mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-03-12 22:51:44 -05:00
a2958f5a26
- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking. - The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the cause an authenticated user loaded the project. - This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query. - Added unit testing. - Added integration testing. - Resolves Codeberg/Community#1809 - Regression of https://codeberg.org/forgejo/forgejo/pulls/6843 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7143 Reviewed-by: Otto <otto@codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> |
||
|---|---|---|
| .. | ||
| PrivateIssueProjects | ||
| TestGetUnmergedPullRequestsByHeadInfoMax | ||
| TestParseCommitWithSSHSignature | ||
| access.yml | ||
| access_token.yml | ||
| action.yml | ||
| action_artifact.yml | ||
| action_run.yml | ||
| action_run_job.yml | ||
| action_runner.yml | ||
| action_runner_token.yml | ||
| action_task.yml | ||
| action_task_output.yml | ||
| attachment.yml | ||
| branch.yml | ||
| collaboration.yml | ||
| comment.yml | ||
| commit_status.yml | ||
| commit_status_index.yml | ||
| deploy_key.yml | ||
| email_address.yml | ||
| external_login_user.yml | ||
| federated_user.yml | ||
| federation_host.yml | ||
| follow.yml | ||
| forgejo_blocked_user.yml | ||
| gpg_key.yml | ||
| gpg_key_import.yml | ||
| hook_task.yml | ||
| issue.yml | ||
| issue_assignees.yml | ||
| issue_index.yml | ||
| issue_label.yml | ||
| issue_user.yml | ||
| issue_watch.yml | ||
| label.yml | ||
| lfs_meta_object.yml | ||
| login_source.yml | ||
| milestone.yml | ||
| mirror.yml | ||
| notice.yml | ||
| notification.yml | ||
| oauth2_application.yml | ||
| oauth2_authorization_code.yml | ||
| oauth2_grant.yml | ||
| org_user.yml | ||
| project.yml | ||
| project_board.yml | ||
| project_issue.yml | ||
| protected_branch.yml | ||
| protected_tag.yml | ||
| public_key.yml | ||
| pull_request.yml | ||
| push_mirror.yml | ||
| reaction.yml | ||
| release.yml | ||
| renamed_branch.yml | ||
| repo_archiver.yml | ||
| repo_indexer_status.yml | ||
| repo_redirect.yml | ||
| repo_topic.yml | ||
| repo_transfer.yml | ||
| repo_unit.yml | ||
| repository.yml | ||
| review.yml | ||
| secret.yml | ||
| star.yml | ||
| stopwatch.yml | ||
| system_setting.yml | ||
| team.yml | ||
| team_repo.yml | ||
| team_unit.yml | ||
| team_user.yml | ||
| topic.yml | ||
| tracked_time.yml | ||
| two_factor.yml | ||
| user.yml | ||
| user_open_id.yml | ||
| user_redirect.yml | ||
| watch.yml | ||
| webauthn_credential.yml | ||
| webhook.yml | ||