From 9372bdd4a3ecced0cca58c8da7c1940799525937 Mon Sep 17 00:00:00 2001 From: Gergely Nagy Date: Sun, 25 Feb 2024 10:52:11 +0100 Subject: [PATCH] Move permission check from ArtifactsDeleteView to the route As suggested by @Gusted in #2431, move the permission checking from `ArtifactsDeleteView` into the route instead, where it belongs. Signed-off-by: Gergely Nagy --- routers/web/repo/actions/view.go | 5 ----- routers/web/web.go | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/routers/web/repo/actions/view.go b/routers/web/repo/actions/view.go index 903ff2632f..abef5325f7 100644 --- a/routers/web/repo/actions/view.go +++ b/routers/web/repo/actions/view.go @@ -579,11 +579,6 @@ func ArtifactsView(ctx *context_module.Context) { } func ArtifactsDeleteView(ctx *context_module.Context) { - if !ctx.Repo.CanWrite(unit.TypeActions) { - ctx.Error(http.StatusForbidden, "no permission") - return - } - runIndex := ctx.ParamsInt64("run") artifactName := ctx.Params("artifact_name") diff --git a/routers/web/web.go b/routers/web/web.go index 0684b2ac82..f4d657fb78 100644 --- a/routers/web/web.go +++ b/routers/web/web.go @@ -1401,7 +1401,7 @@ func registerRoutes(m *web.Route) { m.Post("/approve", reqRepoActionsWriter, actions.Approve) m.Post("/artifacts", actions.ArtifactsView) m.Get("/artifacts/{artifact_name}", actions.ArtifactsDownloadView) - m.Delete("/artifacts/{artifact_name}", actions.ArtifactsDeleteView) + m.Delete("/artifacts/{artifact_name}", reqRepoActionsWriter, actions.ArtifactsDeleteView) m.Post("/rerun", reqRepoActionsWriter, actions.Rerun) }) })