From 5131206aadc917623be56162a8e5f7f5f2d09069 Mon Sep 17 00:00:00 2001 From: Kyle Evans Date: Sun, 3 May 2020 20:12:36 -0500 Subject: [PATCH] repo: milestone: make /milestone/:id endpoint accessible (#11264) (#11282) Previously, this required authentication, but there's not actually any privileged information on this page. Move the endpoint out of the group that requires sign-in. It still requires the ability to read issues and pull requests, so private repositories (for instance) will not be exposed. Fixes #10312 Fixes #11233 Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com> --- routers/routes/routes.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/routers/routes/routes.go b/routers/routes/routes.go index 3202c62d6..30c17e699 100644 --- a/routers/routes/routes.go +++ b/routers/routes/routes.go @@ -668,6 +668,14 @@ func RegisterRoutes(m *macaron.Macaron) { m.Post("/:username/:reponame/action/:action", reqSignIn, context.RepoAssignment(), context.UnitTypes(), repo.Action) + // Grouping for those endpoints not requiring authentication + m.Group("/:username/:reponame", func() { + m.Group("/milestone", func() { + m.Get("/:id", repo.MilestoneIssuesAndPulls) + }, reqRepoIssuesOrPullsReader, context.RepoRef()) + }, context.RepoAssignment(), context.UnitTypes()) + + // Grouping for those endpoints that do require authentication m.Group("/:username/:reponame", func() { m.Group("/issues", func() { m.Combo("/new").Get(context.RepoRef(), repo.NewIssue). @@ -723,9 +731,6 @@ func RegisterRoutes(m *macaron.Macaron) { m.Post("/:id/:action", repo.ChangeMilestonStatus) m.Post("/delete", repo.DeleteMilestone) }, context.RepoMustNotBeArchived(), reqRepoIssuesOrPullsWriter, context.RepoRef()) - m.Group("/milestone", func() { - m.Get("/:id", repo.MilestoneIssuesAndPulls) - }, reqRepoIssuesOrPullsReader, context.RepoRef()) m.Combo("/compare/*", repo.MustBeNotEmpty, reqRepoCodeReader, repo.SetEditorconfigIfExists). Get(repo.SetDiffViewStyle, repo.CompareDiff). Post(context.RepoMustNotBeArchived(), reqRepoPullsReader, repo.MustAllowPulls, bindIgnErr(auth.CreateIssueForm{}), repo.CompareAndPullRequestPost)