From 9a75c2741d2806f5bb12d21b5a9d7387b2d44073 Mon Sep 17 00:00:00 2001 From: zeripath Date: Wed, 26 Jan 2022 20:01:35 +0000 Subject: [PATCH] Only view milestones from current repo (#18414) The endpoint /{username}/{reponame}/milestone/{id} is not currently restricted to the repo. This PR restricts the milestones to those within the repo. Signed-off-by: Andrew Thornton --- go.mod | 2 +- models/issue_milestone.go | 16 ---------------- routers/web/repo/issue.go | 4 ++-- routers/web/repo/milestone.go | 2 +- 4 files changed, 4 insertions(+), 20 deletions(-) diff --git a/go.mod b/go.mod index 9ca1429d1..9a2f3cf91 100644 --- a/go.mod +++ b/go.mod @@ -97,7 +97,7 @@ require ( github.com/quasoft/websspi v1.0.0 github.com/rs/xid v1.3.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 // indirect + github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 github.com/sergi/go-diff v1.2.0 github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 diff --git a/models/issue_milestone.go b/models/issue_milestone.go index 7f2fd9a1f..a32171851 100644 --- a/models/issue_milestone.go +++ b/models/issue_milestone.go @@ -134,22 +134,6 @@ func GetMilestoneByRepoIDANDName(repoID int64, name string) (*Milestone, error) return &mile, nil } -// GetMilestoneByID returns the milestone via id . -func GetMilestoneByID(id int64) (*Milestone, error) { - return getMilestoneByID(db.GetEngine(db.DefaultContext), id) -} - -func getMilestoneByID(e db.Engine, id int64) (*Milestone, error) { - var m Milestone - has, err := e.ID(id).Get(&m) - if err != nil { - return nil, err - } else if !has { - return nil, ErrMilestoneNotExist{ID: id, RepoID: 0} - } - return &m, nil -} - // UpdateMilestone updates information of given milestone. func UpdateMilestone(m *Milestone, oldIsClosed bool) error { ctx, committer, err := db.TxContext() diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go index 4f2716763..c4928054a 100644 --- a/routers/web/repo/issue.go +++ b/routers/web/repo/issue.go @@ -799,7 +799,7 @@ func NewIssue(ctx *context.Context) { milestoneID := ctx.FormInt64("milestone") if milestoneID > 0 { - milestone, err := models.GetMilestoneByID(milestoneID) + milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID) if err != nil { log.Error("GetMilestoneByID: %d: %v", milestoneID, err) } else { @@ -886,7 +886,7 @@ func ValidateRepoMetas(ctx *context.Context, form forms.CreateIssueForm, isPull // Check milestone. milestoneID := form.MilestoneID if milestoneID > 0 { - milestone, err := models.GetMilestoneByID(milestoneID) + milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID) if err != nil { ctx.ServerError("GetMilestoneByID", err) return nil, nil, 0, 0 diff --git a/routers/web/repo/milestone.go b/routers/web/repo/milestone.go index eadc89333..df5fd411b 100644 --- a/routers/web/repo/milestone.go +++ b/routers/web/repo/milestone.go @@ -264,7 +264,7 @@ func DeleteMilestone(ctx *context.Context) { // MilestoneIssuesAndPulls lists all the issues and pull requests of the milestone func MilestoneIssuesAndPulls(ctx *context.Context) { milestoneID := ctx.ParamsInt64(":id") - milestone, err := models.GetMilestoneByID(milestoneID) + milestone, err := models.GetMilestoneByRepoID(ctx.Repo.Repository.ID, milestoneID) if err != nil { if models.IsErrMilestoneNotExist(err) { ctx.NotFound("GetMilestoneByID", err)