
appview: fix pull close/reopen permissions

Signed-off-by: oppiliappan <me@oppi.li>

oppiliappan 0e8ec37e a2586d47

+6 -2
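--- a/appview/pulls/pulls.go
+++ b/appview/pulls/pulls.go
@@ -2026,9 +2026,10 @@
 
 // auth filter: only owner or collaborators can close
 roles := f.RolesInRepo(user)
+isOwner := roles.IsOwner()
 isCollaborator := roles.IsCollaborator()
 isPullAuthor := user.Did == pull.OwnerDid
-isCloseAllowed := isCollaborator || isPullAuthor
+isCloseAllowed := isOwner || isCollaborator || isPullAuthor
 if !isCloseAllowed {
 log.Println("failed to close pull")
 s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.")
@@ -2095,9 +2094,10 @@
 
 // auth filter: only owner or collaborators can close
 roles := f.RolesInRepo(user)
+isOwner := roles.IsOwner()
 isCollaborator := roles.IsCollaborator()
 isPullAuthor := user.Did == pull.OwnerDid
-isCloseAllowed := isCollaborator || isPullAuthor
+isCloseAllowed := isOwner || isCollaborator || isPullAuthor
 if !isCloseAllowed {
 log.Println("failed to close pull")
 s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.")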
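Review bot: The authorization predicate is repeated verbatim in both hunks (new lines 2029–2032 and 2097–2100), which is how the owner case came to be missing in two places; one shared helper would stop the two handlers drifting apart again. If the second hunk is the reopen handler, as the commit title suggests, it still names the flag `isCloseAllowed`, logs "failed to close pull" and tells the user they cannot close. It also lets the pull author reopen a pull that an owner or collaborator closed, which is worth confirming as intended policy. The comment should name everyone who is allowed, e.g. `// auth filter: only the repo owner, collaborators or the pull author can close`, and the denial log is more useful for auditing with the actor in it, e.g. `log.Printf("pull close denied: did=%s", user.Did)`. Both enclosing functions start and end outside the hunks, so whether the handler returns after `s.pages.Notice` cannot be checked from here.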
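--- a/appview/pulls/router.go
+++ b/appview/pulls/router.go
@@ -44,6 +44,8 @@
 r.Get("/", s.ResubmitPull)
 r.Post("/", s.ResubmitPull)
 })
+// permissions here require us to know pull author
+// it is handled within the route
 r.Post("/close", s.ClosePull)
 r.Post("/reopen", s.ReopenPull)
 // collaborators only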
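Review bot: The added comment on `/close` and `/reopen` says the permission check is "handled within the route" but not what that check is, so a reader of the router cannot tell who may call these two endpoints. These routes appear to be registered outside the role-gated group that follows (`// collaborators only`), so the in-handler check looks like the only authorization on them. I would spell that out, e.g. `// no role middleware: ClosePull and ReopenPull themselves allow only the repo owner, collaborators or the pull author`. The surrounding router function starts and ends outside the hunk, so any outer middleware is not visible here.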