appview: fix pull close/reopen permissions · lewis.moe/tangled-core@0e8ec37

lewis.moe / tangled-core

forked from tangled.org/core

fork atom

Monorepo for Tangled

fork atom

appview: fix pull close/reopen permissions

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li 7 months ago 0e8ec37e a2586d47

verified

+6 -2

2 changed files

expand all

unified split

appview

pulls

pulls.go

router.go

+4 -2

appview/pulls/pulls.go

··· 2026 2026 2027 2027 // auth filter: only owner or collaborators can close 2028 2028 roles := f.RolesInRepo(user) 2029 + isOwner := roles.IsOwner() 2029 2030 isCollaborator := roles.IsCollaborator() 2030 2031 isPullAuthor := user.Did == pull.OwnerDid 2031 - isCloseAllowed := isCollaborator || isPullAuthor 2032 + isCloseAllowed := isOwner || isCollaborator || isPullAuthor 2032 2033 if !isCloseAllowed { 2033 2034 log.Println("failed to close pull") 2034 2035 s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.") ··· 2094 2095 2095 2096 // auth filter: only owner or collaborators can close 2096 2097 roles := f.RolesInRepo(user) 2098 + isOwner := roles.IsOwner() 2097 2099 isCollaborator := roles.IsCollaborator() 2098 2100 isPullAuthor := user.Did == pull.OwnerDid 2099 - isCloseAllowed := isCollaborator || isPullAuthor 2101 + isCloseAllowed := isOwner || isCollaborator || isPullAuthor 2100 2102 if !isCloseAllowed { 2101 2103 log.Println("failed to close pull") 2102 2104 s.pages.Notice(w, "pull-close", "You are unauthorized to close this pull.")

appview/pulls/router.go

··· 44 44 r.Get("/", s.ResubmitPull) 45 45 r.Post("/", s.ResubmitPull) 46 46 }) 47 + // permissions here require us to know pull author 48 + // it is handled within the route 47 49 r.Post("/close", s.ClosePull) 48 50 r.Post("/reopen", s.ReopenPull) 49 51 // collaborators only