Check pr creator permissions

splitt3r · CalK16 · commit 906514e1cb93 · 2024-10-31T19:25:52.000+08:00
diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
@@ -1225,8 +1225,9 @@ func ValidateRepoMetas(ctx *context.Context, form forms.CreateIssueForm, isPull
 			return nil, nil, nil, 0, 0
 		}
 
-		// Check if the passed reviewers actually exist
+		// Check if the passed reviewers (user/team) actually exist
 		for _, rID := range reviewerIDs {
+			// negative reviewIDs represent team requests
 			if rID < 0 {
 				_, err := organization.GetTeamByID(ctx, -rID)
 				if err != nil {
diff --git a/routers/web/repo/pull.go b/routers/web/repo/pull.go
@@ -1268,7 +1268,7 @@ func CompareAndPullRequestPost(ctx *context.Context) {
 		return
 	}
 
-	labelIDs, assigneeIDs, reviewerIDs, milestoneID, _ := ValidateRepoMetas(ctx, *form, true)
+	labelIDs, assigneeIDs, reviewerIDs, milestoneID, projectID := ValidateRepoMetas(ctx, *form, true)
 	if ctx.Written() {
 		return
 	}
diff --git a/services/pull/pull.go b/services/pull/pull.go
@@ -43,7 +43,7 @@ func getPullWorkingLockKey(prID int64) string {
 }
 
 // NewPullRequest creates new pull request with labels for repository.
-func NewPullRequest(ctx context.Context, repo *repo_model.Repository, issue *issues_model.Issue, labelIDs []int64, uuids []string, pr *issues_model.PullRequest, assigneeIDs []int64, reviewerIDs []int64) error {
+func NewPullRequest(ctx context.Context, repo *repo_model.Repository, issue *issues_model.Issue, labelIDs []int64, uuids []string, pr *issues_model.PullRequest, assigneeIDs, reviewerIDs []int64) error {
 	if err := issue.LoadPoster(ctx); err != nil {
 		return err
 	}
@@ -118,11 +118,16 @@ func NewPullRequest(ctx context.Context, repo *repo_model.Repository, issue *iss
 		}
 
 		for _, reviewerID := range reviewerIDs {
+			// negative reviewIDs represent team requests
 			if reviewerID < 0 {
 				team, err := organization.GetTeamByID(ctx, -reviewerID)
 				if err != nil {
 					return err
 				}
+				err = issue_service.IsValidTeamReviewRequest(ctx, team, issue.Poster, true, issue)
+				if err != nil {
+					return err
+				}
 				_, err = issue_service.TeamReviewRequest(ctx, issue, issue.Poster, team, true)
 				if err != nil {
 					return err
@@ -134,6 +139,14 @@ func NewPullRequest(ctx context.Context, repo *repo_model.Repository, issue *iss
 			if err != nil {
 				return err
 			}
+			permDoer, err := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster)
+			if err != nil {
+				return err
+			}
+			err = issue_service.IsValidReviewRequest(ctx, reviewer, issue.Poster, true, issue, &permDoer)
+			if err != nil {
+				return err
+			}
 			_, err = issue_service.ReviewRequest(ctx, issue, issue.Poster, reviewer, true)
 			if err != nil {
 				return err
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
@@ -69,7 +69,11 @@
 									{{ctx.AvatarUtils.Avatar .User 28 "gt-mr-3"}}{{template "repo/search_name" .User}}
 								</span>
 							</a>
-						{{else if .Team}}
+						{{end}}
+					{{end}}
+					<div class="divider"></div>
+					{{range .Reviewers}}
+						{{if .Team}}
 							<a class="item muted" data-id="{{.ItemID}}" data-id-selector="#reviewer_{{.ItemID}}">
 								<span class="octicon-check invisible">{{svg "octicon-check" 16}}</span>
 								<span class="text">

Original file line number	Diff line number	Diff line change
`@@ -1268,7 +1268,7 @@ func CompareAndPullRequestPost(ctx *context.Context) {`
`1268`	`1268`	`return`
`1269`	`1269`	`}`
`1270`	`1270`
`1271`		`- labelIDs, assigneeIDs, reviewerIDs, milestoneID, _ := ValidateRepoMetas(ctx, *form, true)`
	`1271`	`+ labelIDs, assigneeIDs, reviewerIDs, milestoneID, projectID := ValidateRepoMetas(ctx, *form, true)`
`1272`	`1272`	`if ctx.Written() {`
`1273`	`1273`	`return`
`1274`	`1274`	`}`