Remove redundant Repo.CanWrite checks from action handlers - permissions are enforced at route level

rossigee · rossigee · commit aaf50824a7d9 · 2025-10-23T22:22:55.000+07:00
diff --git a/routers/api/v1/repo/actions_run.go b/routers/api/v1/repo/actions_run.go
@@ -107,11 +107,6 @@ func RerunWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	_, run, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -192,11 +187,6 @@ func CancelWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -293,11 +283,6 @@ func ApproveWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -396,11 +381,6 @@ func RerunWorkflowJob(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
