Member

@lunny lunny commented Jan 15, 2026

Fix #35226

@lunny lunny added the type/bug label Jan 15, 2026
@GiteaBot GiteaBot added the lgtm/need 2 label Jan 15, 2026
@github-actions github-actions bot added modifies/go and removed backport/v1.25 labels Jan 15, 2026
@GiteaBot GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels Jan 16, 2026
Comment on lines 56 to 110
func normalizeLFSRefName(raw string) string {
ref := strings.TrimSpace(raw)
if ref == "" {
return ""
}
prefixes := []string{"refs/heads/", "refs/remotes/", "refs/"}
for _, prefix := range prefixes {
if trimmed, ok := strings.CutPrefix(ref, prefix); ok {
ref = trimmed
break
}
}
return ref
}

func refNameFromBatchRequest(br *lfs_module.BatchRequest) string {
if br == nil || br.Ref == nil {
return ""
}
return normalizeLFSRefName(br.Ref.Name)
}

func setLFSRefInContext(ctx *context.Context, ref string) {
ref = normalizeLFSRefName(ref)
if ref == "" {
return
}
if ctx.Data == nil {
ctx.Data = make(map[string]any)
}
ctx.Data[lfsRefContextKey] = ref
}

func getLFSRefFromContext(ctx *context.Context) string {
if ctx.Data == nil {
return ""
}
if ref, ok := ctx.Data[lfsRefContextKey].(string); ok {
return ref
}
return ""
}

func setLFSRefFromQuery(ctx *context.Context) {
ref := ctx.Req.URL.Query().Get(lfsRefQueryKey)
setLFSRefInContext(ctx, ref)
}

func appendRefQuery(baseURL, ref string) string {
if ref == "" {
return baseURL
}
return baseURL + "?" + lfsRefQueryKey + "=" + url.QueryEscape(ref)
}
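
Review bot: in normalizeLFSRefName, the prefix list strips "refs/remotes/" and the bare "refs/" as well as "refs/heads/", so refs/heads/main, refs/remotes/main and refs/main all come back as main, and refs/tags/v1 comes back as tags/v1, which cannot be told apart from a branch of that name. Since setLFSRefFromQuery feeds this function from a request query parameter, I would accept only "refs/heads/" here (or keep the full ref and let the caller classify it) and add a test for the non-branch inputs.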

Contributor

I really don't understand why these newly added functions can be right or necessary.

@wxiaoguang wxiaoguang marked this pull request as draft January 16, 2026 11:01
@wxiaoguang
Contributor

I really don't understand what you are doing.

You always have the ctx *context.Context for these functions, why do you still use ctx.Data to pass the value from the query parameter?

if ref == "" {
return baseURL
}
return baseURL + "?" + lfsRefQueryKey + "=" + url.QueryEscape(ref)
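
Review bot: the return line of appendRefQuery always joins with "?", so a baseURL that already carries a query string ends up with a second "?" and the ref parameter is parsed as part of the previous parameter's value. Parse baseURL with url.Parse, set lfsRefQueryKey on its Query() values and re-encode, or at least join with "&" when strings.Contains(baseURL, "?").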
Contributor

What if baseURL contains ?


branchName := refName.BranchName()
if branchName == "" {
if strings.HasPrefix(ref, "refs/") {
Contributor

Why?

}
}

func canMaintainerWriteLFS(ctx *context.Context, perm access_model.Permission, user *user_model.User, ref string) bool {
Contributor

@wxiaoguang wxiaoguang Jan 28, 2026

It needs to clearly document and test this behavior:

  • ref can be anything passed by the user, it is not fully trusted
  • if a PR branch is set "allow maintainer edit", a maintainer can pass that branch name and fully write all the LFS objects in the head repo, there is no check / no relation between the branch and LFS objects.
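
A test sketch for the first point in the comment above, as an added example that is not code from the PR or from Gitea. normalizeLFSRefName is copied from the snippet earlier in this thread; strictBranchFromRef, collisions and the sample ref strings are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeLFSRefName is copied from the snippet under review in this thread.
func normalizeLFSRefName(raw string) string {
	ref := strings.TrimSpace(raw)
	if ref == "" {
		return ""
	}
	prefixes := []string{"refs/heads/", "refs/remotes/", "refs/"}
	for _, prefix := range prefixes {
		if trimmed, ok := strings.CutPrefix(ref, prefix); ok {
			ref = trimmed
			break
		}
	}
	return ref
}

// strictBranchFromRef is a hypothetical alternative (not Gitea code): only a
// fully qualified branch ref is accepted, every other input is rejected.
func strictBranchFromRef(raw string) (string, bool) {
	name, ok := strings.CutPrefix(raw, "refs/heads/")
	if !ok || name == "" || name != strings.TrimSpace(name) {
		return "", false
	}
	return name, true
}

// collisions groups user-controlled ref strings by the name the normalizer
// returns; a group with more than one member means distinct refs were merged.
func collisions(inputs []string) map[string][]string {
	groups := map[string][]string{}
	for _, in := range inputs {
		n := normalizeLFSRefName(in)
		groups[n] = append(groups[n], in)
	}
	return groups
}

func main() {
	// Constructed sample inputs, not taken from the PR.
	inputs := []string{"refs/heads/main", "refs/remotes/main", "refs/main", " main ", "refs/tags/main"}
	fmt.Println(collisions(inputs))
	fmt.Println(strictBranchFromRef(inputs[1]))
}
```

Any permission decision keyed on the normalized name sees the same value for every member of a group, so the test cases for such a check should include the non-branch spellings as well as the expected one.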


Labels

backport/v1.25, lgtm/need 1, modifies/go, type/bug

Development

Successfully merging this pull request may close these issues.

Unable to Push to PRs with "Allow Edits from Maintainers" and LFS usage
