fix(sec): Forgejo Actions web routes (go-gitea#6844)

Earl Warren · Earl Warren · commit b44b5fa63e49 · 2025-02-08T09:16:23.000Z
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6844 Reviewed-by: 0ko <0ko@noreply.codeberg.org>
diff --git a/models/actions/runner.go b/models/actions/runner.go
@@ -282,27 +282,22 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
 }
 
 // DeleteRunner deletes a runner by given ID.
-func DeleteRunner(ctx context.Context, id int64) error {
-	runner, err := GetRunnerByID(ctx, id)
-	if err != nil {
-		return err
-	}
-
+func DeleteRunner(ctx context.Context, r *ActionRunner) error {
 	// Replace the UUID, which was either based on the secret's first 16 bytes or an UUIDv4,
 	// with a sequence of 8 0xff bytes followed by the little-endian version of the record's
 	// identifier. This will prevent the deleted record's identifier from colliding with any
 	// new record.
 	b := make([]byte, 8)
-	binary.LittleEndian.PutUint64(b, uint64(id))
-	runner.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
+	binary.LittleEndian.PutUint64(b, uint64(r.ID))
+	r.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
 		b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7])
 
-	err = UpdateRunner(ctx, runner, "UUID")
+	err := UpdateRunner(ctx, r, "UUID")
 	if err != nil {
 		return err
 	}
 
-	_, err = db.DeleteByID[ActionRunner](ctx, id)
+	_, err = db.DeleteByID[ActionRunner](ctx, r.ID)
 	return err
 }
 
diff --git a/models/actions/runner_test.go b/models/actions/runner_test.go
@@ -34,7 +34,7 @@ func TestDeleteRunner(t *testing.T) {
 	require.NoError(t, unittest.PrepareTestDatabase())
 	before := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})
 
-	err := DeleteRunner(db.DefaultContext, recordID)
+	err := DeleteRunner(db.DefaultContext, &ActionRunner{ID: recordID})
 	require.NoError(t, err)
 
 	var after ActionRunner
diff --git a/models/actions/variable.go b/models/actions/variable.go
@@ -86,19 +86,17 @@ func FindVariables(ctx context.Context, opts FindVariablesOpts) ([]*ActionVariab
 }
 
 func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
-	count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
+	count, err := db.GetEngine(ctx).ID(variable.ID).Where("owner_id = ? AND repo_id = ?", variable.OwnerID, variable.RepoID).Cols("name", "data").
 		Update(&ActionVariable{
 			Name: variable.Name,
 			Data: variable.Data,
 		})
 	return count != 0, err
 }
 
-func DeleteVariable(ctx context.Context, id int64) error {
-	if _, err := db.DeleteByID[ActionVariable](ctx, id); err != nil {
-		return err
-	}
-	return nil
+func DeleteVariable(ctx context.Context, variableID, ownerID, repoID int64) (bool, error) {
+	count, err := db.GetEngine(ctx).Table("action_variable").Where("id = ? AND owner_id = ? AND repo_id = ?", variableID, ownerID, repoID).Delete()
+	return count != 0, err
 }
 
 func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -3903,6 +3903,7 @@ variables.deletion.description = Removing a variable is permanent and cannot be
 variables.description = Variables will be passed to certain actions and cannot be read otherwise.
 variables.id_not_exist = Variable with ID %d does not exist.
 variables.edit = Edit Variable
+variables.not_found = Failed to find the variable.
 variables.deletion.failed = Failed to remove variable.
 variables.deletion.success = The variable has been removed.
 variables.creation.failed = Failed to add variable.
diff --git a/routers/api/v1/org/action.go b/routers/api/v1/org/action.go
@@ -475,7 +475,7 @@ func (Action) UpdateVariable(ctx *context.APIContext) {
 	if opt.Name == "" {
 		opt.Name = ctx.Params("variablename")
 	}
-	if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {
+	if _, err := actions_service.UpdateVariable(ctx, v.ID, ctx.Org.Organization.ID, 0, opt.Name, opt.Value); err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "UpdateVariable", err)
 		} else {
diff --git a/routers/api/v1/repo/action.go b/routers/api/v1/repo/action.go
@@ -414,7 +414,7 @@ func (Action) UpdateVariable(ctx *context.APIContext) {
 	if opt.Name == "" {
 		opt.Name = ctx.Params("variablename")
 	}
-	if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {
+	if _, err := actions_service.UpdateVariable(ctx, v.ID, 0, ctx.Repo.Repository.ID, opt.Name, opt.Value); err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "UpdateVariable", err)
 		} else {
diff --git a/routers/api/v1/user/action.go b/routers/api/v1/user/action.go
@@ -228,7 +228,7 @@ func UpdateVariable(ctx *context.APIContext) {
 	if opt.Name == "" {
 		opt.Name = ctx.Params("variablename")
 	}
-	if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {
+	if _, err := actions_service.UpdateVariable(ctx, v.ID, ctx.Doer.ID, 0, opt.Name, opt.Value); err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
 			ctx.Error(http.StatusBadRequest, "UpdateVariable", err)
 		} else {
diff --git a/routers/web/repo/setting/runners.go b/routers/web/repo/setting/runners.go
@@ -179,7 +179,7 @@ func RunnerDeletePost(ctx *context.Context) {
 		ctx.ServerError("getRunnersCtx", err)
 		return
 	}
-	actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))
+	actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.OwnerID, rCtx.RepoID, rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))
 }
 
 func RedirectToDefaultSetting(ctx *context.Context) {
diff --git a/routers/web/repo/setting/variables.go b/routers/web/repo/setting/variables.go
@@ -127,7 +127,7 @@ func VariableUpdate(ctx *context.Context) {
 		return
 	}
 
-	shared.UpdateVariable(ctx, vCtx.RedirectLink)
+	shared.UpdateVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)
 }
 
 func VariableDelete(ctx *context.Context) {
@@ -136,5 +136,5 @@ func VariableDelete(ctx *context.Context) {
 		ctx.ServerError("getVariablesCtx", err)
 		return
 	}
-	shared.DeleteVariable(ctx, vCtx.RedirectLink)
+	shared.DeleteVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)
 }
diff --git a/routers/web/shared/actions/runners.go b/routers/web/shared/actions/runners.go
@@ -142,10 +142,21 @@ func RunnerResetRegistrationToken(ctx *context.Context, ownerID, repoID int64, r
 }
 
 // RunnerDeletePost response for deleting a runner
-func RunnerDeletePost(ctx *context.Context, runnerID int64,
+func RunnerDeletePost(ctx *context.Context, runnerID, ownerID, repoID int64,
 	successRedirectTo, failedRedirectTo string,
 ) {
-	if err := actions_model.DeleteRunner(ctx, runnerID); err != nil {
+	runner, err := actions_model.GetRunnerByID(ctx, runnerID)
+	if err != nil {
+		ctx.ServerError("GetRunnerByID", err)
+		return
+	}
+
+	if !runner.Editable(ownerID, repoID) {
+		ctx.NotFound("Editable", util.NewPermissionDeniedErrorf("no permission to edit this runner"))
+		return
+	}
+
+	if err := actions_model.DeleteRunner(ctx, runner); err != nil {
 		log.Warn("DeleteRunnerPost.UpdateRunner failed: %v, url: %s", err, ctx.Req.URL)
 		ctx.Flash.Warning(ctx.Tr("actions.runners.delete_runner_failed"))
 
diff --git a/routers/web/shared/actions/variables.go b/routers/web/shared/actions/variables.go
@@ -39,25 +39,33 @@ func CreateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL str
 	ctx.JSONRedirect(redirectURL)
 }
 
-func UpdateVariable(ctx *context.Context, redirectURL string) {
+func UpdateVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	id := ctx.ParamsInt64(":variable_id")
 	form := web.GetForm(ctx).(*forms.EditVariableForm)
 
-	if ok, err := actions_service.UpdateVariable(ctx, id, form.Name, form.Data); err != nil || !ok {
-		log.Error("UpdateVariable: %v", err)
-		ctx.JSONError(ctx.Tr("actions.variables.update.failed"))
+	if ok, err := actions_service.UpdateVariable(ctx, id, ownerID, repoID, form.Name, form.Data); err != nil || !ok {
+		if !ok {
+			ctx.JSONError(ctx.Tr("actions.variables.not_found"))
+		} else {
+			log.Error("UpdateVariable: %v", err)
+			ctx.JSONError(ctx.Tr("actions.variables.update.failed"))
+		}
 		return
 	}
 	ctx.Flash.Success(ctx.Tr("actions.variables.update.success"))
 	ctx.JSONRedirect(redirectURL)
 }
 
-func DeleteVariable(ctx *context.Context, redirectURL string) {
+func DeleteVariable(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 	id := ctx.ParamsInt64(":variable_id")
 
-	if err := actions_service.DeleteVariableByID(ctx, id); err != nil {
-		log.Error("Delete variable [%d] failed: %v", id, err)
-		ctx.JSONError(ctx.Tr("actions.variables.deletion.failed"))
+	if ok, err := actions_model.DeleteVariable(ctx, id, ownerID, repoID); err != nil || !ok {
+		if !ok {
+			ctx.JSONError(ctx.Tr("actions.variables.not_found"))
+		} else {
+			log.Error("Delete variable [%d] failed: %v", id, err)
+			ctx.JSONError(ctx.Tr("actions.variables.deletion.failed"))
+		}
 		return
 	}
 	ctx.Flash.Success(ctx.Tr("actions.variables.deletion.success"))
diff --git a/services/actions/variables.go b/services/actions/variables.go
@@ -31,7 +31,7 @@ func CreateVariable(ctx context.Context, ownerID, repoID int64, name, data strin
 	return v, nil
 }
 
-func UpdateVariable(ctx context.Context, variableID int64, name, data string) (bool, error) {
+func UpdateVariable(ctx context.Context, variableID, ownerID, repoID int64, name, data string) (bool, error) {
 	if err := secret_service.ValidateName(name); err != nil {
 		return false, err
 	}
@@ -41,16 +41,14 @@ func UpdateVariable(ctx context.Context, variableID int64, name, data string) (b
 	}
 
 	return actions_model.UpdateVariable(ctx, &actions_model.ActionVariable{
-		ID:   variableID,
-		Name: strings.ToUpper(name),
-		Data: util.ReserveLineBreakForTextarea(data),
+		ID:      variableID,
+		Name:    strings.ToUpper(name),
+		Data:    util.ReserveLineBreakForTextarea(data),
+		OwnerID: ownerID,
+		RepoID:  repoID,
 	})
 }
 
-func DeleteVariableByID(ctx context.Context, variableID int64) error {
-	return actions_model.DeleteVariable(ctx, variableID)
-}
-
 func DeleteVariableByName(ctx context.Context, ownerID, repoID int64, name string) error {
 	if err := secret_service.ValidateName(name); err != nil {
 		return err
@@ -69,7 +67,8 @@ func DeleteVariableByName(ctx context.Context, ownerID, repoID int64, name strin
 		return err
 	}
 
-	return actions_model.DeleteVariable(ctx, v.ID)
+	_, err = actions_model.DeleteVariable(ctx, v.ID, ownerID, repoID)
+	return err
 }
 
 func GetVariable(ctx context.Context, opts actions_model.FindVariablesOpts) (*actions_model.ActionVariable, error) {
diff --git a/tests/integration/actions_variables_test.go b/tests/integration/actions_variables_test.go
@@ -0,0 +1,150 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	forgejo_context "code.gitea.io/gitea/services/context"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionVariablesModification(t *testing.T) {
+	defer tests.AddFixtures("tests/integration/fixtures/TestActionVariablesModification")()
+	defer tests.PrepareTestEnv(t)()
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	userVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1001, OwnerID: user.ID})
+	userURL := "/user/settings/actions/variables"
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
+	orgVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1002, OwnerID: org.ID})
+	orgURL := "/org/" + org.Name + "/settings/actions/variables"
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1, OwnerID: user.ID})
+	repoVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1003, RepoID: repo.ID})
+	repoURL := "/" + repo.FullName() + "/settings/actions/variables"
+	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{IsAdmin: true})
+	globalVariable := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionVariable{ID: 1004}, "owner_id = 0 AND repo_id = 0")
+	adminURL := "/admin/actions/variables"
+
+	adminSess := loginUser(t, admin.Name)
+	adminCSRF := GetCSRF(t, adminSess, "/")
+	sess := loginUser(t, user.Name)
+	csrf := GetCSRF(t, sess, "/")
+
+	type errorJSON struct {
+		Error string `json:"errorMessage"`
+	}
+
+	test := func(t *testing.T, fail bool, baseURL string, id int64) {
+		defer tests.PrintCurrentTest(t, 1)()
+		t.Helper()
+
+		sess := sess
+		csrf := csrf
+		if baseURL == adminURL {
+			sess = adminSess
+			csrf = adminCSRF
+		}
+
+		req := NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/edit", id), map[string]string{
+			"_csrf": csrf,
+			"name":  "glados_quote",
+			"data":  "I'm fine. Two plus two is...ten, in base four, I'm fine!",
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bedited.", flashCookie.Value)
+		}
+
+		req = NewRequestWithValues(t, "POST", baseURL+fmt.Sprintf("/%d/delete", id), map[string]string{
+			"_csrf": csrf,
+		})
+		if fail {
+			resp := sess.MakeRequest(t, req, http.StatusBadRequest)
+			var error errorJSON
+			DecodeJSON(t, resp, &error)
+			assert.EqualValues(t, "Failed to find the variable.", error.Error)
+		} else {
+			sess.MakeRequest(t, req, http.StatusOK)
+			flashCookie := sess.GetCookie(forgejo_context.CookieNameFlash)
+			assert.NotNil(t, flashCookie)
+			assert.EqualValues(t, "success%3DThe%2Bvariable%2Bhas%2Bbeen%2Bremoved.", flashCookie.Value)
+		}
+	}
+
+	t.Run("User variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, userVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, false, userURL, userVariable.ID)
+		})
+	})
+
+	t.Run("Organisation variable", func(t *testing.T) {
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, orgVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, orgVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, false, orgURL, orgVariable.ID)
+		})
+	})
+
+	t.Run("Repository variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, repoVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, repoVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, true, adminURL, userVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, false, repoURL, repoVariable.ID)
+		})
+	})
+
+	t.Run("Global variable", func(t *testing.T) {
+		t.Run("Organisation", func(t *testing.T) {
+			test(t, true, orgURL, globalVariable.ID)
+		})
+		t.Run("User", func(t *testing.T) {
+			test(t, true, userURL, globalVariable.ID)
+		})
+		t.Run("Repository", func(t *testing.T) {
+			test(t, true, repoURL, globalVariable.ID)
+		})
+		t.Run("Admin", func(t *testing.T) {
+			test(t, false, adminURL, globalVariable.ID)
+		})
+	})
+}
diff --git a/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml b/tests/integration/fixtures/TestActionVariablesModification/action_variable.yml
diff --git a/tests/integration/fixtures/TestRunnerModification/action_runner.yml b/tests/integration/fixtures/TestRunnerModification/action_runner.yml
diff --git a/tests/integration/runner_test.go b/tests/integration/runner_test.go

Original file line number	Diff line number	Diff line change
`@@ -475,7 +475,7 @@ func (Action) UpdateVariable(ctx *context.APIContext) {`
`475`	`475`	`if opt.Name == "" {`
`476`	`476`	`opt.Name = ctx.Params("variablename")`
`477`	`477`	`}`
`478`		`- if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {`
	`478`	`+ if _, err := actions_service.UpdateVariable(ctx, v.ID, ctx.Org.Organization.ID, 0, opt.Name, opt.Value); err != nil {`
`479`	`479`	`if errors.Is(err, util.ErrInvalidArgument) {`
`480`	`480`	`ctx.Error(http.StatusBadRequest, "UpdateVariable", err)`
`481`	`481`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -414,7 +414,7 @@ func (Action) UpdateVariable(ctx *context.APIContext) {`
`414`	`414`	`if opt.Name == "" {`
`415`	`415`	`opt.Name = ctx.Params("variablename")`
`416`	`416`	`}`
`417`		`- if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {`
	`417`	`+ if _, err := actions_service.UpdateVariable(ctx, v.ID, 0, ctx.Repo.Repository.ID, opt.Name, opt.Value); err != nil {`
`418`	`418`	`if errors.Is(err, util.ErrInvalidArgument) {`
`419`	`419`	`ctx.Error(http.StatusBadRequest, "UpdateVariable", err)`
`420`	`420`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -228,7 +228,7 @@ func UpdateVariable(ctx *context.APIContext) {`
`228`	`228`	`if opt.Name == "" {`
`229`	`229`	`opt.Name = ctx.Params("variablename")`
`230`	`230`	`}`
`231`		`- if _, err := actions_service.UpdateVariable(ctx, v.ID, opt.Name, opt.Value); err != nil {`
	`231`	`+ if _, err := actions_service.UpdateVariable(ctx, v.ID, ctx.Doer.ID, 0, opt.Name, opt.Value); err != nil {`
`232`	`232`	`if errors.Is(err, util.ErrInvalidArgument) {`
`233`	`233`	`ctx.Error(http.StatusBadRequest, "UpdateVariable", err)`
`234`	`234`	`} else {`
Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ func RunnerDeletePost(ctx *context.Context) {`
`179`	`179`	`ctx.ServerError("getRunnersCtx", err)`
`180`	`180`	`return`
`181`	`181`	`}`
`182`		`- actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))`
	`182`	`+ actions_shared.RunnerDeletePost(ctx, ctx.ParamsInt64(":runnerid"), rCtx.OwnerID, rCtx.RepoID, rCtx.RedirectLink, rCtx.RedirectLink+url.PathEscape(ctx.Params(":runnerid")))`
`183`	`183`	`}`
`184`	`184`
`185`	`185`	`func RedirectToDefaultSetting(ctx *context.Context) {`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ func VariableUpdate(ctx *context.Context) {`
`127`	`127`	`return`
`128`	`128`	`}`
`129`	`129`
`130`		`- shared.UpdateVariable(ctx, vCtx.RedirectLink)`
	`130`	`+ shared.UpdateVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`func VariableDelete(ctx *context.Context) {`
`@@ -136,5 +136,5 @@ func VariableDelete(ctx *context.Context) {`
`136`	`136`	`ctx.ServerError("getVariablesCtx", err)`
`137`	`137`	`return`
`138`	`138`	`}`
`139`		`- shared.DeleteVariable(ctx, vCtx.RedirectLink)`
	`139`	`+ shared.DeleteVariable(ctx, vCtx.OwnerID, vCtx.RepoID, vCtx.RedirectLink)`
`140`	`140`	`}`