forgejo/models
forgejo-backport-action c2158b2a1f
[v10.0/forgejo] fix: consider public issues for project boards (#7144)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143

- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the case an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7144
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-03-07 00:51:07 +00:00
..
actions fix(sec): web route update and delete runner variables 2025-02-08 06:04:14 +00:00
activities Fix nil panic if repo doesn't exist (#32501) 2024-11-17 12:18:56 +01:00
admin Next round of db.DefaultContext refactor (#27089) 2023-09-16 14:39:12 +00:00
asymkey [v10.0/forgejo] fix: native parsing of ssh certificate key (#6954) 2025-02-15 17:28:48 +00:00
auth fix: xorm needs to be lowercase otherwise it is ignored 2024-12-29 18:27:08 +00:00
avatars chore(build): use a stable mirror for go-libravatar 2024-09-14 09:58:49 +02:00
db chore: use errors.New to replace fmt.Errorf with no parameters (#32800) 2024-12-15 09:15:57 +01:00
dbfs Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
fixtures [v10.0/forgejo] fix: consider public issues for project boards (#7144) 2025-03-07 00:51:07 +00:00
forgefed enhance test & fix reviews 2024-05-14 08:24:31 +02:00
forgejo/semver tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
forgejo_migrations fix: keying SQLite migration 2024-12-24 10:05:59 +01:00
git Detect whether action view branch was deleted (#32764) 2024-12-15 09:45:10 +01:00
issues [v10.0/forgejo] fix: consider public issues for project boards (#7144) 2025-03-07 00:51:07 +00:00
migrations [v10.0/forgejo] fix: reduce noise for the v303 migration (#6594) 2025-01-17 08:15:16 +00:00
organization fix: correct permission loading for limited organisation 2024-12-04 11:03:33 +01:00
packages tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
perm tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
project fix(sec): permission check for project issue 2025-02-08 06:06:03 +00:00
pull Add branch auto deletion for scheduled PRs 2024-10-31 03:49:15 +01:00
quota feat: Trivial default quota configuration 2024-08-26 13:25:34 +02:00
repo [v10.0/forgejo] fix: make author search case insenstive (#6783) 2025-02-04 17:06:20 +00:00
secret feat(secret): generate FORGEJO_TOKEN for all tasks 2024-12-08 09:42:18 +08:00
shared/types Refactor locale&string&template related code (#29165) 2024-02-16 15:20:52 +01:00
system fix: xorm:version default is inconsistent 2024-12-24 09:42:47 +01:00
unit i18n: UX improvements: Team permissions and issue closing 2024-09-24 19:03:30 +02:00
unittest chore: simplify CopyDir 2024-11-10 17:21:57 +01:00
user [v10.0/forgejo] fix: delay deleting authorization token (#6976) 2025-02-19 07:06:01 +00:00
webhook Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
error.go Add merge style fast-forward-only (#28954) 2024-02-14 17:19:19 +01:00
main_test.go tests: improve actvititypub integration test code 2024-11-01 22:39:49 +01:00
org.go Refactor deletion (#28610) 2023-12-25 21:25:29 +01:00
org_team.go Remove GetByBean method because sometimes it's danger when query condition parameter is zero and also introduce new generic methods (#28220) 2023-12-07 15:27:36 +08:00
org_team_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
org_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
repo.go Refactor deletion (#28610) 2023-12-25 21:25:29 +01:00
repo_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
repo_transfer.go chore: use errors.New to replace fmt.Errorf with no parameters will much better (#30621) 2024-04-28 15:39:00 +02:00
repo_transfer_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00