bug:fix add assignees permission bug on New PR from forked repo #10848
Conversation
GiteaBot
added
the
lgtm/need 2
|
|
||
| <!-- input id="assignee_ids" name="assignee_ids" type="hidden" value="{{.assignee_id}}"> | ||
| <div class="ui {{if not .Assignees}}disabled{{end}} floating jump select-assignee dropdown"> | ||
| <span class="text"> | ||
| <strong>{{.i18n.Tr "repo.issues.new.assignees"}}</strong> | ||
| <span class="octicon octicon-gear"></span> | ||
| </span> | ||
| <div class="filter menu"> | ||
| <div class="no-select item">{{.i18n.Tr "repo.issues.new.clear_assignees"}}</div> | ||
| {{range .Assignees}} | ||
| <div class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?assignee={{.ID}}" data-avatar="{{.RelAvatarLink}}"><img src="{{.RelAvatarLink}}"> {{.Name}}</div> | ||
| {{end}} | ||
| </div> | ||
| </div> | ||
| <div class="ui select-assignee list"> | ||
| <span class="no-select item {{if .Assignee}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_assignees"}}</span> | ||
| <div class="selected"> | ||
| {{if .Assignee}} | ||
| <a class="item" href="{{.RepoLink}}/issues?assignee={{.Assignee.ID}}"><img class="ui avatar image" src="{{.Assignee.RelAvatarLink}}"> {{.Assignee.Name}}</a> | ||
| {{end}} | ||
| </div> | ||
| </div>--> |
There was a problem hiding this comment.
Hello, I don't think these comments are usefull, so I suggest to remove them, If it have some special reason that should be kept. please tell me, I will recover them. thanks
|
I don't think user with read permissions should be able to set assignee |
|
Hello, so, I add an extern check for it on new pull request page , Is something wrong about it? |
In gitea now seting, only users have write permission can add Assignees, but if a user who don't have write permission also can add Assignees when they creat a Pull Request from a forked repo ,Because It haven't check the permission, so it's a bug. This PR should fix this bug by add a check for write permission. two other small changes: * hide gear on new PR page when it's not necessary like go-gitea#10750, * remove some unusefull comments. Signed-off-by: a1012112796 <[email protected]>
a1012112796
force-pushed
the
fix_assignees
branch
from
210b397 to
e7b55b4
Compare
a1012112796
changed the title
Codecov Report
@@ Coverage Diff @@
## master #10848 +/- ##
==========================================
- Coverage 43.52% 43.49% -0.03%
==========================================
Files 590 592 +2
Lines 82809 82907 +98
==========================================
+ Hits 36040 36063 +23
- Misses 42290 42364 +74
- Partials 4479 4480 +1
Continue to review full report at Codecov.
|
|
I think having a gear you can't click is a bug but I think it is better to do what Github does and show some text like 'nothing to show' or 'no labels defined' etc... if there are no labels/milestones. Removing the gear creates the impression that you aren't allowed to add them and is the same interface for users who don't have permission to add them. That could be for another PR if this one wants to just fix the write issue and remove the comment |
I'm sorry , but maybe you missunderstand me , the bug is reader of a repo should not have permission to add assignees, but they can do it on New PR page now. the hide gear and delet |
In gitea now seting, only users have write permission can add Assignees, but if a user who don't have write permission also can add Assignees when they creat a Pull Request from a forked repo ,
Because It haven't check the permission, so it's a bug . This PR should fix this bug by add a check for it.
two other small changes:
before change:
make PR frm a forked repo:
after change:
