From adc774cbe53569511759723c26e411051c219d1b Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 23 Apr 2023 15:35:14 +0200
Subject: [PATCH] Only delete secrets belonging to its owner (#24284)
---
 routers/web/org/setting_secrets.go | 2 ++
 routers/web/repo/setting_secrets.go | 2 ++
 routers/web/shared/secrets/secrets.go | 4 ++--
 routers/web/user/setting/secrets.go | 2 ++
 4 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/routers/web/org/setting_secrets.go b/routers/web/org/setting_secrets.go
index 1cdbe35f32ade..580a14015bd9b 100644
--- a/routers/web/org/setting_secrets.go
+++ b/routers/web/org/setting_secrets.go
@@ -43,6 +43,8 @@ func SecretsPost(ctx *context.Context) {
 func SecretsDelete(ctx *context.Context) {
 shared.PerformSecretsDelete(
 ctx,
+ ctx.ContextUser.ID,
+ 0,
 ctx.Org.OrgLink+"/settings/secrets",
 )
 }
diff --git a/routers/web/repo/setting_secrets.go b/routers/web/repo/setting_secrets.go
index c42dee583b923..57a4c470dd601 100644
--- a/routers/web/repo/setting_secrets.go
+++ b/routers/web/repo/setting_secrets.go
@@ -41,6 +41,8 @@ func SecretsPost(ctx *context.Context) {
 func DeleteSecret(ctx *context.Context) {
 shared.PerformSecretsDelete(
 ctx,
+ 0,
+ ctx.Repo.Repository.ID,
 ctx.Repo.RepoLink+"/settings/secrets",
 )
 }
diff --git a/routers/web/shared/secrets/secrets.go b/routers/web/shared/secrets/secrets.go
index e242c5e81611d..0e6fa247416fb 100644
--- a/routers/web/shared/secrets/secrets.go
+++ b/routers/web/shared/secrets/secrets.go
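Review bot: In the org handler's `SecretsDelete` call (routers/web/org/setting_secrets.go), the two new arguments are adjacent positional `int64` values (`ctx.ContextUser.ID, 0`), so swapping owner and repository ID would still compile while scoping the delete by the wrong field. A trailing comment on each argument makes the intent checkable at the call site, e.g. `ctx.ContextUser.ID, // ownerID` and `0, // repoID: org-level secret, no repository`. The same applies to the repo handler's `DeleteSecret` (`0, ctx.Repo.Repository.ID`) and to the user-settings `SecretsDelete` (`ctx.Doer.ID, 0`).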
@@ -38,10 +38,10 @@ func PerformSecretsPost(ctx *context.Context, ownerID, repoID int64, redirectURL
 ctx.Redirect(redirectURL)
 }
-func PerformSecretsDelete(ctx *context.Context, redirectURL string) {
+func PerformSecretsDelete(ctx *context.Context, ownerID, repoID int64, redirectURL string) {
 id := ctx.FormInt64("id")
- if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id}); err != nil {
+ if _, err := db.DeleteByBean(ctx, &secret_model.Secret{ID: id, OwnerID: ownerID, RepoID: repoID}); err != nil {
 log.Error("Delete secret %d failed: %v", id, err)
 ctx.Flash.Error(ctx.Tr("secrets.deletion.failed"))
 } else {
diff --git a/routers/web/user/setting/secrets.go b/routers/web/user/setting/secrets.go
index 3a57897d8f607..2314f3694f775 100644
--- a/routers/web/user/setting/secrets.go
+++ b/routers/web/user/setting/secrets.go
@@ -40,6 +40,8 @@ func SecretsPost(ctx *context.Context) {
 func SecretsDelete(ctx *context.Context) {
 shared.PerformSecretsDelete(
 ctx,
+ ctx.Doer.ID,
+ 0,
 setting.AppSubURL+"/user/settings/secrets",
 )
 }
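Review bot: In `PerformSecretsDelete` (routers/web/shared/secrets/secrets.go), the `id` read by `ctx.FormInt64("id")` goes into the bean without a positivity check, and the affected-row count from `db.DeleteByBean` is discarded with `_`. If `DeleteByBean` builds its condition only from non-zero bean fields, as xorm bean conditions normally do, an `id` of 0 would leave just `OwnerID` or `RepoID` as the condition and the delete would cover every secret in that scope; confirm against the helper and against what `FormInt64` returns for a missing value. Rejecting the request with `if id <= 0` before the call, and binding the count (`n, err := db.DeleteByBean(...)`) so that `n == 0` is reported as a failure instead of reaching the `else` branch, would cover both cases. A zero-row result is also what an id owned by someone else now produces, so it is worth a log line for auditing. The function body continues past the end of the hunk, so the `else` branch itself is not visible here.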