LFS locks must belong to the intended repo (go-gitea#36344)

lunny · GiteaBot · commit eecf538bd6bf · 2026-01-12T00:42:39.000Z
diff --git a/models/git/lfs_lock.go b/models/git/lfs_lock.go
@@ -108,10 +108,10 @@ func GetLFSLock(ctx context.Context, repo *repo_model.Repository, path string) (
 	return rel, nil
 }
 
-// GetLFSLockByID returns release by given id.
-func GetLFSLockByID(ctx context.Context, id int64) (*LFSLock, error) {
+// GetLFSLockByIDAndRepo returns lfs lock by given id and repository id.
+func GetLFSLockByIDAndRepo(ctx context.Context, id, repoID int64) (*LFSLock, error) {
 	lock := new(LFSLock)
-	has, err := db.GetEngine(ctx).ID(id).Get(lock)
+	has, err := db.GetEngine(ctx).ID(id).And("repo_id = ?", repoID).Get(lock)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -160,7 +160,7 @@ func CountLFSLockByRepoID(ctx context.Context, repoID int64) (int64, error) {
 // DeleteLFSLockByID deletes a lock by given ID.
 func DeleteLFSLockByID(ctx context.Context, id int64, repo *repo_model.Repository, u *user_model.User, force bool) (*LFSLock, error) {
 	return db.WithTx2(ctx, func(ctx context.Context) (*LFSLock, error) {
-		lock, err := GetLFSLockByID(ctx, id)
+		lock, err := GetLFSLockByIDAndRepo(ctx, id, repo.ID)
 		if err != nil {
 			return nil, err
 		}
diff --git a/models/git/lfs_lock_test.go b/models/git/lfs_lock_test.go
@@ -0,0 +1,82 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func createTestLock(t *testing.T, repo *repo_model.Repository, owner *user_model.User) *LFSLock {
+	t.Helper()
+
+	path := fmt.Sprintf("%s-%d-%d", t.Name(), repo.ID, time.Now().UnixNano())
+	lock, err := CreateLFSLock(t.Context(), repo, &LFSLock{
+		OwnerID: owner.ID,
+		Path:    path,
+	})
+	require.NoError(t, err)
+	return lock
+}
+
+func TestGetLFSLockByIDAndRepo(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	fetched, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo1.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, fetched.ID)
+	assert.Equal(t, repo1.ID, fetched.RepoID)
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo3.ID)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo1.ID)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+}
+
+func TestDeleteLFSLockByIDRequiresRepoMatch(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
+	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+	lockRepo1 := createTestLock(t, repo1, user2)
+	lockRepo3 := createTestLock(t, repo3, user4)
+
+	_, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo1, user2, true)
+	assert.Error(t, err)
+	assert.True(t, IsErrLFSLockNotExist(err))
+
+	existing, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo3.ID)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, existing.ID)
+
+	deleted, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo3, user4, true)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo3.ID, deleted.ID)
+
+	deleted, err = DeleteLFSLockByID(t.Context(), lockRepo1.ID, repo1, user2, false)
+	require.NoError(t, err)
+	assert.Equal(t, lockRepo1.ID, deleted.ID)
+}
diff --git a/services/lfs/locks.go b/services/lfs/locks.go
@@ -90,7 +90,7 @@ func GetListLockHandler(ctx *context.Context) {
 			})
 			return
 		}
-		lock, err := git_model.GetLFSLockByID(ctx, v)
+		lock, err := git_model.GetLFSLockByIDAndRepo(ctx, v, repository.ID)
 		if err != nil && !git_model.IsErrLFSLockNotExist(err) {
 			log.Error("Unable to get lock with ID[%s]: Error: %v", v, err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func GetListLockHandler(ctx *context.Context) {`
`90`	`90`	`})`
`91`	`91`	`return`
`92`	`92`	`}`
`93`		`- lock, err := git_model.GetLFSLockByID(ctx, v)`
	`93`	`+ lock, err := git_model.GetLFSLockByIDAndRepo(ctx, v, repository.ID)`
`94`	`94`	`if err != nil && !git_model.IsErrLFSLockNotExist(err) {`
`95`	`95`	`log.Error("Unable to get lock with ID[%s]: Error: %v", v, err)`
`96`	`96`	`}`