Prevent DeleteUser API abuse by 6543 · Pull Request #10125 · go-gitea/gitea

6543 · 2020-02-03T15:38:38Z

close #10119

6543 · 2020-02-03T15:38:54Z

I think we should backport this ...

6543 · 2020-02-03T15:43:01Z

I run in this trap while writing tests for the sdk ...

jolheiser

Small nits otherwise LGTM

codecov-io · 2020-02-03T16:26:27Z

Codecov Report

❗ No coverage uploaded for pull request base (master@29151b9). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #10125   +/-   ##
=========================================
  Coverage          ?    43.4%           
=========================================
  Files             ?      576           
  Lines             ?    79636           
  Branches          ?        0           
=========================================
  Hits              ?    34565           
  Misses            ?    40791           
  Partials          ?     4280

Impacted Files	Coverage Δ
routers/org/setting.go	`0% <ø> (ø)`
routers/api/v1/admin/user.go	`30.19% <0%> (ø)`

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 29151b9...fbc34ad. Read the comment docs.

lafriks · 2020-02-03T16:46:46Z

Please send backport

@jolheiser

* fix & co * word suggestions from @jolheiser

6543 · 2020-02-03T16:52:50Z

done -> #10128

@jolheiser

* fix & co * word suggestions from @jolheiser

lunny · 2020-02-04T02:45:26Z

I think it's better to move the check into models.DeleteUser.

6543 · 2020-02-04T02:52:19Z

should I send a refactor PR?

guillep2k · 2020-02-04T04:06:57Z

I think it's better to move the check into models.DeleteUser.

So orgs can't be deleted ever? 🤔

6543 · 2020-02-04T05:17:15Z

@guillep2k Orgs have there own delete function:

gitea/models/org.go

Lines 257 to 275 in b3c72a7

    
           // DeleteOrganization completely and permanently deletes everything of organization. 
        
           func DeleteOrganization(org *User) (err error) { 
        
           	sess := x.NewSession() 
        
           	defer sess.Close() 
        
           	if err = sess.Begin(); err != nil { 
        
           		return err 
        
           	} 
        
           	if err = deleteOrg(sess, org); err != nil { 
        
           		if IsErrUserOwnRepos(err) { 
        
           			return err 
        
           		} else if err != nil { 
        
           			return fmt.Errorf("deleteOrg: %v", err) 
        
           		} 
        
           	} 
        
           	return sess.Commit() 
        
           }

to be exact it is here:

gitea/models/org.go

Lines 299 to 301 in b3c72a7

    
           if _, err = e.ID(u.ID).Delete(new(User)); err != nil { 
        
           	return fmt.Errorf("Delete: %v", err) 
        
           }

6543 · 2020-02-04T05:19:11Z

@lunny -> #10134

fix & co

1181781

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Feb 3, 2020

techknowlogick changed the title ~~Prefent API missuse~~ Prevent API misuse Feb 3, 2020

techknowlogick added the kind/api label Feb 3, 2020

techknowlogick added this to the 1.12.0 milestone Feb 3, 2020

lafriks approved these changes Feb 3, 2020

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 3, 2020

lafriks added the backport/v1.11 label Feb 3, 2020

davidsvantesson approved these changes Feb 3, 2020

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 3, 2020

6543 changed the title ~~Prevent API misuse~~ Prevent DeleteUser API abuse Feb 3, 2020

jolheiser approved these changes Feb 3, 2020

View reviewed changes

Comment thread routers/api/v1/admin/user.go Outdated

Comment thread routers/org/setting.go Outdated

word suggestions from @jolheiser

fbc34ad

lafriks merged commit ea50f60 into go-gitea:master Feb 3, 2020

6543 deleted the prefent-api-missuse branch February 3, 2020 16:46

6543 added a commit to 6543-forks/gitea that referenced this pull request Feb 3, 2020

Prevent DeleteUser API abuse (go-gitea#10125)

b397ae2

* fix & co * word suggestions from @jolheiser

6543 mentioned this pull request Feb 3, 2020

Prevent DeleteUser API abuse (#10125) #10128

Merged

lafriks added the backport/done All backports for this PR have been created label Feb 3, 2020

lafriks pushed a commit that referenced this pull request Feb 3, 2020

Prevent DeleteUser API abuse (#10125) (#10128)

0129e76

* fix & co * word suggestions from @jolheiser

6543 mentioned this pull request Feb 4, 2020

Ensure DeleteUser is not allowed to Delete Orgs and visa versa #10134

Merged

go-gitea locked and limited conversation to collaborators Nov 24, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Prevent DeleteUser API abuse#10125

Prevent DeleteUser API abuse#10125
lafriks merged 2 commits into
go-gitea:masterfrom
6543-forks:prefent-api-missuse

6543 commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

jolheiser left a comment

Uh oh!

Uh oh!

Uh oh!

codecov-io commented Feb 3, 2020

Uh oh!

lafriks commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

lunny commented Feb 4, 2020

Uh oh!

6543 commented Feb 4, 2020

Uh oh!

guillep2k commented Feb 4, 2020

Uh oh!

6543 commented Feb 4, 2020 •

edited

Loading

Uh oh!

6543 commented Feb 4, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Uh oh!

Conversation

6543 commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

jolheiser left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

codecov-io commented Feb 3, 2020

Codecov Report

Uh oh!

lafriks commented Feb 3, 2020

Uh oh!

6543 commented Feb 3, 2020

Uh oh!

lunny commented Feb 4, 2020

Uh oh!

6543 commented Feb 4, 2020

Uh oh!

guillep2k commented Feb 4, 2020

Uh oh!

6543 commented Feb 4, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

6543 commented Feb 4, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

6543 commented Feb 4, 2020 •

edited

Loading