Reject star-related requests if stars are disabled (#33208)

This PR fixes #33205.

If stars are disabled:
* The `.../repo/stars` page returns a 403 Forbidden error
* Star-related API endpoints return a 403 Forbidden error saying `Stars are disabled.`
* Same for action endpoints

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Henrique Corrêa 2025-02-04 02:21:23 -03:00 committed by GitHub
parent a4676db7dd
commit d0f4e92563
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 113 additions and 5 deletions


@ -580,6 +580,16 @@ func reqWebhooksEnabled() func(ctx *context.APIContext) {
}
}
// reqStarsEnabled requires Starring to be enabled in the config.
func reqStarsEnabled() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
if setting.Repository.DisableStars {
ctx.Error(http.StatusForbidden, "", "stars disabled by administrator")
return
}
}
}
func orgAssignment(args ...bool) func(ctx *context.APIContext) {
var (
assignOrg bool
@ -995,7 +1005,7 @@ func Routes() *web.Router {
m.Get("/{target}", user.CheckFollowing)
})
m.Get("/starred", user.GetStarredRepos)
m.Get("/starred", reqStarsEnabled(), user.GetStarredRepos)
m.Get("/subscriptions", user.GetWatchedRepos)
}, context.UserAssignmentAPI(), checkTokenPublicOnly())
@ -1086,7 +1096,7 @@ func Routes() *web.Router {
m.Put("", user.Star)
m.Delete("", user.Unstar)
}, repoAssignment(), checkTokenPublicOnly())
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))
}, reqStarsEnabled(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))
m.Get("/times", repo.ListMyTrackedTimes)
m.Get("/stopwatches", repo.GetStopwatches)
m.Get("/subscriptions", user.GetMyWatchedRepos)
@ -1248,7 +1258,7 @@ func Routes() *web.Router {
m.Post("/markup", reqToken(), bind(api.MarkupOption{}), misc.Markup)
m.Post("/markdown", reqToken(), bind(api.MarkdownOption{}), misc.Markdown)
m.Post("/markdown/raw", reqToken(), misc.MarkdownRaw)
m.Get("/stargazers", repo.ListStargazers)
m.Get("/stargazers", reqStarsEnabled(), repo.ListStargazers)
m.Get("/subscribers", repo.ListSubscribers)
m.Group("/subscription", func() {
m.Get("", user.IsWatching)
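Review bot: The 403 body written in `reqStarsEnabled` is "stars disabled by administrator" with an empty title, but the commit description documents the message as `Stars are disabled.`. API clients or log alerts that key on the documented text will not match, and a feature-off 403 then looks like a real authorization denial. Using the documented wording would fix this: `ctx.Error(http.StatusForbidden, "", "Stars are disabled.")`. Separately, in the current-user `/starred` group the new guard is listed before `tokenRequiresScopes(...)`. If handlers run in argument order, a token without the repository scope gets the stars-disabled response instead of the scope failure, so I would list it after the scope check: `}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), reqStarsEnabled())`. `Routes` begins and ends outside these hunks, so other star-related routes in it cannot be checked from here.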