fix(sec): web route update and delete runner variables

The web route to update and delete variables of runners did not check if
the ID that was given belonged to the context it was requested in, this
made it possible to update and delete every existing runner variable of
a instance for any authenticated user.

The code has been reworked to always take into account the context of
the request (owner and repository ID).

(cherry picked from commit 5cb8fdfc8b9213cc368cd074aac93a1327ea20b0)

services/actions/variables.go

@@ -31,7 +31,7 @@ func CreateVariable(ctx context.Context, ownerID, repoID int64, name, data strin
 	return v, nil
 }
 
-func UpdateVariable(ctx context.Context, variableID int64, name, data string) (bool, error) {
+func UpdateVariable(ctx context.Context, variableID, ownerID, repoID int64, name, data string) (bool, error) {
 	if err := secret_service.ValidateName(name); err != nil {
 		return false, err
 	}
@@ -41,16 +41,14 @@ func UpdateVariable(ctx context.Context, variableID int64, name, data string) (b
 	}
 
 	return actions_model.UpdateVariable(ctx, &actions_model.ActionVariable{
-		ID:   variableID,
-		Name: strings.ToUpper(name),
-		Data: util.ReserveLineBreakForTextarea(data),
+		ID:      variableID,
+		Name:    strings.ToUpper(name),
+		Data:    util.ReserveLineBreakForTextarea(data),
+		OwnerID: ownerID,
+		RepoID:  repoID,
 	})
 }
 
-func DeleteVariableByID(ctx context.Context, variableID int64) error {
-	return actions_model.DeleteVariable(ctx, variableID)
-}
-
 func DeleteVariableByName(ctx context.Context, ownerID, repoID int64, name string) error {
 	if err := secret_service.ValidateName(name); err != nil {
 		return err
@@ -69,7 +67,8 @@ func DeleteVariableByName(ctx context.Context, ownerID, repoID int64, name strin
 		return err
 	}
 
-	return actions_model.DeleteVariable(ctx, v.ID)
+	_, err = actions_model.DeleteVariable(ctx, v.ID, ownerID, repoID)
+	return err
 }
 
 func GetVariable(ctx context.Context, opts actions_model.FindVariablesOpts) (*actions_model.ActionVariable, error) {