Fix comment permissions (#28213)

This PR will fix some missed checks for private repositories' data on web routes and API routes.
2025-10-30 22:11:07 +00:00 · 2023-11-26 01:21:21 +08:00 · 2023-11-26 01:21:21 +08:00 · 5504ce44d2
commit 5504ce44d2
parent 8b6f5a890b
34 changed files with 417 additions and 105 deletions
--- a/routers/api/v1/user/hook.go
+++ b/routers/api/v1/user/hook.go
@ -62,6 +62,11 @@ func GetHook(ctx *context.APIContext) {
 		return
 	}

+	if !ctx.Doer.IsAdmin && hook.OwnerID != ctx.Doer.ID {
+		ctx.NotFound()
+		return
+	}
+
 	apiHook, err := webhook_service.ToHook(ctx.Doer.HomeLink(), hook)
 	if err != nil {
 		ctx.InternalServerError(err)