...

sapk · sapk · commit 340bf89b1e14 · 2019-08-23T20:12:30.000+02:00
diff --git a/models/attachment.go b/models/attachment.go
@@ -42,6 +42,11 @@ func (a *Attachment) IncreaseDownloadCount() error {
 	return nil
 }
 
+// IsNotAttached define is the attachement is linked to an issue or release
+func (a *Attachment) IsNotAttached() bool {
+	return a.ReleaseID == 0 && a.IssueID == 0
+}
+
 // APIFormat converts models.Attachment to api.Attachment
 func (a *Attachment) APIFormat() *api.Attachment {
 	return &api.Attachment{
diff --git a/models/release.go b/models/release.go
@@ -147,8 +147,8 @@ func createTag(gitRepo *git.Repository, rel *Release) error {
 	}
 	return nil
 }
-/* TODO set this at upload
-func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error) {
+
+func linkReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error) {
 	// Check attachments
 	var attachments = make([]*Attachment, 0)
 	for _, uuid := range attachmentUUIDs {
@@ -159,6 +159,10 @@ func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error
 			}
 			return fmt.Errorf("getAttachmentByUUID [%s]: %v", uuid, err)
 		}
+		if !attach.IsNotAttached(){
+			log.Error("getAttachmentByUUID [%s]: skipping already linked attachement", uuid)
+			continue
+		}
 		attachments = append(attachments, attach)
 	}
 
@@ -172,7 +176,6 @@ func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error
 
 	return
 }
-*/
 
 // CreateRelease creates a new release of repository.
 func CreateRelease(gitRepo *git.Repository, rel *Release, attachmentUUIDs []string) error {
@@ -193,7 +196,7 @@ func CreateRelease(gitRepo *git.Repository, rel *Release, attachmentUUIDs []stri
 		return err
 	}
 
-	err = addReleaseAttachments(rel.ID, attachmentUUIDs)
+	err = linkReleaseAttachments(rel.ID, attachmentUUIDs)
 	if err != nil {
 		return err
 	}
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
@@ -478,6 +478,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Get("/following", user.Following)
 		})
 
+		//Keeping this path to have backward compat
 		m.Get("/attachments/:uuid", func(ctx *context.Context) {
 			attach, err := models.GetAttachmentByUUID(ctx.Params(":uuid"))
 			if err != nil {
@@ -489,6 +490,38 @@ func RegisterRoutes(m *macaron.Macaron) {
 				return
 			}
 
+			//Attachement without issue or release attached should not be returned
+			if attach.IsNotAttached() {
+				ctx.Error(404)
+				return
+			}
+			//Check issue access
+			if attach.IssueID != 0 {
+				iss, err = GetIssueByID(attach.IssueID)
+				if err != nil {{
+					ctx.ServerError("GetAttachmentByUUID.GetIssueByID", err)
+					return
+				}
+				if !iss.Repo.CanRead(models.UnitTypeIssues){
+					ctx.Error(403)
+					return
+				}
+			}
+
+			//Check release access
+			if attach.ReleaseID != 0 {
+				rel, err = GetReleaseByID(attach.ReleaseID)
+				if err != nil {{
+					ctx.ServerError("GetAttachmentByUUID.GetReleaseByID", err)
+					return
+				}
+				if !rel.Repo.CanRead(models.UnitTypeIssues){
+					ctx.Error(403)
+					return
+				}
+			}
+
+			//If we have matched a access release or issue
 			fr, err := os.Open(attach.LocalPath())
 			if err != nil {
 				ctx.ServerError("Open", err)
@@ -675,6 +708,10 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Combo("/new").Get(context.RepoRef(), repo.NewIssue).
 				Post(bindIgnErr(auth.CreateIssueForm{}), repo.NewIssuePost)
 		}, context.RepoMustNotBeArchived(), reqRepoIssueReader)
+
+		//Should be able to create issue (a user that can create release can create issue) 
+		m.Post("/attachments", repo.UploadAttachment, context.RepoMustNotBeArchived(), reqRepoIssueReader)
+
 		// FIXME: should use different URLs but mostly same logic for comments of issue and pull reuqest.
 		// So they can apply their own enable/disable logic on routers.
 		m.Group("/issues", func() {
@@ -770,7 +807,6 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Get("/new", repo.NewRelease)
 			m.Post("/new", bindIgnErr(auth.NewReleaseForm{}), repo.NewReleasePost)
 			m.Post("/delete", repo.DeleteRelease)
-			m.Post("/attachments", repo.UploadAttachment)
 		}, reqSignIn, repo.MustBeNotEmpty, context.RepoMustNotBeArchived(), reqRepoReleaseWriter, context.RepoRef())
 		m.Group("/releases", func() {
 			m.Get("/edit/*", repo.EditRelease)

Original file line number	Diff line number	Diff line change
`@@ -147,8 +147,8 @@ func createTag(gitRepo git.Repository, rel Release) error {`
`147`	`147`	`}`
`148`	`148`	`return nil`
`149`	`149`	`}`
`150`		`-/* TODO set this at upload`
`151`		`-func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error) {`
	`150`	`+`
	`151`	`+func linkReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error) {`
`152`	`152`	`// Check attachments`
`153`	`153`	`var attachments = make([]*Attachment, 0)`
`154`	`154`	`for _, uuid := range attachmentUUIDs {`
`@@ -159,6 +159,10 @@ func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error`
`159`	`159`	`}`
`160`	`160`	`return fmt.Errorf("getAttachmentByUUID [%s]: %v", uuid, err)`
`161`	`161`	`}`
	`162`	`+ if !attach.IsNotAttached(){`
	`163`	`+ log.Error("getAttachmentByUUID [%s]: skipping already linked attachement", uuid)`
	`164`	`+ continue`
	`165`	`+ }`
`162`	`166`	`attachments = append(attachments, attach)`
`163`	`167`	`}`
`164`	`168`
`@@ -172,7 +176,6 @@ func addReleaseAttachments(releaseID int64, attachmentUUIDs []string) (err error`
`172`	`176`
`173`	`177`	`return`
`174`	`178`	`}`
`175`		`-*/`
`176`	`179`
`177`	`180`	`// CreateRelease creates a new release of repository.`
`178`	`181`	`func CreateRelease(gitRepo git.Repository, rel Release, attachmentUUIDs []string) error {`
`@@ -193,7 +196,7 @@ func CreateRelease(gitRepo git.Repository, rel Release, attachmentUUIDs []stri`
`193`	`196`	`return err`
`194`	`197`	`}`
`195`	`198`
`196`		`- err = addReleaseAttachments(rel.ID, attachmentUUIDs)`
	`199`	`+ err = linkReleaseAttachments(rel.ID, attachmentUUIDs)`
`197`	`200`	`if err != nil {`
`198`	`201`	`return err`
`199`	`202`	`}`