From 4b7f0c6c388ee71ede7eb3fa7ffe14d77bcbdab9 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sat, 18 Jun 2022 05:52:47 +0800
Subject: [PATCH] fix permission check for delete tag (#19985) (#20001)

fix #19970

by the way, fix some error response about protected tags.

Signed-off-by: a1012112796 <1012112796@qq.com>
---
 routers/api/v1/repo/release.go      |  6 ++++++
 routers/api/v1/repo/release_tags.go |  7 +++++++
 routers/api/v1/repo/tag.go          | 14 ++++++++++++++
 routers/web/repo/branch.go          |  6 ++++++
 routers/web/repo/release.go         |  6 +++++-
 services/release/release.go         | 14 ++++++++++++++
 templates/swagger/v1_json.tmpl      | 12 ++++++++++++
 7 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go
index 299eaddbc8..da9f0f7a55 100644
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@@ -344,6 +344,8 @@ func DeleteRelease(ctx *context.APIContext) {
 	//     "$ref": "#/responses/empty"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "405":
+	//     "$ref": "#/responses/empty"
 
 	id := ctx.ParamsInt64(":id")
 	rel, err := models.GetReleaseByID(id)
@@ -357,6 +359,10 @@ func DeleteRelease(ctx *context.APIContext) {
 		return
 	}
 	if err := releaseservice.DeleteReleaseByID(id, ctx.User, false); err != nil {
+		if models.IsErrProtectedTagName(err) {
+			ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
+			return
+		}
 		ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
 		return
 	}
diff --git a/routers/api/v1/repo/release_tags.go b/routers/api/v1/repo/release_tags.go
index 4b853d44bb..8acbb619f7 100644
--- a/routers/api/v1/repo/release_tags.go
+++ b/routers/api/v1/repo/release_tags.go
@@ -92,6 +92,8 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
 	//     "$ref": "#/responses/empty"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "405":
+	//     "$ref": "#/responses/empty"
 
 	tag := ctx.Params(":tag")
 
@@ -111,7 +113,12 @@ func DeleteReleaseByTag(ctx *context.APIContext) {
 	}
 
 	if err = releaseservice.DeleteReleaseByID(release.ID, ctx.User, false); err != nil {
+		if models.IsErrProtectedTagName(err) {
+			ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
+			return
+		}
 		ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
+		return
 	}
 
 	ctx.Status(http.StatusNoContent)
diff --git a/routers/api/v1/repo/tag.go b/routers/api/v1/repo/tag.go
index 13a625bafb..621b742e91 100644
--- a/routers/api/v1/repo/tag.go
+++ b/routers/api/v1/repo/tag.go
@@ -176,6 +176,8 @@ func CreateTag(ctx *context.APIContext) {
 	//     "$ref": "#/responses/Tag"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "405":
+	//     "$ref": "#/responses/empty"
 	//   "409":
 	//     "$ref": "#/responses/conflict"
 	form := web.GetForm(ctx).(*api.CreateTagOption)
@@ -196,6 +198,11 @@ func CreateTag(ctx *context.APIContext) {
 			ctx.Error(http.StatusConflict, "tag exist", err)
 			return
 		}
+		if models.IsErrProtectedTagName(err) {
+			ctx.Error(http.StatusMethodNotAllowed, "CreateNewTag", "user not allowed to create protected tag")
+			return
+		}
+
 		ctx.InternalServerError(err)
 		return
 	}
@@ -236,6 +243,8 @@ func DeleteTag(ctx *context.APIContext) {
 	//     "$ref": "#/responses/empty"
 	//   "404":
 	//     "$ref": "#/responses/notFound"
+	//   "405":
+	//     "$ref": "#/responses/empty"
 	//   "409":
 	//     "$ref": "#/responses/conflict"
 	tagName := ctx.Params("*")
@@ -256,7 +265,12 @@ func DeleteTag(ctx *context.APIContext) {
 	}
 
 	if err = releaseservice.DeleteReleaseByID(tag.ID, ctx.User, true); err != nil {
+		if models.IsErrProtectedTagName(err) {
+			ctx.Error(http.StatusMethodNotAllowed, "delTag", "user not allowed to delete protected tag")
+			return
+		}
 		ctx.Error(http.StatusInternalServerError, "DeleteReleaseByID", err)
+		return
 	}
 
 	ctx.Status(http.StatusNoContent)
diff --git a/routers/web/repo/branch.go b/routers/web/repo/branch.go
index 29b8acd61c..806814efde 100644
--- a/routers/web/repo/branch.go
+++ b/routers/web/repo/branch.go
@@ -370,6 +370,12 @@ func CreateBranch(ctx *context.Context) {
 		err = repo_service.CreateNewBranchFromCommit(ctx.User, ctx.Repo.Repository, ctx.Repo.CommitID, form.NewBranchName)
 	}
 	if err != nil {
+		if models.IsErrProtectedTagName(err) {
+			ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
+			ctx.Redirect(ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL())
+			return
+		}
+
 		if models.IsErrTagAlreadyExists(err) {
 			e := err.(models.ErrTagAlreadyExists)
 			ctx.Flash.Error(ctx.Tr("repo.branch.tag_collision", e.TagName))
diff --git a/routers/web/repo/release.go b/routers/web/repo/release.go
index b8e0d58e80..8068802808 100644
--- a/routers/web/repo/release.go
+++ b/routers/web/repo/release.go
@@ -519,7 +519,11 @@ func DeleteTag(ctx *context.Context) {
 
 func deleteReleaseOrTag(ctx *context.Context, isDelTag bool) {
 	if err := releaseservice.DeleteReleaseByID(ctx.FormInt64("id"), ctx.User, isDelTag); err != nil {
-		ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
+		if models.IsErrProtectedTagName(err) {
+			ctx.Flash.Error(ctx.Tr("repo.release.tag_name_protected"))
+		} else {
+			ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
+		}
 	} else {
 		if isDelTag {
 			ctx.Flash.Success(ctx.Tr("repo.release.deletion_tag_success"))
diff --git a/services/release/release.go b/services/release/release.go
index 5fa506bc61..4314b64ae7 100644
--- a/services/release/release.go
+++ b/services/release/release.go
@@ -295,6 +295,20 @@ func DeleteReleaseByID(id int64, doer *user_model.User, delTag bool) error {
 	}
 
 	if delTag {
+		protectedTags, err := models.GetProtectedTags(rel.RepoID)
+		if err != nil {
+			return fmt.Errorf("GetProtectedTags: %v", err)
+		}
+		isAllowed, err := models.IsUserAllowedToControlTag(protectedTags, rel.TagName, rel.PublisherID)
+		if err != nil {
+			return err
+		}
+		if !isAllowed {
+			return models.ErrProtectedTagName{
+				TagName: rel.TagName,
+			}
+		}
+
 		if stdout, err := git.NewCommand("tag", "-d", rel.TagName).
 			SetDescription(fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID)).
 			RunInDir(repo.RepoPath()); err != nil && !strings.Contains(err.Error(), "not found") {
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 791ada03fd..70b98c56b5 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -8515,6 +8515,9 @@
           },
           "404": {
             "$ref": "#/responses/notFound"
+          },
+          "405": {
+            "$ref": "#/responses/empty"
           }
         }
       }
@@ -8598,6 +8601,9 @@
           },
           "404": {
             "$ref": "#/responses/notFound"
+          },
+          "405": {
+            "$ref": "#/responses/empty"
           }
         }
       },
@@ -9366,6 +9372,9 @@
           "404": {
             "$ref": "#/responses/notFound"
           },
+          "405": {
+            "$ref": "#/responses/empty"
+          },
           "409": {
             "$ref": "#/responses/conflict"
           }
@@ -9453,6 +9462,9 @@
           "404": {
             "$ref": "#/responses/notFound"
           },
+          "405": {
+            "$ref": "#/responses/empty"
+          },
           "409": {
             "$ref": "#/responses/conflict"
           }