Fix get release draft permission check#36659
Conversation
Pull request overview
This PR tightens API access control around draft releases to ensure they’re only visible to users with write permission and (when authenticated via token) an appropriate write-level repository scope, and extends the same protection to draft release attachments.
Changes:
- Enforce draft-release visibility checks in `GetRelease` and `ListReleases` using a combined repo-permission + token-scope (write:repository) gate.
- Apply the same draft visibility restriction to release attachment APIs (list/get) and shared release-repo matching.
- Add integration tests and fixtures to validate draft release and draft attachment access behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/integration/api_releases_test.go | Adds a draft-release GET integration test (needs additional scope-coverage updates). |
| tests/integration/api_releases_attachment_test.go | Adds a draft-release attachment access test and new API structs usage. |
| routers/api/v1/repo/release_attachment.go | Blocks draft attachment access for unauthorized users (contains a redundant extra release DB lookup). |
| routers/api/v1/repo/release.go | Introduces helper functions to enforce write-scope for draft release visibility and draft inclusion in listing. |
| models/fixtures/attachment.yml | Adds a fixture attachment linked to a draft release for integration testing. |
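The gate the overview describes (write permission on the repository, plus a write:repository scope when the request is token-authenticated, applied to both GET and list, with drafts otherwise treated as non-existent) is sketched below as an added, self-contained Go example. It is not code from this PR or from Gitea: `APIContext`, `AccessMode`, `Token`, `Release`, `hasScope`, `canAccessDraftRelease`, `getRelease`, `listReleases` and `sampleReleases` are hypothetical stand-ins for the real types and helpers, and treating an `all` scope as implying `write:repository` is an assumption of the example.

```go
package main

import "fmt"

// Constructed stand-ins for Gitea's context/user/permission/token objects; hypothetical, not Gitea's types.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
)

type User struct{ Name string }
type Token struct{ Scopes []string } // granted scopes, e.g. "read:repository"

type APIContext struct {
	Doer     *User      // nil for anonymous requests
	RepoMode AccessMode // caller's effective permission on the repository
	Token    *Token     // nil when the caller used a session or basic auth
	status   int
	written  bool
}

func (c *APIContext) Written() bool     { return c.written }
func (c *APIContext) Status() int       { return c.status }
func (c *APIContext) APIErrorNotFound() { c.status = 404; c.written = true }
type Release struct {
	ID      int64
	Title   string
	IsDraft bool
}

// hasScope reports whether the token carries scope. Treating "all" as
// implying every scope is an assumption of this example.
func (t *Token) hasScope(scope string) bool {
	for _, s := range t.Scopes {
		if s == scope || s == "all" {
			return true
		}
	}
	return false
}

// canAccessDraftRelease is the combined gate the PR describes: authenticated,
// write permission on the repo and, if a token was used, write:repository on it.
// Anonymous callers are rejected first, so "no token" never reads as "no scope to fail".
func canAccessDraftRelease(ctx *APIContext) bool {
	if ctx.Doer == nil || ctx.RepoMode < AccessWrite {
		return false
	}
	if ctx.Token != nil && !ctx.Token.hasScope("write:repository") {
		return false
	}
	return true
}

// getRelease returns the release with id when the caller may see it. A draft the
// caller may not see gets the same 404 as a missing id, so the response never
// confirms a draft exists. The helper writes the response itself; callers test for nil.
func getRelease(ctx *APIContext, releases []Release, id int64) *Release {
	for i := range releases {
		if releases[i].ID != id {
			continue
		}
		if releases[i].IsDraft && !canAccessDraftRelease(ctx) {
			ctx.APIErrorNotFound()
			return nil
		}
		return &releases[i]
	}
	ctx.APIErrorNotFound()
	return nil
}

// listReleases drops drafts from a listing unless the caller passes the gate.
func listReleases(ctx *APIContext, releases []Release) []Release {
	includeDrafts := canAccessDraftRelease(ctx)
	out := make([]Release, 0, len(releases))
	for _, r := range releases {
		if r.IsDraft && !includeDrafts {
			continue
		}
		out = append(out, r)
	}
	return out
}

// sampleReleases is constructed data for the example, not the PR's fixtures.
func sampleReleases() []Release {
	return []Release{{ID: 1, Title: "v1.0.0"}, {ID: 2, Title: "v1.1.0", IsDraft: true}}
}

func main() {
	readOnly := &APIContext{Doer: &User{Name: "alice"}, RepoMode: AccessWrite,
		Token: &Token{Scopes: []string{"read:repository"}}}
	fmt.Println("drafts visible with read:repository token:", canAccessDraftRelease(readOnly))
	fmt.Println("releases listed:", len(listReleases(readOnly, sampleReleases())))
}
```

The point worth checking in a real implementation is the combination: a user with write permission on the repository but a read-only token must fail the gate, an anonymous caller must fail it before any scope logic runs, and a GET on a hidden draft must be indistinguishable from a GET on an id that does not exist.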
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Draft releases and their attachments need write permission to access. --------- Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Giteabot <teabot@gitea.io>
| release_service "code.gitea.io/gitea/services/release" | ||
| ) | ||
|
|
||
| func hasRepoWriteScope(ctx *context.APIContext) bool { |
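Review bot: `func hasRepoWriteScope(ctx *context.APIContext) bool` is named as a positive capability check, so every future caller will read true as "this caller has write scope"; the review below reports that it returns true for an anonymous user, which a name like this hides. Either make the no-authenticated-user case return false (no user means there is no scope to satisfy), or rename it for what it actually decides and document in a doc comment that a request without a token is treated as a pass.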
The name is not right. It will be definitely abused in the future.
It returns true for anonymous user.
| if !canAccessDraftRelease(ctx) { | ||
| if !ctx.Written() { | ||
| ctx.APIErrorNotFound() | ||
| } | ||
| return false |
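Review bot: the `if !ctx.Written() { ctx.APIErrorNotFound() }` guard around `canAccessDraftRelease(ctx)` splits response-writing between the helper and every caller: the helper sometimes writes an error and sometimes leaves it to the caller, and any call site that forgets the guard returns false with no response at all. Have `canAccessDraftRelease` write the response itself whenever it returns false, so call sites reduce to `if !canAccessDraftRelease(ctx) { return false }`. Answering with not-found rather than forbidden is the right choice here, since it keeps a draft's existence from leaking to callers who are not allowed to see it.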
Why use this new error pattern?
You should make canAccessDraftRelease write the response if it returns false
(Many places)
Following up: Fix release draft access check logic #36720
* giteaofficial/main: (81 commits)
  Add keyboard shortcuts for repository file and code search (go-gitea#36416)
  Refactor text utility classes to Tailwind CSS (go-gitea#36703)
  Prevent redirect bypasses via backslash-encoded paths (go-gitea#36660)
  Fix force push time-line commit comments of pull request (go-gitea#36653)
  Fix get release draft permission check (go-gitea#36659)
  Move `X_FRAME_OPTIONS` setting from `cors` to `security` section (go-gitea#30256)
  Update JS and PY deps (go-gitea#36708)
  Move jobparser from act repository to Gitea (go-gitea#36699)
  Fix push time bug (go-gitea#36693)
  Add icon to buttons "Close with Comment", "Close Pull Request", "Close Issue" (go-gitea#36654)
  various fixes (go-gitea#36697)
  Add AI Contribution Policy to CONTRIBUTING.md (go-gitea#36651)
  Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (go-gitea#36688)
  Rework e2e tests (go-gitea#36634)
  Remove unused functions (go-gitea#36672)
  Add migration http transport for push/sync mirror lfs (go-gitea#36665)
  Fix track time issue id (go-gitea#36664)
  Refactor inline style attributes (go-gitea#36652)
  Update Nix flake (go-gitea#36679)
  Upgrade gogit to 5.16.5 (go-gitea#36680)
  ...

# Conflicts:
#   web_src/js/features/repo-issue-content.ts
* main: (24 commits)
  Instance-wide (global) info banner and maintenance mode (go-gitea#36571)
  Add created_by filter to SearchIssues (go-gitea#36670)
  Inline and lazy-load EasyMDE CSS, fix border colors (go-gitea#36714)
  Fix release draft access check logic (go-gitea#36720)
  Change image transparency grid to CSS (go-gitea#36711)
  Avoid opening new tab when downloading actions logs (go-gitea#36740)
  Add validation constraints for repository creation fields (go-gitea#36671)
  Fix SVG height calculation in diff viewer (go-gitea#36748)
  Fix path resolving (go-gitea#36734)
  [skip ci] Updated translations via Crowdin
  Fix track time list permission check (go-gitea#36662)
  Fix incorrect setting loading order (go-gitea#36735)
  Use case-insensitive matching for Git error "Not a valid object name" (go-gitea#36728)
  feat: Add workflow dependencies visualization (go-gitea#36248)
  Add keyboard shortcuts for repository file and code search (go-gitea#36416)
  Refactor text utility classes to Tailwind CSS (go-gitea#36703)
  Prevent redirect bypasses via backslash-encoded paths (go-gitea#36660)
  Fix force push time-line commit comments of pull request (go-gitea#36653)
  Fix get release draft permission check (go-gitea#36659)
  Move `X_FRAME_OPTIONS` setting from `cors` to `security` section (go-gitea#30256)
  ...

# Conflicts:
#   web_src/css/base.css
#   web_src/css/index.css