User with no action unit access permission can also see the commit status #26685

Open
yp05327 opened this issue Aug 23, 2023 · 8 comments · May be fixed by #30156

yp05327 (Contributor) commented Aug 23, 2023

Description

User's permission:
[image]

[image]

Gitea Version

latest

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

build

Database

None

yp05327 changed the title from "User with no action unit permission can also see the commit status" to "User with no action unit access permission can also see the commit status" on Aug 23, 2023

lunny (Member) commented Aug 23, 2023

It's commit status not actions' special feature.

yp05327 (Contributor, Author) commented Aug 24, 2023

> It's commit status not actions' special feature.

Reasonable answer. But if you click Details, you will get a 404 page.
[image]
Should we hide this when using Gitea Actions and the user has no unit permission?

lunny (Member) commented Aug 24, 2023

> > It's commit status not actions' special feature.
>
> Reasonable answer. But if you click Details, you will get a 404 page. [image] Should we hide this when using Gitea Actions and the user has no unit permission?

Wow, I have no idea how to handle this now.

Zettat123 (Contributor) commented Mar 27, 2024

I encountered a similar issue. If the repo's action unit is disabled, even though I'm a repo administrator, I'll still get a 404 page when clicking the "Details" link.

yp05327 (Contributor, Author) commented Mar 27, 2024

I think this should be hidden when the user does not have permission or the unit is disabled.

lunny (Member) commented Mar 27, 2024

But you don't know if the commit status comes from actions or external sites.

Zettat123 (Contributor) commented

> But you don't know if the commit status comes from actions or external sites.

Maybe we can check the TargetURL of a commit status. If a status comes from Gitea Actions, its TargetURL should have a prefix like /{owner}/{repo}/actions.
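
One way to implement the TargetURL check suggested in the comment above, as an added example that is not part of the thread and not Gitea's own code. The names `IsActionsTarget`, `ShowDetailsLink`, `instanceHost` and `canReadActions` are hypothetical, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// IsActionsTarget reports whether targetURL points at this instance's
// /{owner}/{repo}/actions pages. Assumptions: the instance is served at the
// root of instanceHost, and owner/repo names compare case-insensitively.
func IsActionsTarget(targetURL, instanceHost, owner, repo string) bool {
	u, err := url.Parse(targetURL)
	if err != nil {
		return false
	}
	// Absolute URL on another host: an external status, whatever its path.
	if u.Host != "" && !strings.EqualFold(u.Host, instanceHost) {
		return false
	}
	prefix := strings.ToLower("/" + owner + "/" + repo + "/actions")
	p := strings.ToLower(path.Clean("/" + u.Path))
	// Match on a path-segment boundary so /actions-report is not caught.
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// ShowDetailsLink decides whether to render the "Details" link of a status.
// canReadActions is false when the unit is disabled or the viewer lacks
// access to it (hypothetical flag, computed by the caller).
func ShowDetailsLink(targetURL, instanceHost, owner, repo string, canReadActions bool) bool {
	if targetURL == "" {
		return false
	}
	if IsActionsTarget(targetURL, instanceHost, owner, repo) {
		return canReadActions
	}
	return true // external status: its link does not depend on the unit
}

func main() {
	for _, t := range []string{ // constructed sample target URLs
		"/alice/app/actions/runs/12/jobs/0",
		"https://ci.example.org/alice/app/actions/runs/1",
		"/alice/app/actions-report/7",
	} {
		fmt.Println(t, ShowDetailsLink(t, "git.example.test", "alice", "app", false))
	}
}
```

A bare string-prefix test would also match `/alice/app/actions-report` and an external CI host that reuses the same path, which is why the check parses the URL and compares host and path segments separately.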

yp05327 (Contributor, Author) commented May 14, 2024

Actually, I noticed another related issue.
If a user has no access to the code unit but has access to the action unit,
they would see the workflow file name, branch name, commit ID and so on.
These also have links, which will return 404.
