Fix milestone appliance

Fix missing permission check Signed-off-by: Jonas Franz <info@jonasfranz.software>
2018-06-18 15:40:52 +02:00 · 2018-06-18 15:40:52 +02:00 · c528505c6d
commit c528505c6d
parent 85414d8b75
1 changed files with 16 additions and 9 deletions
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@ -165,7 +165,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 	//     "$ref": "#/responses/Issue"
 	var deadlineUnix util.TimeStamp
-	if form.Deadline != nil {
+	if form.Deadline != nil && ctx.Repo.IsWriter() {
 		deadlineUnix = util.TimeStamp(form.Deadline.Unix())
 	}
@ -178,15 +178,22 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 		DeadlineUnix: deadlineUnix,
 	}
-	// Get all assignee IDs
+	var assigneeIDs = make([]int64, 0)
-	assigneeIDs, err := models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees)
+	var err error
-	if err != nil {
+	if ctx.Repo.IsWriter() {
-		if models.IsErrUserNotExist(err) {
+		issue.MilestoneID = form.Milestone
-			ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err))
+		assigneeIDs, err = models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees)
-		} else {
+		if err != nil {
-			ctx.Error(500, "AddAssigneeByName", err)
+			if models.IsErrUserNotExist(err) {
 				ctx.Error(422, "", fmt.Sprintf("Assignee does not exist: [name: %s]", err))
 			} else {
 				ctx.Error(500, "AddAssigneeByName", err)
 			}
 			return
 		}
-		return
+	} else {
 		// setting labels is only allowed if user is writter
 		form.Labels = make([]int64, 0)
 	}
 	if err := models.NewIssue(ctx.Repo.Repository, issue, form.Labels, assigneeIDs, nil); err != nil {