fix: require CanUpdate for project background deletion

RemoveProjectBackground previously used checkProjectBackgroundRights
which only checks CanRead, allowing read-only users to delete project
backgrounds. Add checkProjectBackgroundWriteRights, which checks
CanUpdate, and use it in RemoveProjectBackground.

Ref: GHSA-564f-wx8x-878h
kolaente 2026-03-20 10:15:11 +01:00 committed by kolaente
parent f60f3af70b
commit f066eb3ea4
1 changed files with 27 additions and 1 deletions


@ -328,6 +328,32 @@ func checkProjectBackgroundRights(s *xorm.Session, c *echo.Context) (project *mo
return
}
func checkProjectBackgroundWriteRights(s *xorm.Session, c *echo.Context) (project *models.Project, auth web.Auth, err error) {
auth, err = auth2.GetAuthFromClaims(c)
if err != nil {
return nil, auth, echo.NewHTTPError(http.StatusBadRequest, "Invalid auth token: "+err.Error()).Wrap(err)
}
projectID, err := strconv.ParseInt(c.Param("project"), 10, 64)
if err != nil {
return nil, auth, echo.NewHTTPError(http.StatusBadRequest, "Invalid project ID: "+err.Error()).Wrap(err)
}
project = &models.Project{ID: projectID}
can, err := project.CanUpdate(s, auth)
if err != nil {
_ = s.Rollback()
return nil, auth, err
}
if !can {
_ = s.Rollback()
log.Infof("Tried to modify project background of project %d while not having the permissions for it (User: %v)", projectID, auth)
return nil, auth, echo.NewHTTPError(http.StatusForbidden, "Forbidden")
}
return
}
// GetProjectBackground serves a previously set background from a project
// It has no knowledge of the provider that was responsible for setting the background.
// @Summary Get the project background
@ -417,7 +443,7 @@ func RemoveProjectBackground(c *echo.Context) error {
s := db.NewSession()
defer s.Close()
project, auth, err := checkProjectBackgroundRights(s, c)
project, auth, err := checkProjectBackgroundWriteRights(s, c)
if err != nil {
_ = s.Rollback()
return err
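Review bot: checkProjectBackgroundWriteRights is a near-verbatim copy of checkProjectBackgroundRights with only the permission call swapped to CanUpdate, which leaves two copies of the token and project-ID parsing to keep in sync and makes it easy for a future mutating handler to pick the read-only helper again, exactly as RemoveProjectBackground did before this commit. I would factor the shared parsing and rollback handling into one private helper that takes the permission check as a parameter and make both named helpers thin wrappers over it; a sketch follows, with the existing CanRead wrapper written the same way via a small closure if its return arity differs. The new function also carries no doc comment; I would add `// checkProjectBackgroundWriteRights resolves the project from the :project route parameter and requires CanUpdate on it, rolling back s on every error path.` CanUpdate is invoked on a Project populated only with its ID, so this relies on CanUpdate loading the project itself — presumably the same pattern the existing read helper uses, but worth confirming. The caller in RemoveProjectBackground rolls back once more after the helper already did; this looks harmless but is redundant and could be dropped or documented.
```go
// checkProjectBackgroundPermission parses the auth token and project ID from the
// request and enforces the supplied permission check, rolling back s on failure.
func checkProjectBackgroundPermission(s *xorm.Session, c *echo.Context, can func(*models.Project, web.Auth) (bool, error)) (project *models.Project, auth web.Auth, err error) {
	// … unchanged: auth and project ID parsing, as in checkProjectBackgroundRights …
	project = &models.Project{ID: projectID}
	ok, err := can(project, auth)
	if err != nil {
		_ = s.Rollback()
		return nil, auth, err
	}
	if !ok {
		_ = s.Rollback()
		log.Infof("Tried to access project background of project %d while not having the permissions for it (User: %v)", projectID, auth)
		return nil, auth, echo.NewHTTPError(http.StatusForbidden, "Forbidden")
	}
	return project, auth, nil
}

// checkProjectBackgroundWriteRights requires CanUpdate on the project.
func checkProjectBackgroundWriteRights(s *xorm.Session, c *echo.Context) (*models.Project, web.Auth, error) {
	return checkProjectBackgroundPermission(s, c, func(p *models.Project, a web.Auth) (bool, error) {
		return p.CanUpdate(s, a)
	})
}
```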