fix: correctly check permissions
This commit is contained in:
parent
b4d8fd75d2
commit
9ce4dbf015
1 changed files with 18 additions and 7 deletions
25
index.ts
25
index.ts
|
|
@ -665,11 +665,15 @@ async function assertPermissions() {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Otherwise the actor must have write access, i.e. be a collaborator/member.
|
// Otherwise the actor must have at least write access. We query the effective
|
||||||
// Forgejo: GET .../collaborators/{user} returns 204 if a collaborator, 404 if not.
|
// permission endpoint rather than the bare collaborators endpoint, because the
|
||||||
// We use a raw fetch (not forgejoFetch) because the 204 response has no JSON body.
|
// latter only lists *direct* collaborators and 404s for users who inherit
|
||||||
|
// access through an organization team (e.g. the "owners" team).
|
||||||
|
// Forgejo: GET .../collaborators/{user}/permission returns
|
||||||
|
// { permission: "admin" | "write" | "read" | "none", ... }
|
||||||
|
// accounting for direct collaboration, team membership, and org ownership.
|
||||||
const { forgejoToken } = getForgejoConfig()
|
const { forgejoToken } = getForgejoConfig()
|
||||||
const url = forgejoApiUrl("repos", context.repo.owner, context.repo.repo, "collaborators", actor)
|
const url = forgejoApiUrl("repos", context.repo.owner, context.repo.repo, "collaborators", actor, "permission")
|
||||||
let res: Response
|
let res: Response
|
||||||
try {
|
try {
|
||||||
res = await fetch(url, { headers: { Authorization: `token ${forgejoToken}` } })
|
res = await fetch(url, { headers: { Authorization: `token ${forgejoToken}` } })
|
||||||
|
|
@ -678,9 +682,16 @@ async function assertPermissions() {
|
||||||
throw new Error(`Could not verify permissions for "${actor}": ${error.message}`)
|
throw new Error(`Could not verify permissions for "${actor}": ${error.message}`)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (res.status === 204 || res.ok) {
|
if (res.ok) {
|
||||||
console.log(" permission: write (collaborator)")
|
const { permission } = (await res.json().catch(() => ({}))) as { permission?: string }
|
||||||
return
|
if (permission === "admin" || permission === "write") {
|
||||||
|
console.log(` permission: ${permission}`)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
throw new Error(
|
||||||
|
`User "${actor}" is not authorized to trigger this action ` +
|
||||||
|
`(requires write access to ${context.repo.owner}/${context.repo.repo}, has "${permission ?? "none"}").`,
|
||||||
|
)
|
||||||
}
|
}
|
||||||
if (res.status === 404) {
|
if (res.status === 404) {
|
||||||
throw new Error(
|
throw new Error(
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue