From 324d6711dafad9a166a049276c0819e5cfcc22ed Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Wed, 23 Nov 2022 16:18:07 +0800
Subject: [PATCH] permission check

---
 routers/api/v1/api.go | 7 ++++++-
 routers/web/repo/http.go | 13 +++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index d67bd28b80..5f22e099e0 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -199,7 +199,12 @@ func repoAssignment() func(ctx *context.APIContext) {
 return
 }
- ctx.Repo.Permission.AccessMode = perm_model.AccessModeAdmin
+ if task.IsForkPullRequest {
+ ctx.Repo.Permission.AccessMode = perm_model.AccessModeRead
+ } else {
+ ctx.Repo.Permission.AccessMode = perm_model.AccessModeWrite
+ }
+
 if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
 ctx.Error(http.StatusInternalServerError, "LoadUnits", err)
 return
diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index 8c3e25c273..efb61174c4 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -199,12 +199,25 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 ctx.PlainText(http.StatusForbidden, "User permission denied")
 return
 }
+
+ if task.IsForkPullRequest {
+ if accessMode > perm.AccessModeRead {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
+ } else {
+ if accessMode > perm.AccessModeWrite {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
+ }
 } else {
 p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
 if err != nil {
 ctx.ServerError("GetUserRepoPermission", err)
 return
 }
+
 if !p.CanAccess(accessMode, unitType) {
 ctx.PlainText(http.StatusForbidden, "User permission denied")
 return
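Review bot: The task branch added to httpBase in routers/web/repo/http.go spells the cap out twice — the two arms of `if task.IsForkPullRequest` differ only in the threshold (`perm.AccessModeRead` vs `perm.AccessModeWrite`) and carry identical deny bodies — and the same fork-PR-means-read-only rule is restated in the routers/api/v1/api.go hunk, so the policy now lives in two files that can drift apart. Compute the ceiling once and compare against it, and consider moving that mapping into a single helper on the task so the web and API paths derive the access mode from one place. Unlike the else branch's `p.CanAccess(accessMode, unitType)`, the task branch never consults `unitType`; if wiki requests also pass through httpBase this gives a task token the same ceiling on the wiki, which may be intended but is worth confirming. httpBase begins before this hunk and continues past it.
```go
// … unchanged: task lookup and the preceding permission-denied check …
maxMode := perm.AccessModeWrite
if task.IsForkPullRequest {
	// a run triggered by a fork pull request only ever gets a read-only token
	maxMode = perm.AccessModeRead
}
if accessMode > maxMode {
	ctx.PlainText(http.StatusForbidden, "User permission denied")
	return
}
// … unchanged: else branch with GetUserRepoPermission / CanAccess …
```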