authorUnknwon <u@gogs.io>2016-12-22 19:35:06 -0500
committerUnknwon <u@gogs.io>2016-12-22 19:35:06 -0500
commitf471ef1bc7b583533c4adcbab010547c98662b5c (patch)
treeb39fee57a173a5c02a6720c79a7723dff1f18368 /models/release.go
parent7ebe0a99169f2a143ccb20da5d1918a99ccaaf7d (diff)
Fix vulnerability reported in #3962
Diffstat (limited to 'models/release.go')
-rw-r--r--models/release.go9
1 files changed, 7 insertions, 2 deletions
diff --git a/models/release.go b/models/release.go
index c79ff222..bac0e0f3 100644
--- a/models/release.go
+++ b/models/release.go
@@ -178,13 +178,18 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
return err
}
-// DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
-func DeleteReleaseByID(id int64) error {
+// DeleteReleaseByRepoID deletes a release and corresponding Git tag by given ID.
+func DeleteReleaseByRepoID(repoID, id int64) error {
rel, err := GetReleaseByID(id)
if err != nil {
return fmt.Errorf("GetReleaseByID: %v", err)
}
+ // Mark sure the delete operation againsts same repository.
+ if repoID != rel.RepoID {
+ return nil
+ }
+
repo, err := GetRepositoryByID(rel.RepoID)
if err != nil {
return fmt.Errorf("GetRepositoryByID: %v", err)
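Review bot: The ownership check at `if repoID != rel.RepoID` returns `nil`, so a delete request that names a release from a different repository is reported to the caller as a success and leaves no trace. Returning an error instead, e.g. `return fmt.Errorf("release %d not found in repository %d", id, repoID)`, lets the handler surface the failure and gives operators a log line to alert on for cross-repository attempts; whether any caller relies on the silent no-op is not visible in this hunk. The doc comment should also state the new contract, for instance `// DeleteReleaseByRepoID deletes the release with the given ID and its Git tag, but only if the release belongs to repoID.`, and the inline comment would read better as `// Make sure the delete operation targets the same repository.`. The function body continues past the end of the hunk.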