Merge pull request #804 from reasonerjt/dev

fix #801, add permission check before filtering access log of a project.
2024-06-26 23:05:04 +02:00 · 2016-09-14 16:05:10 +08:00 · 2016-09-14 16:05:10 +08:00 · 1c216d902a
commit 1c216d902a
parent e6b3638f9c e5c464f205
1 changed files with 5 additions and 0 deletions
--- a/api/project.go
+++ b/api/project.go
@ -338,6 +338,11 @@ func (p *ProjectAPI) FilterAccessLog() {
 	var query models.AccessLog
 	p.DecodeJSONReq(&query)

+	if !checkProjectPermission(p.userID, p.projectID) {
+		log.Warningf("Current user, user id: %d does not have permission to read accesslog of project, id: %d", p.userID, p.projectID)
+		p.RenderError(http.StatusForbidden, "")
+		return
+	}
 	query.ProjectID = p.projectID
 	query.BeginTime = time.Unix(query.BeginTimestamp, 0)
 	query.EndTime = time.Unix(query.EndTimestamp, 0)