diff --git a/cmd/hook.go b/cmd/hook.go
index b3e900afee..ca876f02a3 100644
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -65,6 +65,7 @@ func runHookPreReceive(c *cli.Context) error {
username := os.Getenv(models.EnvRepoUsername)
reponame := os.Getenv(models.EnvRepoName)
userID, _ := strconv.ParseInt(os.Getenv(models.EnvPusherID), 10, 64)
+ prID, _ := strconv.ParseInt(os.Getenv(models.ProtectedBranchPRID), 10, 64)
buf := bytes.NewBuffer(nil)
scanner := bufio.NewScanner(os.Stdin)
@@ -95,6 +96,7 @@ func runHookPreReceive(c *cli.Context) error {
UserID: userID,
GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
GitObjectDirectory: os.Getenv(private.GitObjectDirectory),
+ ProtectedBranchID: prID,
})
switch statusCode {
case http.StatusInternalServerError:
diff --git a/cmd/serv.go b/cmd/serv.go
index 2ea89757db..32dd8cbd3e 100644
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -191,6 +191,7 @@ func runServ(c *cli.Context) error {
os.Setenv(models.EnvPusherName, results.UserName)
os.Setenv(models.EnvPusherID, strconv.FormatInt(results.UserID, 10))
os.Setenv(models.ProtectedBranchRepoID, strconv.FormatInt(results.RepoID, 10))
+ os.Setenv(models.ProtectedBranchPRID, fmt.Sprintf("%d", 0))
//LFS token authentication
if verb == lfsAuthenticateVerb {
@@ -239,8 +240,6 @@ func runServ(c *cli.Context) error {
gitcmd = exec.Command(verb, repoPath)
}
- os.Setenv(models.ProtectedBranchRepoID, fmt.Sprintf("%d", results.RepoID))
-
gitcmd.Dir = setting.RepoRootPath
gitcmd.Stdout = os.Stdout
gitcmd.Stdin = os.Stdin
diff --git a/models/branches.go b/models/branches.go
index df3b69aa21..fa4215d6a0 100644
--- a/models/branches.go
+++ b/models/branches.go
@@ -19,6 +19,8 @@ import (
const (
// ProtectedBranchRepoID protected Repo ID
ProtectedBranchRepoID = "GITEA_REPO_ID"
+ // ProtectedBranchPRID protected Repo PR ID
+ ProtectedBranchPRID = "GITEA_PR_ID"
)
// ProtectedBranch struct
diff --git a/models/helper_environment.go b/models/helper_environment.go
index 199eb6062d..0460fc3df5 100644
--- a/models/helper_environment.go
+++ b/models/helper_environment.go
@@ -12,26 +12,34 @@ import (
// PushingEnvironment returns an os environment to allow hooks to work on push
func PushingEnvironment(doer *User, repo *Repository) []string {
+ return FullPushingEnvironment(doer, doer, repo, 0)
+}
+
+// FullPushingEnvironment returns an os environment to allow hooks to work on push
+func FullPushingEnvironment(author, committer *User, repo *Repository, prID int64) []string {
isWiki := "false"
if strings.HasSuffix(repo.Name, ".wiki") {
isWiki = "true"
}
- sig := doer.NewGitSig()
+ authorSig := author.NewGitSig()
+ committerSig := committer.NewGitSig()
// We should add "SSH_ORIGINAL_COMMAND=gitea-internal",
// once we have hook and pushing infrastructure working correctly
return append(os.Environ(),
- "GIT_AUTHOR_NAME="+sig.Name,
- "GIT_AUTHOR_EMAIL="+sig.Email,
- "GIT_COMMITTER_NAME="+sig.Name,
- "GIT_COMMITTER_EMAIL="+sig.Email,
+ "GIT_AUTHOR_NAME="+authorSig.Name,
+ "GIT_AUTHOR_EMAIL="+authorSig.Email,
+ "GIT_COMMITTER_NAME="+committerSig.Name,
+ "GIT_COMMITTER_EMAIL="+committerSig.Email,
EnvRepoName+"="+repo.Name,
EnvRepoUsername+"="+repo.MustOwnerName(),
EnvRepoIsWiki+"="+isWiki,
- EnvPusherName+"="+doer.Name,
- EnvPusherID+"="+fmt.Sprintf("%d", doer.ID),
+ EnvPusherName+"="+committer.Name,
+ EnvPusherID+"="+fmt.Sprintf("%d", committer.ID),
ProtectedBranchRepoID+"="+fmt.Sprintf("%d", repo.ID),
+ ProtectedBranchPRID+"="+fmt.Sprintf("%d", prID),
+ "SSH_ORIGINAL_COMMAND=gitea-internal",
)
}
diff --git a/models/pull.go b/models/pull.go
index eac36235bb..6ee2ec555d 100644
--- a/models/pull.go
+++ b/models/pull.go
@@ -876,7 +876,7 @@ func (pr *PullRequest) UpdatePatch() (err error) {
if err = pr.GetHeadRepo(); err != nil {
return fmt.Errorf("GetHeadRepo: %v", err)
} else if pr.HeadRepo == nil {
- log.Trace("PullRequest[%d].UpdatePatch: ignored cruppted data", pr.ID)
+ log.Trace("PullRequest[%d].UpdatePatch: ignored corrupted data", pr.ID)
return nil
}
diff --git a/modules/private/hook.go b/modules/private/hook.go
index 7e2a475d4b..caa3819555 100644
--- a/modules/private/hook.go
+++ b/modules/private/hook.go
@@ -29,11 +29,12 @@ type HookOptions struct {
UserName string
GitObjectDirectory string
GitAlternativeObjectDirectories string
+ ProtectedBranchID int64
}
// HookPreReceive check whether the provided commits are allowed
func HookPreReceive(ownerName, repoName string, opts HookOptions) (int, string) {
- reqURL := setting.LocalURL + fmt.Sprintf("api/internal/hook/pre-receive/%s/%s?old=%s&new=%s&ref=%s&userID=%d&gitObjectDirectory=%s&gitAlternativeObjectDirectories=%s",
+ reqURL := setting.LocalURL + fmt.Sprintf("api/internal/hook/pre-receive/%s/%s?old=%s&new=%s&ref=%s&userID=%d&gitObjectDirectory=%s&gitAlternativeObjectDirectories=%s&prID=%d",
url.PathEscape(ownerName),
url.PathEscape(repoName),
url.QueryEscape(opts.OldCommitID),
@@ -42,6 +43,7 @@ func HookPreReceive(ownerName, repoName string, opts HookOptions) (int, string)
opts.UserID,
url.QueryEscape(opts.GitObjectDirectory),
url.QueryEscape(opts.GitAlternativeObjectDirectories),
+ opts.ProtectedBranchID,
)
resp, err := newInternalRequest(reqURL, "GET").Response()
diff --git a/modules/pull/merge.go b/modules/pull/merge.go
index e12ede81d6..5685336a2b 100644
--- a/modules/pull/merge.go
+++ b/modules/pull/merge.go
@@ -231,7 +231,17 @@ func Merge(pr *models.PullRequest, doer *models.User, baseGitRepo *git.Repositor
}
}
- env := models.PushingEnvironment(doer, pr.BaseRepo)
+ headUser, err := models.GetUserByName(pr.HeadUserName)
+ if err != nil {
+ if !models.IsErrUserNotExist(err) {
+ log.Error("Can't find user: %s for head repository - %v", pr.HeadUserName, err)
+ return err
+ }
+ log.Error("Can't find user: %s for head repository - defaulting to doer: %s - %v", pr.HeadUserName, doer.Name, err)
+ headUser = doer
+ }
+
+ env := models.FullPushingEnvironment(headUser, doer, pr.BaseRepo, pr.ID)
// Push back to upstream.
if err := git.NewCommand("push", "origin", pr.BaseBranch).RunInDirTimeoutEnvPipeline(env, -1, tmpBasePath, nil, &errbuf); err != nil {
diff --git a/routers/private/hook.go b/routers/private/hook.go
index 3da5e38edb..1071c57bc0 100644
--- a/routers/private/hook.go
+++ b/routers/private/hook.go
@@ -31,6 +31,7 @@ func HookPreReceive(ctx *macaron.Context) {
userID := ctx.QueryInt64("userID")
gitObjectDirectory := ctx.QueryTrim("gitObjectDirectory")
gitAlternativeObjectDirectories := ctx.QueryTrim("gitAlternativeObjectDirectories")
+ prID := ctx.QueryInt64("prID")
branchName := strings.TrimPrefix(refFullName, git.BranchPrefix)
repo, err := models.GetRepositoryByOwnerAndName(ownerName, repoName)
@@ -85,7 +86,24 @@ func HookPreReceive(ctx *macaron.Context) {
}
}
- if !protectBranch.CanUserPush(userID) {
+ canPush := protectBranch.CanUserPush(userID)
+ if !canPush && prID > 0 {
+ pr, err := models.GetPullRequestByID(prID)
+ if err != nil {
+ log.Error("Unable to get PullRequest %d Error: %v", prID, err)
+ ctx.JSON(http.StatusInternalServerError, map[string]interface{}{
+ "err": fmt.Sprintf("Unable to get PullRequest %d Error: %v", prID, err),
+ })
+ return
+ }
+ if !protectBranch.HasEnoughApprovals(pr) {
+ log.Warn("Forbidden: User %d cannot push to protected branch: %s in %-v and pr #%d does not have enough approvals", userID, branchName, repo, pr.Index)
+ ctx.JSON(http.StatusForbidden, map[string]interface{}{
+ "err": fmt.Sprintf("protected branch %s can not be pushed to and pr #%d does not have enough approvals", branchName, prID),
+ })
+ return
+ }
+ } else if !canPush {
log.Warn("Forbidden: User %d cannot push to protected branch: %s in %-v", userID, branchName, repo)
ctx.JSON(http.StatusForbidden, map[string]interface{}{
"err": fmt.Sprintf("protected branch %s can not be pushed to", branchName),