jojo/models
Mathieu Fenniak 3653b34ec7 [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294)
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12294
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:29:23 +02:00
actions [v14.0/forgejo] fix: when expanding a dynamic matrix, original 'needs' access was lost (#11166) 2026-02-15 23:55:05 +01:00
activities [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
admin feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
asymkey fix: use correct GPG key for export 2026-01-06 10:33:22 -07:00
auth [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
avatars [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
db [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294) 2026-04-29 05:29:23 +02:00
dbfs fix: garbage collect lingering actions logs (#10009) 2025-11-18 18:59:01 +01:00
fixtures test: backport from #9906 test data 2026-03-08 20:07:16 -06:00
forgefed log instrumentation & test package (#10371) 2025-12-09 15:37:50 +01:00
forgejo/semver [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
forgejo_migrations [v14.0/forgejo] migration: update existing foreign key migrations to automatically fix inconsistencies (#10621) 2025-12-29 03:49:03 +01:00
forgejo_migrations_legacy [v14.0/forgejo] migration: update existing foreign key migrations to automatically fix inconsistencies (#10621) 2025-12-29 03:49:03 +01:00
git [v14.0/forgejo] fix: add forgejo doctor cleanup-commit-status command to recover from #10671 (#10781) 2026-01-12 13:11:04 +01:00
gitea_migrations [v14.0/forgejo] fix: use ALTER TABLE in SQLite DropTableColumns(), allowing unexpected database sources to work better in migrations (#10903) 2026-01-17 22:34:10 +01:00
issues [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294) 2026-04-29 05:29:23 +02:00
moderation feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
organization [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
packages [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
perm [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
project chore: add unit tests 2026-03-08 20:07:29 -06:00
pull fix: do not ignore automerge while a PR is checking for conflicts (#8189) 2025-06-17 10:58:07 +02:00
quota [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
repo [v14.0/forgejo] fix: make /repos/search?uid=-2 return zero results, no repos with that owner (#12149) 2026-04-16 21:00:40 +02:00
secret [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
shared/types chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
system [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
unit feat(build): add support for the base.Messenger, $.locale.Tr, Form structs to lint-locale-usage (#9095) 2025-09-30 03:25:45 +02:00
unittest [v14.0/forgejo] fix: prevent panic on gitlab import (releases/issues) (#11484) 2026-03-05 03:03:15 +01:00
user [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
webhook fix: paginate GET /api/v1/admin/hooks response (#9915) 2025-11-06 00:08:13 +01:00
error.go fix: don't allow credentials in migrate/push mirror URL 2025-08-30 08:07:23 +02:00
main_test.go [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
org.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org_team.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org_team_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
org_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo.go fix: possible cause of invalid issue counts; cache invalidation occurs before a active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
repo_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo_transfer.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
repo_transfer_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00