fixed vulnerabilities on deleting release (#399)

models/release.go

@@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
 }
 
 // DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
-func DeleteReleaseByID(id int64) error {
+func DeleteReleaseByID(id int64, u *User) error {
 	rel, err := GetReleaseByID(id)
 	if err != nil {
 		return fmt.Errorf("GetReleaseByID: %v", err)
@@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error {
 		return fmt.Errorf("GetRepositoryByID: %v", err)
 	}
 
+	has, err := HasAccess(u, repo, AccessModeWrite)
+	if err != nil {
+		return fmt.Errorf("HasAccess: %v", err)
+	} else if !has {
+		return fmt.Errorf("DeleteReleaseByID: permission denied")
+	}
+
 	_, stderr, err := process.ExecDir(-1, repo.RepoPath(),
 		fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
 		"git", "tag", "-d", rel.TagName)

routers/repo/release.go

@@ -296,7 +296,7 @@ func EditReleasePost(ctx *context.Context, form auth.EditReleaseForm) {
 
 // DeleteRelease delete a release
 func DeleteRelease(ctx *context.Context) {
-	if err := models.DeleteReleaseByID(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteReleaseByID(ctx.QueryInt64("id"), ctx.User); err != nil {
 		ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("repo.release.deletion_success"))