Pull Request access requires code access #13592

New Issue

Closed

opened 2025-11-02 10:47:23 -06:00 by GiteaMirror · 7 comments

GiteaMirror commented 2025-11-02 10:47:23 -06:00

Owner

Copy Link

Originally created by @hakito on GitHub (Oct 14, 2024).

Description

Our Product Owner needs access to Pull Requests to review completed feature branches.

I gave him Write Access to Pull Requests on /org/company/teams/po/edit

However, when he tried to go to PR page he got a 404 error (If I recall correctly). I also tried with Read access, but it also did not work.

I had to give him Code read access as well. The expecation would be, that with PR permission it would be possible to comment on the PR, but without access to the other tabs (code).

Gitea Version

1.22.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker

Database

None

Originally created by @hakito on GitHub (Oct 14, 2024). ### Description Our Product Owner needs access to Pull Requests to review completed feature branches. I gave him _Write_ Access to Pull Requests on `/org/company/teams/po/edit` However, when he tried to go to PR page he got a 404 error (If I recall correctly). I also tried with _Read_ access, but it also did not work. I had to give him _Code_ read access as well. The expecation would be, that with PR permission it would be possible to comment on the PR, but without access to the other tabs (code). ### Gitea Version 1.22.3 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Docker ### Database None

GiteaMirror added the type/bug label 2025-11-02 10:47:23 -06:00

GiteaMirror closed this issue 2025-11-02 10:47:24 -06:00

GiteaMirror commented 2025-11-02 10:47:24 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Oct 14, 2024):

-> Make owner/repo/pulls handlers use "PR reader" permission #32254

@wxiaoguang commented on GitHub (Oct 14, 2024): -> Make owner/repo/pulls handlers use "PR reader" permission #32254

GiteaMirror commented 2025-11-02 10:47:25 -06:00

Author

Owner

Copy Link

@yp05327 commented on GitHub (Oct 15, 2024):

IIRC, I have asked this question before, but no responses. I will try to find it. 🤔

@yp05327 commented on GitHub (Oct 15, 2024): IIRC, I have asked this question before, but no responses. I will try to find it. 🤔

GiteaMirror commented 2025-11-02 10:47:25 -06:00

Author

Owner

Copy Link

@yp05327 commented on GitHub (Oct 15, 2024):

It is here:
https://github.com/go-gitea/gitea/issues/22985#issuecomment-1436222437
And the answer is:
https://github.com/go-gitea/gitea/issues/22985#issuecomment-1652861623

ps: maybe this is outdated. But actually some operations of PR still depends on code unit permission. and it is not documented, so users may confused about it.

@yp05327 commented on GitHub (Oct 15, 2024): It is here: https://github.com/go-gitea/gitea/issues/22985#issuecomment-1436222437 And the answer is: https://github.com/go-gitea/gitea/issues/22985#issuecomment-1652861623 ps: maybe this is outdated. But actually some operations of PR still depends on code unit permission. and it is not documented, so users may confused about it.

GiteaMirror commented 2025-11-02 10:47:25 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Oct 15, 2024):

It is here: #22985 (comment) And the answer is: #22985 (comment)

ps: maybe this is outdated. But actually some operations of PR still depends on code unit permission. and it is not documented, so users may confused about it.

That's not related. By design "reader" could always create issues and edit their own issues. "writer" could manage issues. It is not that intuitive but it was indeed designed as that. Just like any GitHub user (reader) could open issues in Gitea's repo.

@wxiaoguang commented on GitHub (Oct 15, 2024): > It is here: [#22985 (comment)](https://github.com/go-gitea/gitea/issues/22985#issuecomment-1436222437) And the answer is: [#22985 (comment)](https://github.com/go-gitea/gitea/issues/22985#issuecomment-1652861623) > > ps: maybe this is outdated. But actually some operations of PR still depends on code unit permission. and it is not documented, so users may confused about it. That's not related. By design "reader" could always create issues and edit their own issues. "writer" could manage issues. It is not that intuitive but it was indeed designed as that. Just like any GitHub user (reader) could open issues in Gitea's repo.

GiteaMirror commented 2025-11-02 10:47:25 -06:00

Author

Owner

Copy Link

@yp05327 commented on GitHub (Oct 15, 2024):

I'm not talking about issues, but the PRs below.
About issues, I have already understood. Thanks for your explanation.

At that time, user without code permission but have PR read permission can access the PR, and the problem is that they can also review and approve it even they have no access to the code. This is what I want to say, as @hakito has mentioned it:

but without access to the other tabs (code)

And it seems that it is related to this change:
https://github.com/go-gitea/gitea/pull/30519/files#diff-3f5521b3af1ddd518b1958e0799d7ab00254d39af04eb96dc00d59d2644eb30fR1564
All reqRepoCodeReader was moved to the parent group, but actually pull request does not have it. So the logic changed since this change I think.

@yp05327 commented on GitHub (Oct 15, 2024): I'm not talking about issues, but the PRs below. About issues, I have already understood. Thanks for your explanation. At that time, user without code permission but have PR read permission can access the PR, and the problem is that they can also review and approve it even they have no access to the code. This is what I want to say, as @hakito has mentioned it: > but without access to the other tabs (code) And it seems that it is related to this change: https://github.com/go-gitea/gitea/pull/30519/files#diff-3f5521b3af1ddd518b1958e0799d7ab00254d39af04eb96dc00d59d2644eb30fR1564 All `reqRepoCodeReader` was moved to the parent group, but actually pull request does not have it. So the logic changed since this change I think. 

GiteaMirror commented 2025-11-02 10:47:26 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Oct 15, 2024):

Yes, it is related to #30519, I made that change which is not ideal (or buggy), that's why I proposed a quick fix

@wxiaoguang commented on GitHub (Oct 15, 2024): Yes, it is related to #30519, I made that change which is not ideal (or buggy), that's why I proposed a quick fix

GiteaMirror commented 2025-11-02 10:47:26 -06:00

Author

Owner

Copy Link

@yp05327 commented on GitHub (Oct 15, 2024):

I have created a new issue about whether user can access to the other tabs if they have no code permission: #32264

@yp05327 commented on GitHub (Oct 15, 2024): I have created a new issue about whether user can access to the other tabs if they have no code permission: #32264

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#13592