Validate that the tag doesn't exist when creating a tag via the web #33241
Conversation
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/XS
|
To reproduce the bug, you can do the following:
|
Is it possible to write a test for this case? |
GiteaBot
added
lgtm/need 1
GiteaBot
added
lgtm/done
|
2 approvals now, would you like to merge it as-is, or there are still changes to do? |
|
Implementing test and changes 👍 |
pull-request-size
bot
added
size/S
pull-request-size
bot
added
size/M
|
Added your finding as comment in 7a5595c |
Hmm just realized the But it also disappears with other form validation errors (while running my dev instance on the main branch): It looks like it's a combination of:
|
|
If we need to handle the "error form", I think we can use "form-fetch-action", then we do not need to reload the page or re-fill the form, then the logic could be simpler? |
This comment was marked as outdated.
This comment was marked as outdated.
|
But now, the "tag only" button is in |
pull-request-size
bot
added
size/L
github-actions
bot
added
the
modifies/templates
|
By reading the code again, I found there are too many legacy bugs and I think it's worth to rewrite it. Major changes:
Maybe it's not easy to backport, if we need the backport, |
|
Done from my side, added some tests and comments, does the new logic look good to you? |
routers/web/repo/release.go
Outdated
| return | ||
| } | ||
| ctx.Data["Tags"] = tags | ||
| ctx.Data["TagNameReleaseExists"] = rel != nil |
There was a problem hiding this comment.
Big fan of the test refactor. Everything looks good to me, the only problem that I see now is the "Create Tag Only" problem we discussed earlier:
To reproduce:
- Have an existing tag e.g. "v1.0"
- Try creating a tag with the same name
It looks like this happens because the "error form" page we return now has a tag_name that points to an existing Release, which would set the highlighted line to true.
Would it make sense to set this to something like:
| ctx.Data["TagNameReleaseExists"] = rel != nil | |
| ctx.Data["TagNameReleaseExists"] = rel != nil && !rel.IsTag |
There was a problem hiding this comment.
Hmm, I think the problem is: we shouldn't stop users from creating new "tag-only" if the error occurs, no matter whether the release exists. So I think this line should be completely removed.
There was a problem hiding this comment.
Made some changes in 57aef6d
// We should still show the "tag only" button if the user clicks it, no matter the release exists or not.
// Because if error occurs, end users need to have the chance to edit the name and submit the form with "tag-only" again.
// It is still not completely right, because there could still be cases like this:
// * user visit "new release" page, see the "tag only" button
// * input something, click other buttons but not "tag only"
// * error occurs, the "new release" page is rendered again, but the "tag only" button is gone
// Such cases are not able to be handled by current code, it needs frontend code to toggle the "tag-only" button if the input changes.
ctx.Data["ShowCreateTagOnlyButton"] = form.TagOnly || rel == nilDoes it sound right?
There was a problem hiding this comment.
Yes it sounds about right
Hmm, I think the problem is: we shouldn't stop users from creating new "tag-only" if the error occurs, no matter whether the release exists. So I think this line should be completely removed.
Hmm it looks like the only case where we do hide it is when a tag_name field is passed which refers to an existing tag (I guess we hide it to avoid any confusion by users). I think it is fine to follow your alternative approach and have the button always appear since the user would be shown an error in case they do press it, but it's up to you
|
Not easy to backport and the changes are quite a lot. Maybe we only keep this fix in 1.24? (If there is a strong requirement to backport .... I could try to manually backport .....) |
* giteaofficial/main: (21 commits) Support public code/issue access for private repositories (go-gitea#33127) Validate that the tag doesn't exist when creating a tag via the web (go-gitea#33241) [skip ci] Updated translations via Crowdin Switch back to `vue-tsc` (go-gitea#33248) Let API create and edit system webhooks, attempt 2 (go-gitea#33180) Fix incorrect ref "blob" (go-gitea#33240) Refactor RefName (go-gitea#33234) Refactor context RefName and RepoAssignment (go-gitea#33226) [skip ci] Updated translations via Crowdin Fix upload file form (go-gitea#33230) Fix mirror bug (go-gitea#33224) Remove unused CSS styles and move some styles to proper files (go-gitea#33217) Refactor context repository (go-gitea#33202) [skip ci] Updated translations via Crowdin Fix unpin hint on the pinned pull requests (go-gitea#33207) fix(cache): cache test triggered by non memory cache (go-gitea#33220) Update README.md (go-gitea#33149) Fix editor markdown not incrementing in a numbered list (go-gitea#33187) Some small refactors (go-gitea#33144) Fix sync fork for consistency (go-gitea#33147) ...
Found while investigating #33210.
This line no longer makes sense because the form field "TagName" is required, so this would mean that this code path would never be covered. Because it isn't covered, we end up going down the "update release" logic where we eventually set
Release.IsTagto false (meaning it will now be treated as a release instead of a tag).This snapshot rewrites the condition to ensure that we aren't trying to create a tag that already exists.