From 0657d25583502c50e9dd5f735b8f7e6a9021cde7 Mon Sep 17 00:00:00 2001
From: Ross Golder <ross@golder.org>
Date: Thu, 23 Oct 2025 22:22:55 +0700
Subject: [PATCH] Remove redundant Repo.CanWrite checks from action handlers -
 permissions are enforced at route level

---
 routers/api/v1/repo/actions_run.go | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/routers/api/v1/repo/actions_run.go b/routers/api/v1/repo/actions_run.go
index fc2f9008e0..da51f362fd 100644
--- a/routers/api/v1/repo/actions_run.go
+++ b/routers/api/v1/repo/actions_run.go
@@ -107,11 +107,6 @@ func RerunWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	_, run, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -192,11 +187,6 @@ func CancelWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -293,11 +283,6 @@ func ApproveWorkflowRun(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {
@@ -396,11 +381,6 @@ func RerunWorkflowJob(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
-	if !ctx.Repo.CanWrite(unit.TypeActions) {
-		ctx.APIError(403, "User does not have write access to actions")
-		return
-	}
-
 	runID, _, err := getRunID(ctx)
 	if err != nil {
 		if errors.Is(err, util.ErrNotExist) {