mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-14 13:18:05 +02:00
f25811942c
The pre-receive hook cached the result of CanWriteCode() after the first ref in a batch push, but CanMaintainerWriteToBranch depends on the current branch name. A user holding a per-branch maintainer-edit grant (an open PR with "allow edits from maintainers") could batch that branch with protected branches or tags and have the cached approval reused, escalating to full repository write. Evaluate the permission fresh for every ref; the pusher and base permission remain cached via loadPusherAndPermission. Assisted-by: Claude:claude-opus-4-8