diff --git a/routers/web/shared/actions/runners.go b/routers/web/shared/actions/runners.go index f174bfb1cd4..21a2bb8fc1d 100644 --- a/routers/web/shared/actions/runners.go +++ b/routers/web/shared/actions/runners.go @@ -373,16 +373,18 @@ func RunnerBulkActionPost(ctx *context.Context) { return } - var runnerIDs []int64 - if rCtx.IsAdmin { - // ATTENTION: it completely depends on the assumption that the doer is "site admin" - // So it doesn't do extra permission check to the runner IDs - // In the future, if you need to support such operation on non-admin pages, be careful! - runnerIDs = ctx.FormStringInt64s("ids") - } else { + if !rCtx.IsAdmin { ctx.HTTPError(http.StatusForbidden, "bulk actions are admin-only") return } + // ATTENTION: it completely depends on the assumption that the doer is "site admin" + // So it doesn't do extra permission check to the runner IDs + // In the future, if you need to support such operation on non-admin pages, be careful! + runnerIDs := ctx.FormStringInt64s("ids") + if len(runnerIDs) == 0 { + ctx.HTTPError(http.StatusBadRequest, "missing runner IDs") + return + } action := ctx.FormString("action") var successKey, failedKey string diff --git a/templates/shared/actions/runner_list.tmpl b/templates/shared/actions/runner_list.tmpl index 1b287cdabc2..03400fa3a79 100644 --- a/templates/shared/actions/runner_list.tmpl +++ b/templates/shared/actions/runner_list.tmpl @@ -44,9 +44,9 @@