From 6e86c4cde8e32731857d5d51468594103e5dcdba Mon Sep 17 00:00:00 2001 From: Giteabot Date: Tue, 14 Jul 2026 20:06:17 -0700 Subject: [PATCH] fix(actions): prevent bulk actions from affecting all runners (#38453) (#38457) Backport #38453 Co-authored-by: xkm --- routers/web/shared/actions/runners.go | 16 +++++++++------- templates/shared/actions/runner_list.tmpl | 6 +++--- tests/integration/actions_runner_modify_test.go | 7 +++++++ web_src/js/features/admin/common.ts | 10 +--------- 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/routers/web/shared/actions/runners.go b/routers/web/shared/actions/runners.go index f174bfb1cd4..21a2bb8fc1d 100644 --- a/routers/web/shared/actions/runners.go +++ b/routers/web/shared/actions/runners.go @@ -373,16 +373,18 @@ func RunnerBulkActionPost(ctx *context.Context) { return } - var runnerIDs []int64 - if rCtx.IsAdmin { - // ATTENTION: it completely depends on the assumption that the doer is "site admin" - // So it doesn't do extra permission check to the runner IDs - // In the future, if you need to support such operation on non-admin pages, be careful! - runnerIDs = ctx.FormStringInt64s("ids") - } else { + if !rCtx.IsAdmin { ctx.HTTPError(http.StatusForbidden, "bulk actions are admin-only") return } + // ATTENTION: it completely depends on the assumption that the doer is "site admin" + // So it doesn't do extra permission check to the runner IDs + // In the future, if you need to support such operation on non-admin pages, be careful! + runnerIDs := ctx.FormStringInt64s("ids") + if len(runnerIDs) == 0 { + ctx.HTTPError(http.StatusBadRequest, "missing runner IDs") + return + } action := ctx.FormString("action") var successKey, failedKey string diff --git a/templates/shared/actions/runner_list.tmpl b/templates/shared/actions/runner_list.tmpl index 1b287cdabc2..03400fa3a79 100644 --- a/templates/shared/actions/runner_list.tmpl +++ b/templates/shared/actions/runner_list.tmpl @@ -44,9 +44,9 @@
- - - + +