From a9af93cb216e9b5f4d1841d18593589143fbdc9c Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Fri, 20 May 2022 17:57:49 +0100
Subject: [PATCH] Nuke the incorrect permission report on /api/v1/notifications
 (#19761)

The permissions created in convertRepo use a minimal perm.AccessModeRead instead of
correctly computing the permission for the repository. This incorrect permission is
then reported to the user.

I do not believe that reporting the permissions is helpful and therefore I propose
we simply null these out. The user can check their permissions using a different
endpoint.

Fix #19759

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 modules/convert/notification.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/convert/notification.go b/modules/convert/notification.go
index f304eadf69..1efba5745c 100644
--- a/modules/convert/notification.go
+++ b/modules/convert/notification.go
@@ -25,6 +25,11 @@ func ToNotificationThread(n *models.Notification) *api.NotificationThread {
 	// since user only get notifications when he has access to use minimal access mode
 	if n.Repository != nil {
 		result.Repository = ToRepo(n.Repository, perm.AccessModeRead)
+
+		// This permission is not correct and we should not be reporting it
+		for repository := result.Repository; repository != nil; repository = repository.Parent {
+			repository.Permissions = nil
+		}
 	}
 
 	// handle Subject