From 6c1a31ffaaddf8ced7c30bf5b1e6e82d66f8c6ee Mon Sep 17 00:00:00 2001
From: Lanre Adelowo
Date: Mon, 20 Aug 2018 06:04:01 +0100
Subject: [PATCH] User shouldn't be able to approve or reject his/her own PR (#4729)
* Make sure author cannot reject/approve their own PR
* Disable buttons in templates too
* Remove unneccessary if check since the switch below catches it
* Fix IsOwner check
* Update template and remove new template variable
* Add alert template and redirect to diff page on review failure
* Redirect to files diff as a little update to #4632
---
 options/locale/locale_en-US.ini | 2 ++
 routers/repo/pull_review.go | 24 ++++++++++++++++++++++--
 templates/repo/diff/new_review.tmpl | 6 +++---
 templates/repo/pulls/files.tmpl | 1 +
 4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 82925e9c0..4b2b20204 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -814,6 +814,8 @@ issues.dependency.add_error_dep_not_exist = Dependency does not exist.
 issues.dependency.add_error_dep_exists = Dependency already exists.
 issues.dependency.add_error_cannot_create_circular = You cannot create a dependency with two issues blocking each other.
 issues.dependency.add_error_dep_not_same_repo = Both issues must be in the same repository.
+issues.review.self.approval = You cannot approve your own pull request.
+issues.review.self.rejection = You cannot request changes on your own pull request.
 issues.review.approve = "approved these changes %s"
 issues.review.comment = "reviewed %s"
 issues.review.content.empty = You need to leave a comment indicating the requested change(s).
diff --git a/routers/repo/pull_review.go b/routers/repo/pull_review.go
index 7ca02ac80..1269a7a7e 100644
--- a/routers/repo/pull_review.go
+++ b/routers/repo/pull_review.go
@@ -103,14 +103,34 @@ func SubmitReview(ctx *context.Context, form auth.SubmitReviewForm) {
 var err error
 reviewType := form.ReviewType()
- if reviewType == models.ReviewTypeUnknown {
+
+ switch reviewType {
+ case models.ReviewTypeUnknown:
 ctx.ServerError("GetCurrentReview", fmt.Errorf("unknown ReviewType: %s", form.Type))
 return
+
+ // can not approve/reject your own PR
+ case models.ReviewTypeApprove, models.ReviewTypeReject:
+
+ if issue.Poster.ID == ctx.User.ID {
+
+ var translated string
+
+ if reviewType == models.ReviewTypeApprove {
+ translated = ctx.Tr("repo.issues.review.self.approval")
+ } else {
+ translated = ctx.Tr("repo.issues.review.self.rejection")
+ }
+
+ ctx.Flash.Error(translated)
+ ctx.Redirect(fmt.Sprintf("%s/pulls/%d/files", ctx.Repo.RepoLink, issue.Index))
+ return
+ }
 }
 if form.HasEmptyContent() {
 ctx.Flash.Error(ctx.Tr("repo.issues.review.content.empty"))
- ctx.Redirect(fmt.Sprintf("%s/pulls/%d", ctx.Repo.RepoLink, issue.Index))
+ ctx.Redirect(fmt.Sprintf("%s/pulls/%d/files", ctx.Repo.RepoLink, issue.Index))
 return
 }
diff --git a/templates/repo/diff/new_review.tmpl b/templates/repo/diff/new_review.tmpl
index 2b49ac729..68d8f893f 100644
--- a/templates/repo/diff/new_review.tmpl
+++ b/templates/repo/diff/new_review.tmpl
@@ -16,11 +16,11 @@ placeholder="{{$.i18n.Tr "repo.diff.review.placeholder"}}">
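Review bot: The self-review guard added under `case models.ReviewTypeApprove, models.ReviewTypeReject:` in SubmitReview (routers/repo/pull_review.go) is enforced only in this web handler, so any other code path that creates an approve or reject review would not be covered by it. If approvals are used as a merge gate, the rule is safer enforced where the review is persisted, and a test asserting that a poster's own approval and rejection are refused would pin the behaviour; none is added in this patch. The comparison also dereferences `issue.Poster` with no nil check visible in the hunk; assuming the issue stores its poster id directly, `if issue.PosterID == ctx.User.ID {` avoids depending on Poster having been loaded. SubmitReview's body starts before and continues after the hunk, so whether Poster is guaranteed to be populated here cannot be confirmed from these lines.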
- - + diff --git a/templates/repo/pulls/files.tmpl b/templates/repo/pulls/files.tmpl index 7663788c6..fb46919f8 100644 --- a/templates/repo/pulls/files.tmpl +++ b/templates/repo/pulls/files.tmpl @@ -11,6 +11,7 @@
{{template "repo/issue/view_title" .}} {{template "repo/pulls/tab_menu" .}} + {{template "base/alert" .}}
{{template "repo/diff/box" .}}