Fix non-admins unable to automerge PRs from forks (#36833)

Make `handlePullRequestAutoMerge` correctly check the permissions of the merging user against pr.BaseRepo. --------- Co-authored-by: Michael Hoang <enzime@users.noreply.github.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-03-20 03:40:27 +00:00 · 2026-03-06 11:03:12 +11:00
parent 9c2c9c5a00
commit c710ce34fb
2 changed files with 39 additions and 76 deletions
--- a/services/automerge/automerge.go
+++ b/services/automerge/automerge.go
@@ -245,9 +245,9 @@ func handlePullRequestAutoMerge(pullID int64, sha string) {
 		return
 	}

-	perm, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
+	perm, err := access_model.GetUserRepoPermission(ctx, pr.BaseRepo, doer)
 	if err != nil {
-		log.Error("GetUserRepoPermission %-v: %v", pr.HeadRepo, err)
+		log.Error("GetUserRepoPermission %-v: %v", pr.BaseRepo, err)
 		return
 	}