FIX

Author: NorthRealm

routers/api/v1/repo/action.go

@@ -1103,6 +1103,10 @@ func DeleteActionRun(ctx *context.APIContext) {
 		ctx.APIErrorInternal(err)
 		return
 	}
+	if run.RepoID != ctx.Repo.Repository.ID {
+		ctx.APIError(http.StatusNotFound, fmt.Errorf("run with id %d: %w", runID, util.ErrNotExist))
+		return
+	}
 	if !run.Status.IsDone() {
 		ctx.APIError(http.StatusBadRequest, "this workflow run is not done")
 		return

tests/integration/api_actions_delete_run_test.go

@@ -18,6 +18,16 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestAPIActionsDeleteRunCheckPermission(t *testing.T) {
+	defer prepareTestEnvActionsArtifacts(t)()
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	session := loginUser(t, user.Name)
+	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+	testAPIActionsDeleteRun(t, repo, token, http.StatusNotFound)
+}
+
 func TestAPIActionsDeleteRun(t *testing.T) {
 	defer prepareTestEnvActionsArtifacts(t)()