authorUnknown <joe2010xtmf@163.com>2014-07-04 01:23:11 -0400
committerUnknown <joe2010xtmf@163.com>2014-07-04 01:23:11 -0400
commitcdffdeddc90a69e88fab92487ff5ccf90eb47c08 (patch)
tree13669ab33280da25770d648c3775ae74fe8bcf58 /modules
parent465dc962b5e1febdfc988419d4d03e98f777019f (diff)
Fix bug that collaborators are able to modify settings of repository
Diffstat (limited to 'modules')
-rw-r--r--modules/middleware/context.go33
-rw-r--r--modules/middleware/repo.go17
2 files changed, 28 insertions, 22 deletions
diff --git a/modules/middleware/context.go b/modules/middleware/context.go
index 8e7ac4209e..c641449a87 100644
--- a/modules/middleware/context.go
+++ b/modules/middleware/context.go
@@ -47,22 +47,23 @@ type Context struct {
csrfToken string
Repo struct {
- IsOwner bool
- IsWatching bool
- IsBranch bool
- IsTag bool
- IsCommit bool
- HasAccess bool
- Repository *models.Repository
- Owner *models.User
- Commit *git.Commit
- Tag *git.Tag
- GitRepo *git.Repository
- BranchName string
- TagName string
- CommitId string
- RepoLink string
- CloneLink struct {
+ IsOwner bool
+ IsTrueOwner bool
+ IsWatching bool
+ IsBranch bool
+ IsTag bool
+ IsCommit bool
+ HasAccess bool
+ Repository *models.Repository
+ Owner *models.User
+ Commit *git.Commit
+ Tag *git.Tag
+ GitRepo *git.Repository
+ BranchName string
+ TagName string
+ CommitId string
+ RepoLink string
+ CloneLink struct {
SSH string
HTTPS string
Git string
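Review bot: `IsOwner` and `IsTrueOwner` now sit side by side in `Repo` with no comment saying which one an authorization check should use, and the names alone do not make the difference clear. Judging from the commit title and the `RequireOwner` change in repo.go, `IsOwner` appears to be true for collaborators as well, so I would add `// IsOwner is also true for collaborators with write access; do not use it to gate repository settings.` above `IsOwner` and `// IsTrueOwner is true only for the repository owner or a member of the organization's owner team.` above `IsTrueOwner`. The struct begins and ends outside this hunk, so the exact semantics of `IsOwner` should be confirmed against the `HasAccess` call in `RepoAssignment`.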
diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go
index 7ba211c71f..1cfae0b771 100644
--- a/modules/middleware/repo.go
+++ b/modules/middleware/repo.go
@@ -35,9 +35,8 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
}
var (
- user *models.User
- err error
- isTrueOwner bool
+ user *models.User
+ err error
)
userName := params["username"]
@@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Handle(500, "RepoAssignment(HasAccess)", err)
return
}
- isTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
+ ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
}
- if !isTrueOwner {
+ if !ctx.Repo.IsTrueOwner {
user, err = models.GetUserByName(userName)
if err != nil {
if err == models.ErrUserNotExist {
@@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
}
ctx.Repo.Owner = user
+ // Organization owner team members are true owners as well.
+ if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
+ ctx.Repo.IsTrueOwner = true
+ }
+
// get repository
repo, err := models.GetRepositoryByName(user.Id, repoName)
if err != nil {
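Review bot: The added organization check calls `ctx.Repo.Owner.IsOrgOwner(ctx.User.Id)` without first confirming that a user is signed in. The earlier `ctx.Repo.IsTrueOwner = ctx.User.LowerName == ...` assignment sits inside a block whose condition is outside the visible hunks, and `RequireOwner` tests `ctx.IsSigned`, which suggests `ctx.User` can be unset for anonymous requests. If that is the case, an anonymous request for an organization-owned repository would dereference a nil `ctx.User` here and fail the request instead of simply leaving `IsTrueOwner` false. I would guard it with `if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {`. The body of `RepoAssignment` starts and ends outside this hunk.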
@@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Data["Owner"] = user
ctx.Data["RepoLink"] = ctx.Repo.RepoLink
ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
+ ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
ctx.Data["BranchName"] = ""
if setting.SshPort != 22 {
@@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
func RequireOwner() martini.Handler {
return func(ctx *Context) {
- if !ctx.Repo.IsOwner {
+ if !ctx.Repo.IsTrueOwner {
if !ctx.IsSigned {
ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
ctx.Redirect("/user/login")