Prevent DeleteUser API abuse (#10125)

* fix & co * word suggestions from @jolheiser
author: 6543 <6543@obermui.de> 2020-02-03 17:46:33 +0100
committer: GitHub <noreply@github.com> 2020-02-03 18:46:33 +0200
commit: ea50f60df231ba75c32d03118e0c8af17c325324 (patch)
tree: 4dffef4d291ce6090e12d441a264860ab24cbbe2 /routers/api/v1/admin
parent: 29151b90c62d4f997a5503c3e0d42468f404a73c (diff)
download: gitea-ea50f60df231ba75c32d03118e0c8af17c325324.tar.gz
gitea-ea50f60df231ba75c32d03118e0c8af17c325324.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 28acc062cb..0fbb9cdfe2 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -7,6 +7,7 @@ package admin
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -227,6 +228,11 @@ func DeleteUser(ctx *context.APIContext) {
 		return
 	}
 
+	if u.IsOrganization() {
+		ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", u.Name))
+		return
+	}
+
 	if err := models.DeleteUser(u); err != nil {
 		if models.IsErrUserOwnRepos(err) ||
 			models.IsErrUserHasOrgs(err) {
author	6543 <6543@obermui.de>	2020-02-03 17:46:33 +0100
committer	GitHub <noreply@github.com>	2020-02-03 18:46:33 +0200
commit	ea50f60df231ba75c32d03118e0c8af17c325324 (patch)
tree	4dffef4d291ce6090e12d441a264860ab24cbbe2 /routers/api/v1/admin
parent	29151b90c62d4f997a5503c3e0d42468f404a73c (diff)
download	gitea-ea50f60df231ba75c32d03118e0c8af17c325324.tar.gz gitea-ea50f60df231ba75c32d03118e0c8af17c325324.zip