diff options
| author | Lauris BH <lauris@nix.lv> | 2018-07-05 01:45:15 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-07-05 01:45:15 +0300 |
| commit | 4a8ee0b5ccbdc75bab29836a54db4e7af7b7ff3f (patch) | |
| tree | ae7807472db7d6b4691a5cbfea6626dcf7af02d0 /routers/api/v1 | |
| parent | b46066f17c79b4b4196a61e710120d874af6ee5a (diff) | |
| download | gitea-4a8ee0b5ccbdc75bab29836a54db4e7af7b7ff3f.tar.gz gitea-4a8ee0b5ccbdc75bab29836a54db4e7af7b7ff3f.zip | |
Check that repositories can only be migrated to own user or organizations (#4366)
* Repositories can only migrated to own user or organizations
* Add check for organization that user does not belong to
* Allow admin to migrate repositories for other users
Diffstat (limited to 'routers/api/v1')
| -rw-r--r-- | routers/api/v1/repo/repo.go | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index ccfe0440c8..c6c5d4aec3 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -306,16 +306,23 @@ func Migrate(ctx *context.APIContext, form auth.MigrateRepoForm) { return } - if ctxUser.IsOrganization() && !ctx.User.IsAdmin { - // Check ownership of organization. - isOwner, err := ctxUser.IsOwnedBy(ctx.User.ID) - if err != nil { - ctx.Error(500, "IsOwnedBy", err) - return - } else if !isOwner { - ctx.Error(403, "", "Given user is not owner of organization.") + if !ctx.User.IsAdmin { + if !ctxUser.IsOrganization() && ctx.User.ID != ctxUser.ID { + ctx.Error(403, "", "Given user is not an organization.") return } + + if ctxUser.IsOrganization() { + // Check ownership of organization. + isOwner, err := ctxUser.IsOwnedBy(ctx.User.ID) + if err != nil { + ctx.Error(500, "IsOwnedBy", err) + return + } else if !isOwner { + ctx.Error(403, "", "Given user is not owner of organization.") + return + } + } } remoteAddr, err := form.ParseRemoteAddr(ctx.User) |