Do not allow organisation owners add themselves as collaborator (#20043)

We're already checking for repo owners, but we also need to check for organisation owners that try to add themselves as collaborator Closes #17966
author: Wim <wim@42.be> 2022-09-28 01:25:40 +0200
committer: GitHub <noreply@github.com> 2022-09-28 01:25:40 +0200
commit: 889a41c6a834debafc16cb76abade0fdc8c2bd5b (patch)
tree: 7972567fdefe30c1ed6feb06c37a4dfccc6516c5 /routers/web/repo
parent: dabc06d13b02fec3887dbf4f7f2f4eeb44efcf89 (diff)
download: gitea-889a41c6a834debafc16cb76abade0fdc8c2bd5b.tar.gz
gitea-889a41c6a834debafc16cb76abade0fdc8c2bd5b.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index 267940c8d2..e7abec0d3e 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -917,6 +917,19 @@ func CollaborationPost(ctx *context.Context) {
 		return
 	}
 
+	// find the owner team of the organization the repo belongs too and
+	// check if the user we're trying to add is an owner.
+	if ctx.Repo.Repository.Owner.IsOrganization() {
+		if isOwner, err := organization.IsOrganizationOwner(ctx, ctx.Repo.Repository.Owner.ID, u.ID); err != nil {
+			ctx.ServerError("IsOrganizationOwner", err)
+			return
+		} else if isOwner {
+			ctx.Flash.Error(ctx.Tr("repo.settings.add_collaborator_owner"))
+			ctx.Redirect(setting.AppSubURL + ctx.Req.URL.EscapedPath())
+			return
+		}
+	}
+
 	if err = repo_module.AddCollaborator(ctx.Repo.Repository, u); err != nil {
 		ctx.ServerError("AddCollaborator", err)
 		return
author	Wim <wim@42.be>	2022-09-28 01:25:40 +0200
committer	GitHub <noreply@github.com>	2022-09-28 01:25:40 +0200
commit	889a41c6a834debafc16cb76abade0fdc8c2bd5b (patch)
tree	7972567fdefe30c1ed6feb06c37a4dfccc6516c5 /routers/web/repo
parent	dabc06d13b02fec3887dbf4f7f2f4eeb44efcf89 (diff)
download	gitea-889a41c6a834debafc16cb76abade0fdc8c2bd5b.tar.gz gitea-889a41c6a834debafc16cb76abade0fdc8c2bd5b.zip