author | zeripath <art27@cantab.net> | 2020-08-16 21:27:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-16 16:27:08 -0400 |
commit | d1e67d7adefeff79c9aa5128c09eb53bd6e473a9 (patch) | |
tree | adbc4f54953bc2f50802638efcd14e8e3d4be1fa /routers | |
parent | f50364a5b04cd42587d09075c3787b3f2486db19 (diff) | |
Fix bug preventing transfer to private organization (#12497)
* Fix bug preventing transfer to private organization
The code assessing whether a private organization was visible to a user before
allowing transfer was incorrect due to testing membership the wrong way round.
This PR fixes this issue and renames the function performing the test to be
clearer.
Further looking at the API for transfer repository - no testing was
performed to ensure that the acting user could actually see the new
owning organization.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* change IsUserPartOfOrg everywhere
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/repo/transfer.go | 11 | ||||
-rw-r--r-- | routers/repo/setting.go | 2 |
2 files changed, 11 insertions, 2 deletions
diff --git a/routers/api/v1/repo/transfer.go b/routers/api/v1/repo/transfer.go
index 847028d106..b1271b7721 100644
--- a/routers/api/v1/repo/transfer.go
+++ b/routers/api/v1/repo/transfer.go
@@ -12,6 +12,7 @@ import (
 "code.gitea.io/gitea/modules/context"
 "code.gitea.io/gitea/modules/convert"
 "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/structs"
 api "code.gitea.io/gitea/modules/structs"
 repo_service "code.gitea.io/gitea/services/repository"
 )
@@ -53,13 +54,21 @@ func Transfer(ctx *context.APIContext, opts api.TransferRepoOption) {
 newOwner, err := models.GetUserByName(opts.NewOwner)
 if err != nil {
 if models.IsErrUserNotExist(err) {
- ctx.Error(http.StatusNotFound, "GetUserByName", err)
+ ctx.Error(http.StatusNotFound, "", "The new owner does not exist or cannot be found")
 return
 }
 ctx.InternalServerError(err)
 return
 }

+ if newOwner.Type == models.UserTypeOrganization {
+ if !ctx.User.IsAdmin && newOwner.Visibility == structs.VisibleTypePrivate && !newOwner.HasMemberWithUserID(ctx.User.ID) {
+ // The user shouldn't know about this organization
+ ctx.Error(http.StatusNotFound, "", "The new owner does not exist or cannot be found")
+ return
+ }
+ }
+
 var teams []*models.Team
 if opts.TeamIDs != nil {
 if !newOwner.IsOrganization() {
diff --git a/routers/repo/setting.go b/routers/repo/setting.go
index 02331c232b..e03bf556be 100644
--- a/routers/repo/setting.go
+++ b/routers/repo/setting.go
@@ -418,7 +418,7 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 }

 if newOwner.Type == models.UserTypeOrganization {
- if !ctx.User.IsAdmin && newOwner.Visibility == structs.VisibleTypePrivate && !ctx.User.IsUserPartOfOrg(newOwner.ID) {
+ if !ctx.User.IsAdmin && newOwner.Visibility == structs.VisibleTypePrivate && !newOwner.HasMemberWithUserID(ctx.User.ID) {
 // The user shouldn't know about this organization
 ctx.RenderWithErr(ctx.Tr("form.enterred_invalid_owner_name"), tplSettingsOptions, nil)
 return |
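Review bot: The added import pulls in `code.gitea.io/gitea/modules/structs` a second time, because the line right after it already imports the same path under the alias `api`. Go accepts this, but the file then refers to one package by two names. The new check in Transfer could read `newOwner.Visibility == api.VisibleTypePrivate` and the extra import line could be dropped.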
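Review bot: The 404 returned for a private organization hides the organization only while its body matches the not-found branch a few lines above, and the two are separate copies of the same string literal. If one copy is edited later, the differing responses would disclose which private organization names exist. Declaring the text once, e.g. `const ownerNotFound = "The new owner does not exist or cannot be found"` (name constructed here), and passing it to both `ctx.Error` calls would keep them aligned, and the comment could state the reason: `// Respond exactly as for a missing owner so the existence of a private organization is not disclosed`. The same visibility condition is repeated in the routers/repo/setting.go hunk, so a single shared helper would keep the API and web routes from diverging again. Transfer's body continues outside the hunk.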