From 6f4ba6884c85e5603e7510c0e0d114bc9f86965f Mon Sep 17 00:00:00 2001
From: Ethan Koenig
Date: Thu, 29 Dec 2016 08:17:32 -0500
Subject: Repo permission bug fixes (#513)
---
 routers/api/v1/api.go | 8 +++-----
 routers/api/v1/repo/repo.go | 4 ++++
 2 files changed, 7 insertions(+), 5 deletions(-)
(limited to 'routers')
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index cfba8d7130..547dbceb4e 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -239,7 +239,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Get("", user.IsStarring)
 m.Put("", user.Star)
 m.Delete("", user.Unstar)
- }, context.ExtractOwnerAndRepo())
+ }, repoAssignment())
 })
 m.Get("/subscriptions", user.GetMyWatchedRepos)
@@ -258,11 +258,9 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Group("/repos", func() {
 m.Post("/migrate", bind(auth.MigrateRepoForm{}), repo.Migrate)
- m.Combo("/:username/:reponame", context.ExtractOwnerAndRepo()).
- Get(repo.Get).
- Delete(repo.Delete)
 m.Group("/:username/:reponame", func() {
+ m.Combo("").Get(repo.Get).Delete(repo.Delete)
 m.Group("/hooks", func() {
 m.Combo("").Get(repo.ListHooks).
 Post(bind(api.CreateHookOption{}), repo.CreateHook)
@@ -330,7 +328,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Get("", user.IsWatching)
 m.Put("", user.Watch)
 m.Delete("", user.Unwatch)
- }, context.ExtractOwnerAndRepo())
+ })
 m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
 m.Group("/pulls", func() {
 m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).Post(reqRepoWriter(), bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 35e6554273..fea625fbe7 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
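Review bot: Nothing in this patch tests the permission change made in the first hunk by swapping `context.ExtractOwnerAndRepo()` for `repoAssignment()` on the star routes; the diffstat lists only api.go and repo.go. The same gap covers the watch routes in the third hunk, which drop their own middleware and now depend on the enclosing group, and the repo Get/Delete routes in the second hunk. A table-driven test that calls each of these endpoints as an anonymous user, a reader and an admin against a private repository, and asserts the status codes, would record the intended access matrix and catch a later regrouping that loses the guard. `repoAssignment()` is defined outside the hunk, so what it checks is presumed from the commit subject.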
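Review bot: In the second hunk `m.Combo("").Get(repo.Get).Delete(repo.Delete)` gives the read verb and the destructive verb the same route-level middleware, so the admin requirement for deletion is invisible in the route table and lives only inside the handler. This file already expresses a per-verb requirement inline, `Post(reqRepoWriter(), ...)` in the pulls group of the third hunk; an admin-level guard placed the same way on `Delete(...)` would keep authorization reviewable in one place. Whether such a helper exists in this file is not visible, so at minimum add `// repo.Delete enforces admin access itself` above the Combo line. The group's closing line, and therefore its middleware, is outside the hunk.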
@@ -275,6 +275,10 @@ func GetByID(ctx *context.APIContext) {
 // Delete one repository
 // see https://github.com/gogits/go-gogs-client/wiki/Repositories#delete
 func Delete(ctx *context.APIContext) {
+ if !ctx.Repo.IsAdmin() {
+ ctx.Error(403, "", "Must have admin rights")
+ return
+ }
 owner := ctx.Repo.Owner
 repo := ctx.Repo.Repository
--
cgit v1.2.3
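Review bot: The guard added at the top of `Delete` reads `ctx.Repo`, so it is only as good as the middleware that filled it in, and the doc comment above the function says nothing about that precondition or about the admin requirement. Extend the comment with something like `// Requires admin access to the repository; ctx.Repo must be populated by the route's repo middleware.` As a style point, `ctx.Error(403, "", "Must have admin rights")` passes an empty title and a bare status literal; `http.StatusForbidden` reads better if net/http is imported in this file, which the hunk does not show. The rest of Delete's body is outside the hunk.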