fix users being able bypass limits with repo transfers

TheFox0x7 · TheFox0x7 · commit 3d1c79d05a32 · 2025-03-26T22:23:21.000+01:00
diff --git a/routers/api/v1/repo/transfer.go b/routers/api/v1/repo/transfer.go
@@ -68,6 +68,10 @@ func Transfer(ctx *context.APIContext) {
 		return
 	}
 
+	if !newOwner.CanCreateRepo() {
+		ctx.APIError(http.StatusForbidden, "The new owner cannot have more repositories")
+	}
+
 	if newOwner.Type == user_model.UserTypeOrganization {
 		if !ctx.Doer.IsAdmin && newOwner.Visibility == api.VisibleTypePrivate && !organization.OrgFromUser(newOwner).HasMemberWithUserID(ctx, ctx.Doer.ID) {
 			// The user shouldn't know about this organization
diff --git a/routers/web/repo/setting/setting.go b/routers/web/repo/setting/setting.go
@@ -779,6 +779,12 @@ func SettingsPost(ctx *context.Context) {
 			return
 		}
 
+		if !newOwner.CanCreateRepo() {
+			limit := util.Iif(newOwner.MaxRepoCreation != -1, newOwner.MaxRepoCreation, setting.Repository.MaxCreationLimit)
+			ctx.RenderWithErr(ctx.TrN(limit, "repo.form.reach_limit_of_creation_1", "repo.form.reach_limit_of_creation_n", limit), tplSettingsOptions, nil)
+			return
+		}
+
 		if newOwner.Type == user_model.UserTypeOrganization {
 			if !ctx.Doer.IsAdmin && newOwner.Visibility == structs.VisibleTypePrivate && !organization.OrgFromUser(newOwner).HasMemberWithUserID(ctx, ctx.Doer.ID) {
 				// The user shouldn't know about this organization
