From 12cd28ec2db9fe33ac7ed2db209a8316475ac5ef Mon Sep 17 00:00:00 2001
From: Ion Jaureguialzo Sarasola
Date: Tue, 6 Jul 2021 00:04:43 +0200
Subject: [PATCH 1/2] Check user instead of organization

---
 routers/api/v1/repo/repo.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 5d397191a6138..5dd9943db05ca 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -374,16 +374,16 @@ func Generate(ctx *context.APIContext) {
 ctxUser := ctx.User
 var err error
 if form.Owner != ctxUser.Name {
- ctxUser, err = models.GetOrgByName(form.Owner)
+ ctxUser, err = models.GetUserByName(form.Owner)
 if err != nil {
- if models.IsErrOrgNotExist(err) {
+ if models.IsErrUserNotExist(err) {
 ctx.JSON(http.StatusNotFound, map[string]interface{}{
- "error": "request owner `" + form.Name + "` is not exist",
+ "error": "request owner `" + form.Owner + "` does not exist",
 })
 return
 }
- ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)
+ ctx.Error(http.StatusInternalServerError, "GetUserByName", err)
 return
 }

From 99bbd9986159241cbc23d1bc0a8534f6cacb9b0d Mon Sep 17 00:00:00 2001
From: Ion Jaureguialzo Sarasola
Date: Thu, 15 Jul 2021 12:21:40 +0200
Subject: [PATCH 2/2] Enforce that only admins can copy a repo to another user

---
 routers/api/v1/repo/repo.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 9c534a1948ad8..5e0228fdbefa6 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -387,6 +387,11 @@ func Generate(ctx *context.APIContext) {
 return
 }

+ if !ctx.User.IsAdmin && !ctxUser.IsOrganization() {
+ ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
+ return
+ }
+
 if !ctx.User.IsAdmin {
 canCreate, err := ctxUser.CanCreateOrgRepo(ctx.User.ID)
 if err != nil {
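Review bot: After `ctxUser, err = models.GetUserByName(form.Owner)` the variable can hold an arbitrary user account rather than only an organization, so the name `ctxUser` no longer says what it is and the authorization that follows (the `CanCreateOrgRepo` check, outside this hunk) was written with organizations in mind; the second patch in this series adds the guard for the non-organization case, so the two commits should travel together when cherry-picked or backported. A comment at the top of the block would make the contract explicit, e.g. `// ctxUser is the owner the repository is generated into; it differs from ctx.User when form.Owner names another user or an organization.` The not-found response is still built by hand as a `map[string]interface{}` while the server-error path goes through `ctx.Error`; if the other handlers in this package report not-found through `ctx.Error`/`ctx.NotFound`, this branch could follow the same convention. Generate's body starts and ends outside the hunk.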
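Review bot: The new guard and the existing `if !ctx.User.IsAdmin {` block directly below it test the same admin flag twice, so the non-admin policy is now split across two statements; folding the organization check into that block states the rule in one place. The rule itself depends on the guard sitting inside the `form.Owner != ctxUser.Name` branch whose opening line and closing brace are outside this hunk — if it were ever hoisted out, a non-admin generating into their own namespace would be refused with 403, which is worth a comment so a later refactor does not move it. The message `"Only admin can generate repository for other user."` would read more naturally as `"only admins can generate repositories for other users"`, if that matches the phrasing of the package's other API errors. Generate's body starts and ends outside the hunk.
```go
	if !ctx.User.IsAdmin {
		// Non-admins may generate only into their own namespace (handled by the
		// enclosing owner check) or into an organization they can create repos in.
		if !ctxUser.IsOrganization() {
			ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
			return
		}
		canCreate, err := ctxUser.CanCreateOrgRepo(ctx.User.ID)
		// … unchanged: canCreate / err handling …
```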