Check user instead of organization when creating a repo from a template via API #16346

Merged
ijaureguialzo merged 4 commits from api_generate_repo into main 2021-07-15 18:19:40 +00:00
ijaureguialzo commented 2021-07-05 22:41:13 +00:00 (Migrated from github.com)

API documentation for the repos/generate action implemented in #15958 says for the owner parameter: The organization or person who will own the new repository.

Current code only checks whether the destination owner is an organization, and an error is given if trying to copy a template to another user.

Checking for user instead of organization allows for both targets.
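The authorization decision this PR and its review discuss, written out as an added, self-contained Go example (not code from this PR or from Gitea itself): `Account`, `RepoCreators` and `CanGenerateInto` are hypothetical names standing in for the real user/organization model and the org-level "can create repository" permission, and the sample accounts are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Account is a hypothetical, simplified stand-in for a Gitea user or
// organization (assumption: not Gitea's own model type).
type Account struct {
	ID      int64
	Name    string
	IsAdmin bool // site administrator
	IsOrg   bool // organization rather than a person
	// Organizations only: member IDs allowed to create repositories in it
	// (stands in for an org-level create-repo permission check).
	RepoCreators map[int64]bool
}

// ErrForbidden is returned when a non-admin targets another person's account.
var ErrForbidden = errors.New("forbidden: only an admin can generate a repository for another user")

// CanGenerateInto decides whether actor may generate a repository from a
// template into owner's namespace. The order of checks follows the thread:
//  1. a site admin may target anyone;
//  2. an actor may always target their own account;
//  3. an organization target requires the org's create-repo permission;
//  4. another person's account is rejected with 403-style error.
func CanGenerateInto(actor, owner *Account) error {
	if actor.IsAdmin {
		return nil
	}
	if owner.ID == actor.ID {
		return nil
	}
	if owner.IsOrg {
		if owner.RepoCreators[actor.ID] { // nil map lookup is safely false
			return nil
		}
		return fmt.Errorf("forbidden: %s cannot create repositories in organization %s", actor.Name, owner.Name)
	}
	return ErrForbidden
}

func main() {
	// Constructed sample accounts for a quick run.
	alice := &Account{ID: 1, Name: "alice"}
	bob := &Account{ID: 2, Name: "bob"}
	root := &Account{ID: 3, Name: "root", IsAdmin: true}
	acme := &Account{ID: 10, Name: "acme", IsOrg: true, RepoCreators: map[int64]bool{alice.ID: true}}

	for _, c := range []struct{ actor, owner *Account }{
		{alice, alice}, {alice, acme}, {bob, acme}, {alice, bob}, {root, bob},
	} {
		fmt.Printf("%s -> %s: %v\n", c.actor.Name, c.owner.Name, CanGenerateInto(c.actor, c.owner))
	}
}
```

The self-account check comes before the organization branch so that a non-admin is never refused their own namespace, which is the case a guard of the form "non-admin and target is not an organization" can accidentally reject if the self case is not handled first.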

zeripath requested changes 2021-07-13 19:11:05 +00:00
zeripath left a comment
Contributor

Use SUDO instead.

zeripath approved these changes 2021-07-14 20:02:58 +00:00
a1012112796 (Migrated from github.com) reviewed 2021-07-15 01:28:31 +00:00
a1012112796 (Migrated from github.com) left a comment
index 9c534a194..5e0228fdb 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -387,6 +387,11 @@ func Generate(ctx *context.APIContext) {
                        return
                }
 
+               if !ctx.User.IsAdmin && !ctxUser.IsOrganization() {
+                       ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
+                       return
+               }
+
                if !ctx.User.IsAdmin {
                        canCreate, err := ctxUser.CanCreateOrgRepo(ctx.User.ID)
                        if err != nil {
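Review bot: the new guard rejects every non-admin whose target `ctxUser` is not an organization, so a non-admin generating into their own account is also rejected unless the `form.Owner == ctx.User` case is short-circuited before this hunk; that short-circuit is outside the visible context, so confirm it exists or include `ctxUser.ID != ctx.User.ID` in the condition. Placing the check ahead of `CanCreateOrgRepo` is right, since that call only makes sense for an organization target. Minor: the message "Only admin can generate repository for other user." reads better as "Only an admin can generate a repository for another user."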

My suggestion about permission check.

6543 (Migrated from github.com) approved these changes 2021-07-15 10:53:31 +00:00
a1012112796 (Migrated from github.com) approved these changes 2021-07-15 10:58:31 +00:00
Reference: lunny/gitea#16346