From 28971c7c156631c6e0fc823360e20d2e4f9be861 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Fri, 1 Oct 2021 10:16:28 +0200
Subject: [PATCH] Check user instead of organization when creating a repo from a template via API (#16346) (#17195)

* Check user instead of organization
* Enforce that only admins can copy a repo to another user

Co-authored-by: Ion Jaureguialzo Sarasola
---
 routers/api/v1/repo/repo.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index b671ef2435..5e0228fdbe 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -374,16 +374,21 @@ func Generate(ctx *context.APIContext) {
 ctxUser := ctx.User
 var err error
 if form.Owner != ctxUser.Name {
- ctxUser, err = models.GetOrgByName(form.Owner)
+ ctxUser, err = models.GetUserByName(form.Owner)
 if err != nil {
- if models.IsErrOrgNotExist(err) {
+ if models.IsErrUserNotExist(err) {
 ctx.JSON(http.StatusNotFound, map[string]interface{}{
- "error": "request owner `" + form.Name + "` is not exist",
+ "error": "request owner `" + form.Owner + "` does not exist",
 })
 return
 }
- ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)
+ ctx.Error(http.StatusInternalServerError, "GetUserByName", err)
+ return
+ }
+
+ if !ctx.User.IsAdmin && !ctxUser.IsOrganization() {
+ ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
 return
 }