From 6f4ba6884c85e5603e7510c0e0d114bc9f86965f Mon Sep 17 00:00:00 2001 From: Ethan Koenig Date: Thu, 29 Dec 2016 08:17:32 -0500 Subject: [PATCH] Repo permission bug fixes (#513) --- modules/context/api.go | 30 ------------------------------ routers/api/v1/api.go | 8 +++----- routers/api/v1/repo/repo.go | 4 ++++ 3 files changed, 7 insertions(+), 35 deletions(-) diff --git a/modules/context/api.go b/modules/context/api.go index 7a3ff990b6..725a3461aa 100644 --- a/modules/context/api.go +++ b/modules/context/api.go @@ -75,36 +75,6 @@ func APIContexter() macaron.Handler { } } -// ExtractOwnerAndRepo returns a handler that populates the `Repo.Owner` and -// `Repo.Repository` fields of an APIContext -func ExtractOwnerAndRepo() macaron.Handler { - return func(ctx *APIContext) { - owner, err := models.GetUserByName(ctx.Params(":username")) - if err != nil { - if models.IsErrUserNotExist(err) { - ctx.Error(422, "", err) - } else { - ctx.Error(500, "GetUserByName", err) - } - return - } - - repo, err := models.GetRepositoryByName(owner.ID, ctx.Params(":reponame")) - if err != nil { - if models.IsErrRepoNotExist(err) { - ctx.Status(404) - } else { - ctx.Error(500, "GetRepositoryByName", err) - } - return - } - ctx.Repo.Owner = owner - ctx.Data["Owner"] = owner - ctx.Repo.Repository = repo - ctx.Data["Repository"] = repo - } -} - // ReferencesGitRepo injects the GitRepo into the Context func ReferencesGitRepo() macaron.Handler { return func(ctx *APIContext) { diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index cfba8d7130..547dbceb4e 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -239,7 +239,7 @@ func RegisterRoutes(m *macaron.Macaron) { m.Get("", user.IsStarring) m.Put("", user.Star) m.Delete("", user.Unstar) - }, context.ExtractOwnerAndRepo()) + }, repoAssignment()) }) m.Get("/subscriptions", user.GetMyWatchedRepos) @@ -258,11 +258,9 @@ func RegisterRoutes(m *macaron.Macaron) { m.Group("/repos", func() { m.Post("/migrate", bind(auth.MigrateRepoForm{}), repo.Migrate) - m.Combo("/:username/:reponame", context.ExtractOwnerAndRepo()). - Get(repo.Get). - Delete(repo.Delete) m.Group("/:username/:reponame", func() { + m.Combo("").Get(repo.Get).Delete(repo.Delete) m.Group("/hooks", func() { m.Combo("").Get(repo.ListHooks). Post(bind(api.CreateHookOption{}), repo.CreateHook) @@ -330,7 +328,7 @@ func RegisterRoutes(m *macaron.Macaron) { m.Get("", user.IsWatching) m.Put("", user.Watch) m.Delete("", user.Unwatch) - }, context.ExtractOwnerAndRepo()) + }) m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig) m.Group("/pulls", func() { m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).Post(reqRepoWriter(), bind(api.CreatePullRequestOption{}), repo.CreatePullRequest) diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index 35e6554273..fea625fbe7 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -275,6 +275,10 @@ func GetByID(ctx *context.APIContext) { // Delete one repository // see https://github.com/gogits/go-gogs-client/wiki/Repositories#delete func Delete(ctx *context.APIContext) { + if !ctx.Repo.IsAdmin() { + ctx.Error(403, "", "Must have admin rights") + return + } owner := ctx.Repo.Owner repo := ctx.Repo.Repository