Repo permission bug fixes (#513)

tokarchuk/v1.17
Ethan Koenig 8 years ago committed by Lunny Xiao
parent ac51caa517
commit 6f4ba6884c
  1. 30
      modules/context/api.go
  2. 8
      routers/api/v1/api.go
  3. 4
      routers/api/v1/repo/repo.go

@ -75,36 +75,6 @@ func APIContexter() macaron.Handler {
}
}
// ExtractOwnerAndRepo returns a handler that populates the `Repo.Owner` and
// `Repo.Repository` fields of an APIContext
func ExtractOwnerAndRepo() macaron.Handler {
return func(ctx *APIContext) {
owner, err := models.GetUserByName(ctx.Params(":username"))
if err != nil {
if models.IsErrUserNotExist(err) {
ctx.Error(422, "", err)
} else {
ctx.Error(500, "GetUserByName", err)
}
return
}
repo, err := models.GetRepositoryByName(owner.ID, ctx.Params(":reponame"))
if err != nil {
if models.IsErrRepoNotExist(err) {
ctx.Status(404)
} else {
ctx.Error(500, "GetRepositoryByName", err)
}
return
}
ctx.Repo.Owner = owner
ctx.Data["Owner"] = owner
ctx.Repo.Repository = repo
ctx.Data["Repository"] = repo
}
}
// ReferencesGitRepo injects the GitRepo into the Context
func ReferencesGitRepo() macaron.Handler {
return func(ctx *APIContext) {

@ -239,7 +239,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Get("", user.IsStarring)
m.Put("", user.Star)
m.Delete("", user.Unstar)
}, context.ExtractOwnerAndRepo())
}, repoAssignment())
})
m.Get("/subscriptions", user.GetMyWatchedRepos)
@ -258,11 +258,9 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/repos", func() {
m.Post("/migrate", bind(auth.MigrateRepoForm{}), repo.Migrate)
m.Combo("/:username/:reponame", context.ExtractOwnerAndRepo()).
Get(repo.Get).
Delete(repo.Delete)
m.Group("/:username/:reponame", func() {
m.Combo("").Get(repo.Get).Delete(repo.Delete)
m.Group("/hooks", func() {
m.Combo("").Get(repo.ListHooks).
Post(bind(api.CreateHookOption{}), repo.CreateHook)
@ -330,7 +328,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Get("", user.IsWatching)
m.Put("", user.Watch)
m.Delete("", user.Unwatch)
}, context.ExtractOwnerAndRepo())
})
m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
m.Group("/pulls", func() {
m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).Post(reqRepoWriter(), bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

@ -275,6 +275,10 @@ func GetByID(ctx *context.APIContext) {
// Delete one repository
// see https://github.com/gogits/go-gogs-client/wiki/Repositories#delete
func Delete(ctx *context.APIContext) {
if !ctx.Repo.IsAdmin() {
ctx.Error(403, "", "Must have admin rights")
return
}
owner := ctx.Repo.Owner
repo := ctx.Repo.Repository

Loading…
Cancel
Save