api: verify owner access to delete repos (#8101)

ᴊᴏᴇ ᴄʜᴇɴ
2026-01-22 22:52:57 -05:00
committed by GitHub
parent 560f92ec5f
commit 27f1250d00


@@ -144,7 +144,7 @@ func reqRepoWriter() macaron.Handler {
}
}
// reqRepoWriter makes sure the context user has at least admin access to the repository.
// reqRepoAdmin makes sure the context user has at least admin access to the repository.
func reqRepoAdmin() macaron.Handler {
return func(c *context.Context) {
if !c.Repo.IsAdmin() {
@@ -154,6 +154,16 @@ func reqRepoAdmin() macaron.Handler {
}
}
// reqRepoOwner makes sure the context user has owner access to the repository.
func reqRepoOwner() macaron.Handler {
return func(c *context.Context) {
if !c.Repo.IsOwner() {
c.Status(http.StatusForbidden)
return
}
}
}
func mustEnableIssues(c *context.APIContext) {
if !c.Repo.Repository.EnableIssues || c.Repo.Repository.EnableExternalTracker {
c.NotFound()
@@ -247,7 +257,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/repos", func() {
m.Post("/migrate", bind(form.MigrateRepo{}), repo.Migrate)
m.Delete("/:username/:reponame", repoAssignment(), repo.Delete)
m.Delete("/:username/:reponame", repoAssignment(), reqRepoOwner(), repo.Delete)
m.Group("/:username/:reponame", func() {
m.Group("/hooks", func() {
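Review bot: The new `reqRepoOwner()` guard on the `DELETE /:username/:reponame` route is only meaningful when it runs after `repoAssignment()`, because it reads `c.Repo.IsOwner()`, and its doc comment does not state that ordering requirement. I would extend the comment to `// reqRepoOwner makes sure the context user has owner access to the repository. It must be chained after repoAssignment(), which is presumably what populates c.Repo.` This route wiring is the only authorization check for repository deletion visible in this section, so a regression test is worth adding: a user with access below owner should get `http.StatusForbidden` from this route, which would stop a later reordering or refactor from silently reopening the hole. No such test is visible here. `RegisterRoutes` continues outside the hunk and `repo.Delete` is not shown, so whether the handler performs its own ownership check cannot be confirmed from this page.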