From 961a79e8f9f2b3190ea804bcf635e4b43b123272 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Thu, 22 Jan 2026 22:52:57 -0500
Subject: [PATCH] api: verify owner access to delete repos (#8101)

---
internal/route/api/v1/api.go | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/internal/route/api/v1/api.go b/internal/route/api/v1/api.go
index 79d346fe6..ae9b2969f 100644
--- a/internal/route/api/v1/api.go
+++ b/internal/route/api/v1/api.go
@@ -148,7 +148,7 @@ func reqRepoWriter() macaron.Handler {
}
}
-// reqRepoWriter makes sure the context user has at least admin access to the repository.
+// reqRepoAdmin makes sure the context user has at least admin access to the repository.
func reqRepoAdmin() macaron.Handler {
return func(c *context.Context) {
if !c.Repo.IsAdmin() {
@@ -158,6 +158,16 @@ func reqRepoAdmin() macaron.Handler {
}
}
+// reqRepoOwner makes sure the context user has owner access to the repository.
+func reqRepoOwner() macaron.Handler {
+ return func(c *context.Context) {
+ if !c.Repo.IsOwner() {
+ c.Status(http.StatusForbidden)
+ return
+ }
+ }
+}
+
func mustEnableIssues(c *context.APIContext) {
if !c.Repo.Repository.EnableIssues || c.Repo.Repository.EnableExternalTracker {
c.NotFound()
@@ -250,7 +260,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/repos", func() {
m.Post("/migrate", bind(form.MigrateRepo{}), repo.Migrate)
- m.Delete("/:username/:reponame", repoAssignment(), repo.Delete)
+ m.Delete("/:username/:reponame", repoAssignment(), reqRepoOwner(), repo.Delete)
m.Group("/:username/:reponame", func() {
m.Group("/hooks", func() {
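Review bot: The new `reqRepoOwner` middleware gates `DELETE /repos/:username/:reponame` on `c.Repo.IsOwner()`, and this hunk does not show whether that predicate is true for owners of an organization that owns the repository or only when the context user is the owner account itself; if it is the latter, org-owned repositories become undeletable through the API (a spurious 403), and if it is looser than intended the authorization gap from #8101 is not fully closed, so the `IsOwner` implementation should be confirmed and a route test added for both a user-owned and an org-owned repository. The handler, like `reqRepoAdmin` above it, presumably relies on `c.Status` marking the response as written so that macaron stops the chain before `repo.Delete` runs; that assumption is worth pinning with a test asserting the repository still exists after a forbidden request, since a wrong assumption here would set 403 and still delete. The doc comment could also record the deliberate exclusion of repository admins, e.g. `// reqRepoOwner makes sure the context user owns the repository; unlike reqRepoAdmin, repository admin access is not sufficient, since deletion is reserved for the owner.`, adjusted to match what `IsOwner` actually checks.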