update changelog

Signed-off-by: E99p1ant <i@github.red>
database: update access mode validation in ChangeCollaborationAccessMode
2026-05-06 11:46:39 +02:00 · 2026-04-05 23:36:05 +08:00 · 2026-04-05 23:34:51 +08:00
2 changed files with 6 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to Gogs are documented in this file.

 ## 0.15.0+dev (`main`)

+### Fixed
+
+- _Security:_ Repository collaborators with Admin access could escalate their own or others' access mode to Owner via the web UI.
+
 ### Removed

 - The `gogs cert` subcommand. [#8153](https://github.com/gogs/gogs/pull/8153)
--- a/internal/database/repo_collaboration.go
+++ b/internal/database/repo_collaboration.go
@@ -125,8 +125,8 @@ func (r *Repository) GetCollaborators() ([]*Collaborator, error) {

 // ChangeCollaborationAccessMode sets new access mode for the collaboration.
 func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
-	// Discard invalid input
-	if mode <= AccessModeNone || mode > AccessModeOwner {
+	// Collaborators can hold at most Admin access; Owner is reserved for the repository owner.
+	if mode <= AccessModeNone || mode > AccessModeAdmin {
 		return nil
 	}
Author	SHA1	Message	Date
E99p1ant	ac5fe23244	update changelog Signed-off-by: E99p1ant <i@github.red>	2026-04-05 23:36:05 +08:00
E99p1ant	a7550fe27a	database: update access mode validation in `ChangeCollaborationAccessMode` Signed-off-by: E99p1ant <i@github.red>	2026-04-05 23:34:51 +08:00