From 155caa8e0a72227f165410ad2e88da846eae537a Mon Sep 17 00:00:00 2001 From: Lauris BH Date: Thu, 5 Jul 2018 02:18:06 +0300 Subject: [PATCH] Check that repositories can only be migrated to own user or organizations (#4366) (#4370) * Repositories can only migrated to own user or organizations * Add check for organization that user does not belong to * Allow admin to migrate repositories for other users --- integrations/api_repo_test.go | 27 +++++++++++++++++++++++++++ routers/api/v1/repo/repo.go | 23 +++++++++++++++-------- 2 files changed, 42 insertions(+), 8 deletions(-) diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go index 12429c88a..c789cc9ee 100644 --- a/integrations/api_repo_test.go +++ b/integrations/api_repo_test.go @@ -235,3 +235,30 @@ func TestAPIGetRepoByIDUnauthorized(t *testing.T) { req := NewRequestf(t, "GET", "/api/v1/repositories/2") sess.MakeRequest(t, req, http.StatusNotFound) } + +func TestAPIRepoMigrate(t *testing.T) { + testCases := []struct { + ctxUserID, userID int64 + cloneURL, repoName string + expectedStatus int + }{ + {ctxUserID: 1, userID: 2, cloneURL: "https://github.com/go-gitea/git.git", repoName: "git-admin", expectedStatus: http.StatusCreated}, + {ctxUserID: 2, userID: 2, cloneURL: "https://github.com/go-gitea/git.git", repoName: "git-own", expectedStatus: http.StatusCreated}, + {ctxUserID: 2, userID: 1, cloneURL: "https://github.com/go-gitea/git.git", repoName: "git-bad", expectedStatus: http.StatusForbidden}, + {ctxUserID: 2, userID: 3, cloneURL: "https://github.com/go-gitea/git.git", repoName: "git-org", expectedStatus: http.StatusCreated}, + {ctxUserID: 2, userID: 6, cloneURL: "https://github.com/go-gitea/git.git", repoName: "git-bad-org", expectedStatus: http.StatusForbidden}, + } + + prepareTestEnv(t) + for _, testCase := range testCases { + user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User) + session := loginUser(t, user.Name) + + req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOption{ + CloneAddr: testCase.cloneURL, + UID: int(testCase.userID), + RepoName: testCase.repoName, + }) + session.MakeRequest(t, req, testCase.expectedStatus) + } +} diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index ccfe0440c..c6c5d4aec 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -306,16 +306,23 @@ func Migrate(ctx *context.APIContext, form auth.MigrateRepoForm) { return } - if ctxUser.IsOrganization() && !ctx.User.IsAdmin { - // Check ownership of organization. - isOwner, err := ctxUser.IsOwnedBy(ctx.User.ID) - if err != nil { - ctx.Error(500, "IsOwnedBy", err) - return - } else if !isOwner { - ctx.Error(403, "", "Given user is not owner of organization.") + if !ctx.User.IsAdmin { + if !ctxUser.IsOrganization() && ctx.User.ID != ctxUser.ID { + ctx.Error(403, "", "Given user is not an organization.") return } + + if ctxUser.IsOrganization() { + // Check ownership of organization. + isOwner, err := ctxUser.IsOwnedBy(ctx.User.ID) + if err != nil { + ctx.Error(500, "IsOwnedBy", err) + return + } else if !isOwner { + ctx.Error(403, "", "Given user is not owner of organization.") + return + } + } } remoteAddr, err := form.ParseRemoteAddr(ctx.User)