Merge pull request #1728 from Bugagazavr/permissions-fix

Disallow to deactivate repo without admin permissions
2024-06-13 10:59:37 +00:00 · 2016-07-21 16:59:39 -07:00 · 2016-07-21 16:59:39 -07:00 · 182aebf236
parent 2240ac354c 041fab56b9
commit 182aebf236
2 changed files with 19 additions and 2 deletions
--- a/router/middleware/session/user.go
+++ b/router/middleware/session/user.go
@ -85,6 +85,23 @@ func MustAdmin() gin.HandlerFunc {
 	}
 }

+func MustRepoAdmin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		user := User(c)
+		perm := Perm(c)
+		switch {
+		case user == nil:
+			c.String(401, "User not authorized")
+			c.Abort()
+		case perm.Admin == false:
+			c.String(403, "User not authorized")
+			c.Abort()
+		default:
+			c.Next()
+		}
+	}
+}
+
 func MustUser() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		user := User(c)
--- a/router/router.go
+++ b/router/router.go
@ -84,8 +84,8 @@ func Load(middleware ...gin.HandlerFunc) http.Handler {

 			// requires push permissions
 			repo.PATCH("", session.MustPush, server.PatchRepo)
-			repo.DELETE("", session.MustPush, server.DeleteRepo)
-			repo.POST("/chown", session.MustPush, server.ChownRepo)
+			repo.DELETE("", session.MustRepoAdmin(), server.DeleteRepo)
+			repo.POST("/chown", session.MustRepoAdmin(), server.ChownRepo)

 			repo.POST("/builds/:number", session.MustPush, server.PostBuild)
 			repo.DELETE("/builds/:number/:job", session.MustPush, server.DeleteBuild)