Merge pull request #1728 from Bugagazavr/permissions-fix

Disallow to deactivate repo without admin permissions
Brad Rydzewski 2016-07-21 16:59:39 -07:00 committed by GitHub
commit 182aebf236
2 changed files with 19 additions and 2 deletions


@ -85,6 +85,23 @@ func MustAdmin() gin.HandlerFunc {
}
}
func MustRepoAdmin() gin.HandlerFunc {
return func(c *gin.Context) {
user := User(c)
perm := Perm(c)
switch {
case user == nil:
c.String(401, "User not authorized")
c.Abort()
case perm.Admin == false:
c.String(403, "User not authorized")
c.Abort()
default:
c.Next()
}
}
}
func MustUser() gin.HandlerFunc {
return func(c *gin.Context) {
user := User(c)
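Review bot: In MustRepoAdmin the `perm.Admin == false` case dereferences the result of `Perm(c)` without a nil check, so if Perm can return nil (its body is not shown here, for instance when the permission-loading middleware did not run for a route) the handler panics instead of denying the request. Writing the case as `case perm == nil || !perm.Admin:` makes the guard fail closed and drops the comparison against `false`. The 401 and 403 branches send the same text, "User not authorized", so a client cannot tell a missing login from missing rights except by status code; a separate 403 message would help. The exported function also has no doc comment; something like `// MustRepoAdmin returns middleware that aborts with 401 when no user is logged in and with 403 when the user lacks admin permission on the repository.` would do. The MustUser body that follows continues outside the hunk.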


@ -84,8 +84,8 @@ func Load(middleware ...gin.HandlerFunc) http.Handler {
// requires push permissions
repo.PATCH("", session.MustPush, server.PatchRepo)
repo.DELETE("", session.MustPush, server.DeleteRepo)
repo.POST("/chown", session.MustPush, server.ChownRepo)
repo.DELETE("", session.MustRepoAdmin(), server.DeleteRepo)
repo.POST("/chown", session.MustRepoAdmin(), server.ChownRepo)
repo.POST("/builds/:number", session.MustPush, server.PostBuild)
repo.DELETE("/builds/:number/:job", session.MustPush, server.DeleteBuild)
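Review bot: The `// requires push permissions` comment above this group no longer describes the DELETE and `/chown` routes, which now go through `session.MustRepoAdmin()`. A second comment such as `// requires repo admin permissions` above those two lines would keep each route's authorization level readable. `repo.PATCH("", session.MustPush, server.PatchRepo)` stays on the push-level guard, and PatchRepo is not visible here, so it is worth confirming that none of the settings it can change need admin rights. A route-level test asserting that a push-only user receives 403 on DELETE and `/chown` would pin the new behaviour. Load's body starts and ends outside the hunk.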