rdelaage
/
gitea
mirror of https://github.com/go-gitea/gitea.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix bug that collaborators are able to modify settings of repository

This commit is contained in:
Unknown 2014-07-04 01:23:11 -04:00
parent 465dc962b5
commit cdffdeddc9
3 changed files with 29 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
modules/middleware/context.go
View File

@ -47,22 +47,23 @@ type Context struct {
csrfToken string csrfToken string
Repo struct { Repo struct {
IsOwner bool IsOwner bool
IsWatching bool IsTrueOwner bool
IsBranch bool IsWatching bool
IsTag bool IsBranch bool
IsCommit bool IsTag bool
HasAccess bool IsCommit bool
Repository *models.Repository HasAccess bool
Owner *models.User Repository *models.Repository
Commit *git.Commit Owner *models.User
Tag *git.Tag Commit *git.Commit
GitRepo *git.Repository Tag *git.Tag
BranchName string GitRepo *git.Repository
TagName string BranchName string
CommitId string TagName string
RepoLink string CommitId string
CloneLink struct { RepoLink string
CloneLink struct {
SSH string SSH string
HTTPS string HTTPS string
Git string Git string

17
modules/middleware/repo.go
View File

@ -35,9 +35,8 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
} }
var ( var (
user *models.User user *models.User
err error err error
isTrueOwner bool
) )
userName := params["username"] userName := params["username"]
@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Handle(500, "RepoAssignment(HasAccess)", err) ctx.Handle(500, "RepoAssignment(HasAccess)", err)
return return
} }
isTrueOwner = ctx.User.LowerName == strings.ToLower(userName) ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
} }
if !isTrueOwner { if !ctx.Repo.IsTrueOwner {
user, err = models.GetUserByName(userName) user, err = models.GetUserByName(userName)
if err != nil { if err != nil {
if err == models.ErrUserNotExist { if err == models.ErrUserNotExist {
@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
} }
ctx.Repo.Owner = user ctx.Repo.Owner = user
// Organization owner team members are true owners as well.
if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
ctx.Repo.IsTrueOwner = true
}
// get repository // get repository
repo, err := models.GetRepositoryByName(user.Id, repoName) repo, err := models.GetRepositoryByName(user.Id, repoName)
if err != nil { if err != nil {
@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Data["Owner"] = user ctx.Data["Owner"] = user
ctx.Data["RepoLink"] = ctx.Repo.RepoLink ctx.Data["RepoLink"] = ctx.Repo.RepoLink
ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
ctx.Data["BranchName"] = "" ctx.Data["BranchName"] = ""
if setting.SshPort != 22 { if setting.SshPort != 22 {
@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
func RequireOwner() martini.Handler { func RequireOwner() martini.Handler {
return func(ctx *Context) { return func(ctx *Context) {
if !ctx.Repo.IsOwner { if !ctx.Repo.IsTrueOwner {
if !ctx.IsSigned { if !ctx.IsSigned {
ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI)) ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
ctx.Redirect("/user/login") ctx.Redirect("/user/login")

2
templates/repo/toolbar.tmpl
View File

@ -35,7 +35,7 @@
<li><a href="#">Pulse</a></li> <li><a href="#">Pulse</a></li>
<li><a href="#">Network</a></li> <li><a href="#">Network</a></li>
</ul> </ul>
</li> -->{{end}}{{if .IsRepositoryOwner}} </li> -->{{end}}{{if .IsRepositoryTrueOwner}}
<li class="{{if .IsRepoToolbarSetting}}active{{end}}"><a href="{{.RepoLink}}/settings">Settings</a> <li class="{{if .IsRepoToolbarSetting}}active{{end}}"><a href="{{.RepoLink}}/settings">Settings</a>
</li>{{end}} </li>{{end}}
</ul> </ul>