From cdffdeddc90a69e88fab92487ff5ccf90eb47c08 Mon Sep 17 00:00:00 2001
From: Unknown
Date: Fri, 4 Jul 2014 01:23:11 -0400
Subject: [PATCH] Fix bug that collaborators are able to modify settings of repository
---
 modules/middleware/context.go | 33 +++++++++++++++++----------------
 modules/middleware/repo.go | 17 +++++++++++------
 templates/repo/toolbar.tmpl | 2 +-
 3 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/modules/middleware/context.go b/modules/middleware/context.go
index 8e7ac4209e5e..c641449a872f 100644
--- a/modules/middleware/context.go
+++ b/modules/middleware/context.go
@@ -47,22 +47,23 @@ type Context struct {
 csrfToken string
 Repo struct {
- IsOwner bool
- IsWatching bool
- IsBranch bool
- IsTag bool
- IsCommit bool
- HasAccess bool
- Repository *models.Repository
- Owner *models.User
- Commit *git.Commit
- Tag *git.Tag
- GitRepo *git.Repository
- BranchName string
- TagName string
- CommitId string
- RepoLink string
- CloneLink struct {
+ IsOwner bool
+ IsTrueOwner bool
+ IsWatching bool
+ IsBranch bool
+ IsTag bool
+ IsCommit bool
+ HasAccess bool
+ Repository *models.Repository
+ Owner *models.User
+ Commit *git.Commit
+ Tag *git.Tag
+ GitRepo *git.Repository
+ BranchName string
+ TagName string
+ CommitId string
+ RepoLink string
+ CloneLink struct {
 SSH string
 HTTPS string
 Git string
diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go
index 7ba211c71f8e..1cfae0b77170 100644
--- a/modules/middleware/repo.go
+++ b/modules/middleware/repo.go
@@ -35,9 +35,8 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 }
 var (
- user *models.User
- err error
- isTrueOwner bool
+ user *models.User
+ err error
 )
 userName := params["username"]
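Review bot: The new `IsTrueOwner` field in the `Context.Repo` struct (context.go hunk) sits beside `IsOwner` with nothing that says how the two differ, and that difference is the whole access-control fix. Going by the commit subject, `IsOwner` can apparently also be true for collaborators, so a handler that checks the wrong flag would reopen the settings bypass. I would add a comment on each field, for example `// IsOwner: owner-level access to the repository, collaborators included` and `// IsTrueOwner: the owning user or an organization owner; required for repository settings`. The struct continues outside the hunk.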
@@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 ctx.Handle(500, "RepoAssignment(HasAccess)", err)
 return
 }
- isTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
+ ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
 }
- if !isTrueOwner {
+ if !ctx.Repo.IsTrueOwner {
 user, err = models.GetUserByName(userName)
 if err != nil {
 if err == models.ErrUserNotExist {
@@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 }
 ctx.Repo.Owner = user
+ // Organization owner team members are true owners as well.
+ if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
+ ctx.Repo.IsTrueOwner = true
+ }
+
 // get repository
 repo, err := models.GetRepositoryByName(user.Id, repoName)
 if err != nil {
@@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 ctx.Data["Owner"] = user
 ctx.Data["RepoLink"] = ctx.Repo.RepoLink
 ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
+ ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
 ctx.Data["BranchName"] = ""
 if setting.SshPort != 22 {
@@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 func RequireOwner() martini.Handler {
 return func(ctx *Context) {
- if !ctx.Repo.IsOwner {
+ if !ctx.Repo.IsTrueOwner {
 if !ctx.IsSigned {
 ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
 ctx.Redirect("/user/login")
diff --git a/templates/repo/toolbar.tmpl b/templates/repo/toolbar.tmpl
index e2652ee82994..6357b3c4c0e8 100644
--- a/templates/repo/toolbar.tmpl
+++ b/templates/repo/toolbar.tmpl
@@ -35,7 +35,7 @@
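Review bot: The organization check added in the `@@ -82,6 +81,11 @@` hunk reads `ctx.User.Id` with no sign-in guard, whereas the earlier assignment to `ctx.Repo.IsTrueOwner` in the `@@ -52,10 +51,10 @@` hunk sits inside a block that closes just before `if !ctx.Repo.IsTrueOwner {`, which looks like the signed-in branch. If `ctx.User` is nil for anonymous visitors (not visible here), an unauthenticated request for any organization-owned repository would panic in this middleware. Guarding the condition avoids that and keeps the flag false for anonymous requests: `if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {`. RepoAssignment starts and ends outside the hunk.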
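Review bot: `RequireOwner` in the `@@ -257,7 +262,7 @@` hunk now enforces a stricter rule than its name or any comment states, and it is the only server-side gate in this patch; the toolbar template change merely hides the Settings link. A doc comment would make the contract explicit, for example `// RequireOwner rejects the request unless ctx.Repo.IsTrueOwner is set; collaborators are refused.` In the visible hunks `IsTrueOwner` is only set in `RepoAssignment`, so a route that mounts `RequireOwner` without that middleware sees the zero value and is refused, which is worth stating in the same comment. The patch touches no test file; a regression test that a collaborator's request to a `RequireOwner`-guarded route is refused would pin the fix. The function body continues outside the hunk.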
  • Pulse
  • Network
  • - -->{{end}}{{if .IsRepositoryOwner}} + -->{{end}}{{if .IsRepositoryTrueOwner}}
  • Settings
  • {{end}}