routes/api: add missing permission checks for routes

Permission check not enforced for deploy keys, collaborators, and hooks. Reported by @ManassehZhou #5764
author: unknwon <u@gogs.io> 2019-08-01 18:26:05 -0700
committer: unknwon <u@gogs.io> 2019-08-01 18:26:05 -0700
commit: 1592e578ed3ac7190baed6165b093002b931520c (patch)
tree: 519ab25462bcf0d24a80d5ea547ef9e7df0ccec7 /routes/api/v1
parent: e640683c97eec7f6452c24cce0e9bcff28ba0387 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/routes/api/v1/api.go b/routes/api/v1/api.go
index d73f57f3..54f7e7ef 100644
--- a/routes/api/v1/api.go
+++ b/routes/api/v1/api.go
@@ -236,12 +236,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 						Post(bind(api.CreateHookOption{}), repo.CreateHook)
 					m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook).
 						Delete(repo.DeleteHook)
-				})
+				}, reqAdmin())
 				m.Group("/collaborators", func() {
 					m.Get("", repo.ListCollaborators)
 					m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
 						Delete(repo.DeleteCollaborator)
-				})
+				}, reqAdmin())
 				m.Get("/raw/*", context.RepoRef(), repo.GetRawFile)
 				m.Get("/archive/*", repo.GetArchive)
 				m.Get("/forks", repo.ListForks)
@@ -260,7 +260,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
 					m.Combo("/:id").Get(repo.GetDeployKey).
 						Delete(repo.DeleteDeploykey)
-				})
+				}, reqAdmin())
 				m.Group("/issues", func() {
 					m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue)
 					m.Group("/comments", func() {
author	unknwon <u@gogs.io>	2019-08-01 18:26:05 -0700
committer	unknwon <u@gogs.io>	2019-08-01 18:26:05 -0700
commit	1592e578ed3ac7190baed6165b093002b931520c (patch)
tree	519ab25462bcf0d24a80d5ea547ef9e7df0ccec7 /routes/api/v1
parent	e640683c97eec7f6452c24cce0e9bcff28ba0387 (diff)