authorunknwon <u@gogs.io>2019-08-01 18:36:05 -0700
committerunknwon <u@gogs.io>2019-08-01 18:36:05 -0700
commitc3af3ff1d0484de3bd789ee6c6e47f35d590e945 (patch)
treefccc30a887775fe0518a4a87bd9c63c8f22bc207 /routes/api/v1
parent1592e578ed3ac7190baed6165b093002b931520c (diff)
routes/api: fix permission checks for routes
Reported by @ManassehZhou #5764
Diffstat (limited to 'routes/api/v1')
-rw-r--r--routes/api/v1/api.go19
1 files changed, 14 insertions, 5 deletions
diff --git a/routes/api/v1/api.go b/routes/api/v1/api.go
index 54f7e7ef..7b58b4eb 100644
--- a/routes/api/v1/api.go
+++ b/routes/api/v1/api.go
@@ -112,6 +112,15 @@ func reqRepoWriter() macaron.Handler {
}
}
+func reqRepoAdmin() macaron.Handler {
+ return func(c *context.Context) {
+ if !c.Repo.IsAdmin() {
+ c.Error(http.StatusForbidden)
+ return
+ }
+ }
+}
+
func orgAssignment(args ...bool) macaron.Handler {
var (
assignOrg bool
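Review bot: reqRepoAdmin has no doc comment, and its contract differs from the site-wide reqAdmin it replaces in the later hunks in a way future route authors need to know: it reads c.Repo, so it is only meaningful on routes inside a group that already carries repoAssignment() as a trailing handler (the repository group in this file ends with `}, repoAssignment())`, which presumably is what populates c.Repo — confirm). I would add above the function: `// reqRepoAdmin responds 403 Forbidden unless the current user has admin access to the repository in c.Repo. Unlike reqAdmin (site administrator), it must be chained after repoAssignment(); on its own c.Repo is unset.` A comment in the same style on the neighbouring reqRepoWriter would keep the two helpers consistent; that function's body begins before this hunk, and orgAssignment continues past it.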
@@ -236,12 +245,12 @@ func RegisterRoutes(m *macaron.Macaron) {
Post(bind(api.CreateHookOption{}), repo.CreateHook)
m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook).
Delete(repo.DeleteHook)
- }, reqAdmin())
+ }, reqRepoAdmin())
m.Group("/collaborators", func() {
m.Get("", repo.ListCollaborators)
m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
Delete(repo.DeleteCollaborator)
- }, reqAdmin())
+ }, reqRepoAdmin())
m.Get("/raw/*", context.RepoRef(), repo.GetRawFile)
m.Get("/archive/*", repo.GetArchive)
m.Get("/forks", repo.ListForks)
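Review bot: The reqRepoAdmin() gate on the collaborators group also covers the read-only `ListCollaborators` and `IsCollaborator` routes, which is stricter than the mutating routes alone require and, as far as this diff shows, merely preserves the previous reqAdmin() scope. If that is intended, a one-line comment above the group would stop the next reader from loosening it by accident, e.g. `// Listing collaborators is deliberately admin-only, like hook and deploy-key management.` Without it the asymmetry with `/forks`, which is listable by anyone who passes repoAssignment(), looks like an oversight. RegisterRoutes begins before this hunk and continues after it.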
@@ -260,7 +269,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
m.Combo("/:id").Get(repo.GetDeployKey).
Delete(repo.DeleteDeploykey)
- }, reqAdmin())
+ }, reqRepoAdmin())
m.Group("/issues", func() {
m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue)
m.Group("/comments", func() {
@@ -300,8 +309,8 @@ func RegisterRoutes(m *macaron.Macaron) {
Delete(reqRepoWriter(), repo.DeleteMilestone)
})
- m.Patch("/issue-tracker", bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
- m.Post("/mirror-sync", repo.MirrorSync)
+ m.Patch("/issue-tracker", reqRepoWriter(), bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
+ m.Post("/mirror-sync", reqRepoWriter(), repo.MirrorSync)
m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
}, repoAssignment())
}, reqToken())
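Review bot: `/issue-tracker` and `/mirror-sync` are gated at reqRepoWriter(), while every other repository-settings route fixed in this commit (hooks, collaborators, deploy keys) is gated at reqRepoAdmin(); both of these endpoints change or act on repository settings rather than content, and in the web UI I believe they are reachable only through the admin-only settings page — if that holds, reqRepoAdmin() is the consistent bar: `m.Patch("/issue-tracker", reqRepoAdmin(), bind(api.EditIssueTrackerOption{}), repo.IssueTracker)` and `m.Post("/mirror-sync", reqRepoAdmin(), repo.MirrorSync)`. Confirm against the web routes before tightening, since existing API clients holding write tokens may rely on triggering syncs. RegisterRoutes starts before this hunk and, as far as the hunk shows, ends outside it.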