Fix bug that collaborators are able to modify settings of repository
parent
465dc962b5
commit
cdffdeddc9
3 changed files with 29 additions and 23 deletions
|
@ -48,6 +48,7 @@ type Context struct {
|
|||
|
||||
Repo struct {
|
||||
IsOwner bool
|
||||
IsTrueOwner bool
|
||||
IsWatching bool
|
||||
IsBranch bool
|
||||
IsTag bool
|
||||
|
|
|
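Review bot: `IsOwner` and `IsTrueOwner` now sit side by side in `Context.Repo` with no comment to tell them apart, and choosing the wrong one in an access check is the mistake this commit corrects. Going by the commit title and the `RequireOwner` change, `IsOwner` appears to be true for collaborators as well, while `IsTrueOwner` is meant for the account owner and organization owner-team members. Once the author confirms that reading, I would add field comments along the lines of `IsOwner bool // write access; includes collaborators` and `IsTrueOwner bool // repository owner or org owner-team member; gate settings on this`. The struct continues outside the hunk.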
@ -37,7 +37,6 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
|
|||
var (
|
||||
user *models.User
|
||||
err error
|
||||
isTrueOwner bool
|
||||
)
|
||||
|
||||
userName := params["username"]
|
||||
|
@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
|
|||
ctx.Handle(500, "RepoAssignment(HasAccess)", err)
|
||||
return
|
||||
}
|
||||
isTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
|
||||
ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
|
||||
}
|
||||
|
||||
if !isTrueOwner {
|
||||
if !ctx.Repo.IsTrueOwner {
|
||||
user, err = models.GetUserByName(userName)
|
||||
if err != nil {
|
||||
if err == models.ErrUserNotExist {
|
||||
|
@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
|
|||
}
|
||||
ctx.Repo.Owner = user
|
||||
|
||||
// Organization owner team members are true owners as well.
|
||||
if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
|
||||
ctx.Repo.IsTrueOwner = true
|
||||
}
|
||||
|
||||
// get repository
|
||||
repo, err := models.GetRepositoryByName(user.Id, repoName)
|
||||
if err != nil {
|
||||
|
@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
|
|||
ctx.Data["Owner"] = user
|
||||
ctx.Data["RepoLink"] = ctx.Repo.RepoLink
|
||||
ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
|
||||
ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
|
||||
ctx.Data["BranchName"] = ""
|
||||
|
||||
if setting.SshPort != 22 {
|
||||
|
@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
|
|||
|
||||
func RequireOwner() martini.Handler {
|
||||
return func(ctx *Context) {
|
||||
if !ctx.Repo.IsOwner {
|
||||
if !ctx.Repo.IsTrueOwner {
|
||||
if !ctx.IsSigned {
|
||||
ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
|
||||
ctx.Redirect("/user/login")
|
||||
|
|
|
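Review bot: The added organization check `ctx.Repo.Owner.IsOrgOwner(ctx.User.Id)` dereferences `ctx.User` with no sign-in guard visible in the hunk, whereas the earlier `ctx.Repo.IsTrueOwner = ...` assignment sits inside a block that closes right after it, and `RequireOwner` shows that unsigned requests do reach these handlers. If `ctx.User` is nil for anonymous visitors (not visible here, so this needs confirming), an unauthenticated request for an organization-owned repository would panic in this middleware. Guarding the condition avoids that: `if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {`. `RequireOwner` now enforces `IsTrueOwner`, so a doc comment stating that collaborators are rejected would keep later route changes from assuming the old meaning. `RepoAssignment` starts and ends outside these hunks.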
@ -35,7 +35,7 @@
|
|||
<li><a href="#">Pulse</a></li>
|
||||
<li><a href="#">Network</a></li>
|
||||
</ul>
|
||||
</li> -->{{end}}{{if .IsRepositoryOwner}}
|
||||
</li> -->{{end}}{{if .IsRepositoryTrueOwner}}
|
||||
<li class="{{if .IsRepoToolbarSetting}}active{{end}}"><a href="{{.RepoLink}}/settings">Settings</a>
|
||||
</li>{{end}}
|
||||
</ul>
|
||||
|
|
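Review bot: The `{{if .IsRepositoryTrueOwner}}` condition only hides the Settings link; the page at `{{.RepoLink}}/settings` is protected by whatever the route's middleware enforces, not by this template. The route registrations are not part of this commit, so it is worth confirming that every settings route, including the form POST handlers, is wrapped in `RequireOwner()`. A short template comment such as `{{/* display only; access is enforced by RequireOwner */}}` would record that for the next editor.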