Repo permission bug fixes (#513)

ethantkoenig · lunny · commit 6f4ba6884c85 · 2016-12-29T21:17:32.000+08:00
diff --git a/modules/context/api.go b/modules/context/api.go
@@ -75,36 +75,6 @@ func APIContexter() macaron.Handler {
 	}
 }
 
-// ExtractOwnerAndRepo returns a handler that populates the `Repo.Owner` and
-// `Repo.Repository` fields of an APIContext
-func ExtractOwnerAndRepo() macaron.Handler {
-	return func(ctx *APIContext) {
-		owner, err := models.GetUserByName(ctx.Params(":username"))
-		if err != nil {
-			if models.IsErrUserNotExist(err) {
-				ctx.Error(422, "", err)
-			} else {
-				ctx.Error(500, "GetUserByName", err)
-			}
-			return
-		}
-
-		repo, err := models.GetRepositoryByName(owner.ID, ctx.Params(":reponame"))
-		if err != nil {
-			if models.IsErrRepoNotExist(err) {
-				ctx.Status(404)
-			} else {
-				ctx.Error(500, "GetRepositoryByName", err)
-			}
-			return
-		}
-		ctx.Repo.Owner = owner
-		ctx.Data["Owner"] = owner
-		ctx.Repo.Repository = repo
-		ctx.Data["Repository"] = repo
-	}
-}
-
 // ReferencesGitRepo injects the GitRepo into the Context
 func ReferencesGitRepo() macaron.Handler {
 	return func(ctx *APIContext) {
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -239,7 +239,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 					m.Get("", user.IsStarring)
 					m.Put("", user.Star)
 					m.Delete("", user.Unstar)
-				}, context.ExtractOwnerAndRepo())
+				}, repoAssignment())
 			})
 
 			m.Get("/subscriptions", user.GetMyWatchedRepos)
@@ -258,11 +258,9 @@ func RegisterRoutes(m *macaron.Macaron) {
 
 		m.Group("/repos", func() {
 			m.Post("/migrate", bind(auth.MigrateRepoForm{}), repo.Migrate)
-			m.Combo("/:username/:reponame", context.ExtractOwnerAndRepo()).
-				Get(repo.Get).
-				Delete(repo.Delete)
 
 			m.Group("/:username/:reponame", func() {
+				m.Combo("").Get(repo.Get).Delete(repo.Delete)
 				m.Group("/hooks", func() {
 					m.Combo("").Get(repo.ListHooks).
 						Post(bind(api.CreateHookOption{}), repo.CreateHook)
@@ -330,7 +328,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 					m.Get("", user.IsWatching)
 					m.Put("", user.Watch)
 					m.Delete("", user.Unwatch)
-				}, context.ExtractOwnerAndRepo())
+				})
 				m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
 				m.Group("/pulls", func() {
 					m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).Post(reqRepoWriter(), bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
@@ -275,6 +275,10 @@ func GetByID(ctx *context.APIContext) {
 // Delete one repository
 // see https://github.com/gogits/go-gogs-client/wiki/Repositories#delete
 func Delete(ctx *context.APIContext) {
+	if !ctx.Repo.IsAdmin() {
+		ctx.Error(403, "", "Must have admin rights")
+		return
+	}
 	owner := ctx.Repo.Owner
 	repo := ctx.Repo.Repository
 
