From 0129e76ef5bdd6af30207ce7d99bdbe70c108d18 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Mon, 3 Feb 2020 18:44:06 +0100
Subject: [PATCH] Prevent DeleteUser API abuse (#10125) (#10128)

* fix & co

* word suggestions from @jolheiser
---
 routers/api/v1/admin/user.go | 6 ++++++
 routers/org/setting.go       | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 7387037d33..6df8ad9393 100644
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -7,6 +7,7 @@ package admin
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -226,6 +227,11 @@ func DeleteUser(ctx *context.APIContext) {
 		return
 	}
 
+	if u.IsOrganization() {
+		ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", u.Name))
+		return
+	}
+
 	if err := models.DeleteUser(u); err != nil {
 		if models.IsErrUserOwnRepos(err) ||
 			models.IsErrUserHasOrgs(err) {
diff --git a/routers/org/setting.go b/routers/org/setting.go
index 0aeefb50af..74fa4a7afb 100644
--- a/routers/org/setting.go
+++ b/routers/org/setting.go
@@ -115,7 +115,7 @@ func SettingsDeleteAvatar(ctx *context.Context) {
 	ctx.Redirect(ctx.Org.OrgLink + "/settings")
 }
 
-// SettingsDelete response for delete repository
+// SettingsDelete response for deleting an organization
 func SettingsDelete(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("org.settings")
 	ctx.Data["PageIsSettingsDelete"] = true