Fix bug that collaborators are able to modify settings of repository

Unknown 2014-07-04 01:23:11 -04:00
parent 465dc962b5
commit cdffdeddc9
3 changed files with 29 additions and 23 deletions


@ -47,22 +47,23 @@ type Context struct {
csrfToken string
Repo struct {
IsOwner bool
IsWatching bool
IsBranch bool
IsTag bool
IsCommit bool
HasAccess bool
Repository *models.Repository
Owner *models.User
Commit *git.Commit
Tag *git.Tag
GitRepo *git.Repository
BranchName string
TagName string
CommitId string
RepoLink string
CloneLink struct {
IsOwner bool
IsTrueOwner bool
IsWatching bool
IsBranch bool
IsTag bool
IsCommit bool
HasAccess bool
Repository *models.Repository
Owner *models.User
Commit *git.Commit
Tag *git.Tag
GitRepo *git.Repository
BranchName string
TagName string
CommitId string
RepoLink string
CloneLink struct {
SSH string
HTTPS string
Git string
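Review bot: The struct now carries two ownership flags, `IsOwner` and `IsTrueOwner`, with no comment telling them apart, and a handler that gates on the wrong one would reintroduce the privilege problem this commit fixes. Judging by the commit title and the middleware change, `IsOwner` appears to also be true for collaborators, while `IsTrueOwner` is set only for the owning user or an organization owner-team member. I would add field comments such as `IsOwner bool // write-level access; presumably includes collaborators` and `IsTrueOwner bool // owning user or org owner-team member; gate settings on this`. The Context struct starts and ends outside this hunk.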


@ -35,9 +35,8 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
}
var (
user *models.User
err error
isTrueOwner bool
user *models.User
err error
)
userName := params["username"]
@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Handle(500, "RepoAssignment(HasAccess)", err)
return
}
isTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
}
if !isTrueOwner {
if !ctx.Repo.IsTrueOwner {
user, err = models.GetUserByName(userName)
if err != nil {
if err == models.ErrUserNotExist {
@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
}
ctx.Repo.Owner = user
// Organization owner team members are true owners as well.
if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
ctx.Repo.IsTrueOwner = true
}
// get repository
repo, err := models.GetRepositoryByName(user.Id, repoName)
if err != nil {
@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
ctx.Data["Owner"] = user
ctx.Data["RepoLink"] = ctx.Repo.RepoLink
ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
ctx.Data["BranchName"] = ""
if setting.SshPort != 22 {
@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
func RequireOwner() martini.Handler {
return func(ctx *Context) {
if !ctx.Repo.IsOwner {
if !ctx.Repo.IsTrueOwner {
if !ctx.IsSigned {
ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
ctx.Redirect("/user/login")
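Review bot: The added organization check calls `ctx.Repo.Owner.IsOrgOwner(ctx.User.Id)` with no sign-in guard visible in the hunk, so if it sits outside the signed-in branch that closes just above `if !ctx.Repo.IsTrueOwner`, an anonymous request to an organization-owned repository would dereference a nil `ctx.User`. RequireOwner still tests `ctx.IsSigned`, which suggests unsigned requests do pass through this handler. I would write the condition as `if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {`. RepoAssignment's body starts and ends outside the hunks shown, so the surrounding guard should be confirmed against the full file.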


@ -35,7 +35,7 @@
<li><a href="#">Pulse</a></li>
<li><a href="#">Network</a></li>
</ul>
</li> -->{{end}}{{if .IsRepositoryOwner}}
</li> -->{{end}}{{if .IsRepositoryTrueOwner}}
<li class="{{if .IsRepoToolbarSetting}}active{{end}}"><a href="{{.RepoLink}}/settings">Settings</a>
</li>{{end}}
</ul>
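Review bot: The `{{if .IsRepositoryTrueOwner}}` condition only controls whether the Settings link is rendered; it is presentation, not access control. The actual restriction depends on RequireOwner() being attached to every handler under `{{.RepoLink}}/settings`, including the form POST handlers. Route registration is not part of this commit page, so that coverage should be confirmed separately.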