Mercurial > kallithea
comparison docs/api/api.rst @ 7314:083fbf531a5d stable
repos: only allow api repo creation in existing groups
Fix problem with '../something' paths being allowed; '..' will always exist and
can't be created.
This also introduces a small API change: Repository groups must now exist before
repositories can be created. This makes the API more explicit and simpler.
This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 29 May 2018 12:25:41 +0200 |
parents | 12b47803189f |
children | b3289fef0daa |
7313:eeb8ddecaee2 | 7314:083fbf531a5d |
---|---|
748 error: null | 748 error: null |
749 | 749 |
750 create_repo | 750 create_repo |
751 ----------- | 751 ----------- |
752 | 752 |
753 Create a repository. If the repository name contains "/", all needed repository | 753 Create a repository. If the repository name contains "/", the repository will be |
754 groups will be created. For example "foo/bar/baz" will create repository groups | 754 created in the repository group indicated by that path. Any such repository |
755 "foo", "bar" (with "foo" as parent), and create "baz" repository with | 755 groups need to exist before calling this method, or the call will fail. |
756 "bar" as group. | 756 For example "foo/bar/baz" will create a repository "baz" inside the repository |
757 group "bar" which itself is in a repository group "foo", but both "foo" and | |
758 "bar" already need to exist before calling this method. | |
757 This command can only be executed using the api_key of a user with admin rights, | 759 This command can only be executed using the api_key of a user with admin rights, |
758 or that of a regular user with create repository permission. | 760 or that of a regular user with create repository permission. |
759 Regular users cannot specify owner parameter. | 761 Regular users cannot specify owner parameter. |
760 | 762 |
761 INPUT:: | 763 INPUT:: |
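Review bot: the new paragraph at lines 753-758 says the call "will fail" when a group in the path is missing, but it does not say what the caller gets back, so a client cannot tell this failure apart from a permission or naming error; describe the returned error next to that sentence. The commit message calls this an API change, yet the text gives no hint that earlier versions created "foo" and "bar" implicitly, so a short note on the changed behaviour and a pointer to the call that creates repository groups would help callers whose scripts relied on auto-creation. The requirement is also stated twice ("Any such repository groups need to exist before calling this method" and "both "foo" and "bar" already need to exist"); one statement plus the example is enough. Finally, the '../something' case that motivated the change is not mentioned here: state how a ".." component in the repository name is handled, since that is the security-relevant part of the fix.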