Mercurial > kallithea
comparison docs/api/api.rst @ 7296:caa482f8fb5f
repos: only allow api repo creation in existing groups
Fix problem with '../something' paths being allowed; '..' will always exist and
can't be created.
This also introduces a small API change: Repository groups must now exist before
repositories can be created. This makes the API more explicit and simpler.
This issue was found and reported by Kacper Szurek (https://security.szurek.pl/).
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 29 May 2018 12:25:41 +0200 |
parents | 19bc05bd8cf7 |
children | b3289fef0daa |
7295:d314edb04d11 | 7296:caa482f8fb5f |
---|---|
794 error: null | 794 error: null |
795 | 795 |
796 create_repo | 796 create_repo |
797 ^^^^^^^^^^^ | 797 ^^^^^^^^^^^ |
798 | 798 |
799 Create a repository. If the repository name contains "/", all needed repository | 799 Create a repository. If the repository name contains "/", the repository will be |
800 groups will be created. For example "foo/bar/baz" will create repository groups | 800 created in the repository group indicated by that path. Any such repository |
801 "foo", "bar" (with "foo" as parent), and create "baz" repository with | 801 groups need to exist before calling this method, or the call will fail. |
802 "bar" as group. | 802 For example "foo/bar/baz" will create a repository "baz" inside the repository |
803 group "bar" which itself is in a repository group "foo", but both "foo" and | |
804 "bar" already need to exist before calling this method. | |
803 This command can only be executed using the api_key of a user with admin rights, | 805 This command can only be executed using the api_key of a user with admin rights, |
804 or that of a regular user with create repository permission. | 806 or that of a regular user with create repository permission. |
805 Regular users cannot specify owner parameter. | 807 Regular users cannot specify owner parameter. |
806 | 808 |
807 INPUT:: | 809 INPUT:: |
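
Review bot: The new create_repo description (new lines 799-804) says the call "will fail" when a repository group in the path does not exist, but it does not say what the caller gets back or how to get the groups in place first. Clients that relied on the old implicit group creation will hit this, so the text should say what the error response looks like and point to the API method for creating repository groups. The requirement is also stated twice ("need to exist before calling this method" and "already need to exist before calling this method"); one statement plus the "foo/bar/baz" example would be enough. Since the commit message gives '../something' paths as the reason for the change, a sentence on how a ".." path component is handled would make the documented contract match the fix.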