Mercurial > kallithea
diff docs/api/api.rst @ 7296:caa482f8fb5f
repos: only allow api repo creation in existing groups
Fix problem with '../something' paths being allowed; '..' will always exist and
can't be created.
This also introduces a small API change: Repository groups must now exist before
repositories can be created. This makes the API more explicit and simpler.
This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 29 May 2018 12:25:41 +0200 |
parents | 19bc05bd8cf7 |
children | b3289fef0daa |
--- a/docs/api/api.rst Tue May 29 12:25:40 2018 +0200 +++ b/docs/api/api.rst Tue May 29 12:25:41 2018 +0200 @@ -796,10 +796,12 @@ create_repo ^^^^^^^^^^^ -Create a repository. If the repository name contains "/", all needed repository -groups will be created. For example "foo/bar/baz" will create repository groups -"foo", "bar" (with "foo" as parent), and create "baz" repository with -"bar" as group. +Create a repository. If the repository name contains "/", the repository will be +created in the repository group indicated by that path. Any such repository +groups need to exist before calling this method, or the call will fail. +For example "foo/bar/baz" will create a repository "baz" inside the repository +group "bar" which itself is in a repository group "foo", but both "foo" and +"bar" already need to exist before calling this method. This command can only be executed using the api_key of a user with admin rights, or that of a regular user with create repository permission. Regular users cannot specify owner parameter.
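Review bot: In the rewritten create_repo paragraph, "or the call will fail" does not say how the call fails, so a client cannot tell a missing repository group from any other error; the paragraph should state what the API returns in that case. Since the commit message describes this as an API change, the text should also note that missing groups were previously created automatically, so callers that relied on that know "foo" and "bar" must be created first. The '../something' case from the commit message is not reflected in the documentation; one sentence saying that every path component before the last "/" must name an existing repository group would cover it.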