# HG changeset patch # User Mads Kiilerich # Date 1436228759 -7200 # Node ID 0b7b52bfaf5dcfa5db2d3fd850f72cd911eac424 # Parent 6620542597d36b4a3977cda971957da8d7f0b583 api: make update_repo check permissions to check owner like create_repo does Close loophole for reassigning repository owners. Test by Thomas De Schampheleire. diff -r 6620542597d3 -r 0b7b52bfaf5d kallithea/controllers/api/api.py --- a/kallithea/controllers/api/api.py Tue Jul 07 02:25:59 2015 +0200 +++ b/kallithea/controllers/api/api.py Tue Jul 07 02:25:59 2015 +0200 @@ -1561,6 +1561,12 @@ ): raise JSONRPCError('no permission to create (or move) repositories') + if not isinstance(owner, Optional): + #forbid setting owner for non-admins + raise JSONRPCError( + 'Only Kallithea admin can specify `owner` param' + ) + updates = { # update function requires this. 'repo_name': repo.repo_name diff -r 6620542597d3 -r 0b7b52bfaf5d kallithea/tests/api/api_base.py --- a/kallithea/tests/api/api_base.py Tue Jul 07 02:25:59 2015 +0200 +++ b/kallithea/tests/api/api_base.py Tue Jul 07 02:25:59 2015 +0200 @@ -1221,6 +1221,22 @@ fixture.destroy_repo(repo_name) fixture.destroy_repo(new_repo_name) + def test_api_update_repo_regular_user_change_owner(self): + repo_name = 'admin_owned' + fixture.create_repo(repo_name, repo_type=self.REPO_TYPE) + RepoModel().grant_user_permission(repo=repo_name, + user=self.TEST_USER_LOGIN, + perm='repository.admin') + updates = {'owner': TEST_USER_ADMIN_LOGIN} + id_, params = _build_data(self.apikey_regular, 'update_repo', + repoid=repo_name, **updates) + response = api_call(self, params) + try: + expected = 'Only Kallithea admin can specify `owner` param' + self._compare_error(id_, expected, given=response.body) + finally: + fixture.destroy_repo(repo_name) + def test_api_delete_repo(self): repo_name = 'api_delete_me' fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
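Review bot: the new `isinstance(owner, Optional)` check in the api.py hunk should be confirmed to sit inside the non-admin branch that the preceding `raise JSONRPCError('no permission to create (or move) repositories')` belongs to; the enclosing conditional is outside the shown context, and if the check is at the outer level it would also reject an admin passing `owner`, contradicting the message `'Only Kallithea admin can specify `owner` param'`. Minor style point: the comment `#forbid setting owner for non-admins` should read `# forbid setting owner for non-admins` (space after `#`, per PEP 8).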
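Review bot: `test_api_update_repo_regular_user_change_owner` in the api_base.py hunk only checks the error string; it should also assert, inside the `try` block before the `finally`, that the repository's owner is unchanged after the rejected call, since that is the loophole being closed. A positive counterpart using the admin apikey, showing that `owner` can still be set by an admin, would complete the coverage of the new branch.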