# HG changeset patch # User Mads Kiilerich # Date 1609796753 -3600 # Node ID 7f3515800bd8e693de8383b52adf09254b4fc1e5 # Parent 7643d8ecbb205effd547986878b4e40ce4f83329 api: fix update_repo check for permission to create top level repos The hg.create.repository permission only apply to creation (or renaming) of top level repos - it is not relevant for other kinds of renaming. Moving or renaming repos in other locations is now covered by other checks. diff -r 7643d8ecbb20 -r 7f3515800bd8 kallithea/controllers/api/api.py --- a/kallithea/controllers/api/api.py Sat Jan 02 23:41:37 2021 +0100 +++ b/kallithea/controllers/api/api.py Mon Jan 04 22:45:53 2021 +0100 @@ -1325,10 +1325,10 @@ if not HasRepoPermissionLevel('admin')(repo.repo_name): raise JSONRPCError('repository `%s` does not exist' % (repoid,)) - if (name != repo.repo_name and + if (name != repo.repo_name and repo.group_id is None and not HasPermissionAny('hg.create.repository')() ): - raise JSONRPCError('no permission to create (or move) repositories') + raise JSONRPCError('no permission to create (or move) top level repositories') if not isinstance(owner, Optional): # forbid setting owner for non-admins @@ -1339,7 +1339,7 @@ updates = {} repo_group = group if not isinstance(repo_group, Optional): - repo_group = get_repo_group_or_error(repo_group) + repo_group = get_repo_group_or_error(repo_group) # TODO: repos can thus currently not be moved to root if repo_group.group_id != repo.group_id: if not(HasPermissionAny('hg.admin')() or HasRepoGroupPermissionLevel('write')(repo_group.group_name)): raise JSONRPCError("no permission to create (or move) repo in %s" % repo_group.group_name) diff -r 7643d8ecbb20 -r 7f3515800bd8 kallithea/tests/api/api_base.py --- a/kallithea/tests/api/api_base.py Sat Jan 02 23:41:37 2021 +0100 +++ b/kallithea/tests/api/api_base.py Mon Jan 04 22:45:53 2021 +0100 
@@ -1144,7 +1144,7 @@ finally: fixture.destroy_repo(repo_name) - def test_api_update_repo_regular_user_change_repo_name(self): + def test_api_update_repo_regular_user_change_top_level_repo_name(self): repo_name = 'admin_owned' new_repo_name = 'new_repo_name' fixture.create_repo(repo_name, repo_type=self.REPO_TYPE) @@ -1158,7 +1158,7 @@ repoid=repo_name, **updates) response = api_call(self, params) try: - expected = 'no permission to create (or move) repositories' + expected = 'no permission to create (or move) top level repositories' self._compare_error(id_, expected, given=response.body) finally: fixture.destroy_repo(repo_name)
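Review bot: In the first api.py hunk (@@ -1325), the added `repo.group_id is None` condition tests where the repo currently lives, not where it will end up after the update. The two are equivalent today only because, per the TODO in the following hunk, this call cannot move a repo to the root. Once that TODO is resolved, a move from a group to the top level would bypass the `hg.create.repository` check. Either base the condition on the destination, or add a comment here recording the dependency on that limitation. Separately, for a rename inside a group where `group` is not passed, the only guard visible in these lines is `HasRepoPermissionLevel('admin')`, because the `HasRepoGroupPermissionLevel('write')` check runs only when `repo_group.group_id != repo.group_id`. Please confirm that this is what the commit message means by "other checks".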
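Review bot: In the second api.py hunk (@@ -1339), the limitation is recorded only as a trailing comment on the `get_repo_group_or_error(repo_group)` line, where it is easy to miss and makes the line long. Move the TODO to its own line above the call and state what is missing: there is no value of `group` that means "root", so the destination can never be top level. Since the permission check in the previous hunk relies on that, the TODO should also mention that the `hg.create.repository` check has to be applied to the destination when this is fixed. If the API documentation for update_repo describes `group`, the limitation belongs there as well.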
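Review bot: In the first api_base.py hunk (@@ -1144), the renamed `test_api_update_repo_regular_user_change_top_level_repo_name` still only exercises the denied case for a top level repo (`repo_name = 'admin_owned'`). The behaviour this patch actually changes, a regular user renaming a repo that has a `group_id` without holding `hg.create.repository`, has no test. Add a companion test that creates the repo inside a repo group, performs the rename as the regular user, and asserts the expected outcome, so the relaxed check is pinned down and a later change to the condition cannot silently widen or narrow it.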