changeset 8514:7f3515800bd8 stable

api: fix update_repo check for permission to create top level repos The hg.create.repository permission only applies to creation (or renaming) of top level repos - it is not relevant for other kinds of renaming. Moving or renaming repos in other locations is now covered by other checks.
author Mads Kiilerich <mads@kiilerich.com>
date Mon, 04 Jan 2021 22:45:53 +0100
parents 7643d8ecbb20
children c9834271cd06 516a43cbd814
files kallithea/controllers/api/api.py kallithea/tests/api/api_base.py
diffstat 2 files changed, 5 insertions(+), 5 deletions(-) [+]
--- a/kallithea/controllers/api/api.py	Sat Jan 02 23:41:37 2021 +0100
+++ b/kallithea/controllers/api/api.py	Mon Jan 04 22:45:53 2021 +0100
@@ -1325,10 +1325,10 @@
             if not HasRepoPermissionLevel('admin')(repo.repo_name):
                 raise JSONRPCError('repository `%s` does not exist' % (repoid,))
 
-            if (name != repo.repo_name and
+            if (name != repo.repo_name and repo.group_id is None and
                 not HasPermissionAny('hg.create.repository')()
             ):
-                raise JSONRPCError('no permission to create (or move) repositories')
+                raise JSONRPCError('no permission to create (or move) top level repositories')
 
             if not isinstance(owner, Optional):
                 # forbid setting owner for non-admins
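Review bot: The top-level gate on the `repo.group_id is None` line is keyed on where the repository currently lives, not on where the update leaves it. That is sound only while update_repo cannot move a repository to the root, which the TODO added in the next hunk says is the case today; once that limitation is lifted, a repository inside a group could apparently end up at top level without `hg.create.repository` ever being consulted. I would record the dependency next to the condition, e.g. `# checks the current location only; must also cover the destination once repos can be moved to root`. The enclosing function starts and ends outside the hunk, so the other checks the description relies on are not all visible here.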
@@ -1339,7 +1339,7 @@
         updates = {}
         repo_group = group
         if not isinstance(repo_group, Optional):
-            repo_group = get_repo_group_or_error(repo_group)
+            repo_group = get_repo_group_or_error(repo_group)  # TODO: repos can thus currently not be moved to root
             if repo_group.group_id != repo.group_id:
                 if not(HasPermissionAny('hg.admin')() or HasRepoGroupPermissionLevel('write')(repo_group.group_name)):
                     raise JSONRPCError("no permission to create (or move) repo in %s" % repo_group.group_name)
--- a/kallithea/tests/api/api_base.py	Sat Jan 02 23:41:37 2021 +0100
+++ b/kallithea/tests/api/api_base.py	Mon Jan 04 22:45:53 2021 +0100
@@ -1144,7 +1144,7 @@
         finally:
             fixture.destroy_repo(repo_name)
 
-    def test_api_update_repo_regular_user_change_repo_name(self):
+    def test_api_update_repo_regular_user_change_top_level_repo_name(self):
         repo_name = 'admin_owned'
         new_repo_name = 'new_repo_name'
         fixture.create_repo(repo_name, repo_type=self.REPO_TYPE)
@@ -1158,7 +1158,7 @@
                                   repoid=repo_name, **updates)
         response = api_call(self, params)
         try:
-            expected = 'no permission to create (or move) repositories'
+            expected = 'no permission to create (or move) top level repositories'
             self._compare_error(id_, expected, given=response.body)
         finally:
             fixture.destroy_repo(repo_name)
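Review bot: Only the denial for a top-level rename is pinned by this test; nothing in the visible test hunks exercises the case the commit newly permits, a repository admin without `hg.create.repository` renaming a repository that sits inside a group. Because the change relaxes an authorization check, I would add a companion test that creates the repository in a group, renames it as the regular user and asserts success, plus one asserting that moving it to a group without write access still returns `no permission to create (or move) repo in ...`. Tests outside these hunks may already cover part of this, so treat it as a request to confirm.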