authorWim <wim@42.be>2022-09-28 01:25:40 +0200
committerGitHub <noreply@github.com>2022-09-28 01:25:40 +0200
commit889a41c6a834debafc16cb76abade0fdc8c2bd5b (patch)
tree7972567fdefe30c1ed6feb06c37a4dfccc6516c5 /routers/web/repo
parentFeature: Case-insensitive "find files in repo" (#21269) (diff)
Do not allow organisation owners add themselves as collaborator (#20043)
We're already checking for repo owners, but we also need to check for organisation owners that try to add themselves as a collaborator. Closes #17966
Diffstat (limited to 'routers/web/repo')
-rw-r--r--routers/web/repo/setting.go13
1 files changed, 13 insertions, 0 deletions
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index 267940c8d2..e7abec0d3e 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -917,6 +917,19 @@ func CollaborationPost(ctx *context.Context) {
return
}
+ // find the owner team of the organization the repo belongs too and
+ // check if the user we're trying to add is an owner.
+ if ctx.Repo.Repository.Owner.IsOrganization() {
+ if isOwner, err := organization.IsOrganizationOwner(ctx, ctx.Repo.Repository.Owner.ID, u.ID); err != nil {
+ ctx.ServerError("IsOrganizationOwner", err)
+ return
+ } else if isOwner {
+ ctx.Flash.Error(ctx.Tr("repo.settings.add_collaborator_owner"))
+ ctx.Redirect(setting.AppSubURL + ctx.Req.URL.EscapedPath())
+ return
+ }
+ }
+
if err = repo_module.AddCollaborator(ctx.Repo.Repository, u); err != nil {
ctx.ServerError("AddCollaborator", err)
return
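Review bot: The organisation-owner guard lives only in this web handler, immediately before the call to `repo_module.AddCollaborator`, so any other caller of `AddCollaborator` that sits outside this hunk (an API route, for example, if one exists) would presumably still accept an organisation owner as a collaborator. Consider moving the `organization.IsOrganizationOwner` check into `AddCollaborator` itself so the rule holds for every entry point, or confirm that the other callers carry the same check. The added comment also has a typo ("belongs too") and talks about finding the owner team, which the code does not do; something like `// Organization owners must not be added as collaborators on the organization's repositories.` would match the code. The body of CollaborationPost starts and ends outside the hunk, so the earlier repo-owner check mentioned in the description is not visible here.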