Check user instead of organization when creating a repo from a template via API #16346
Codecov Report
@@            Coverage Diff             @@
##             main   #16346      +/-   ##
==========================================
- Coverage   45.43%   45.42%   -0.02%
==========================================
  Files         717      717
  Lines       84177    84180       +3
==========================================
- Hits        38250    38239      -11
- Misses      39780    39793      +13
- Partials     6147     6148       +1
Continue to review full report at Codecov.
Not sure in the current design whether a user can create a new repo for another user, and if yes, which permission should be requested ... /cc @lunny
At least, admins should be able to do the copy to another user's account. I'm using this feature in a Learning Management System and before this feature was available, I had to use repos/migrate to create copies of the repos for the students from base repos owned by the root user. This is much more convenient and efficient.
Well, for admins we have the sudo header.
At present just use Sudo. For other non-admin users we would need to think a bit more about authorization.
Use SUDO instead.
It's not a problem of permissions, it's that this endpoint, using an API token from a root account, doesn't work. Documentation says that the repo can be copied to an org or a user, and it doesn't: it only copies if the destination is an organization. That's what I was trying to solve.
@zeripath should we really enforce the sudo header? @ijaureguialzo you can solve your problem with a sudo header.
Sorry, @6543, could you explain to me how? I don't understand how sudo can solve my problem. My goal is to be able to copy an admin-owned private repo to another random user on the system (I'm creating tasks for my students). I'm using this PHP code to query the Gitea API:

    // POST /repos/{template_owner}/{template_repo}/generate with an admin token
    $request = self::$client->post("repos/$repositorio/generate", [
        'headers' => [
            'Authorization' => 'token ' . config('gitea.token'),
            'Accept' => 'application/json',
        ],
        'json' => [
            "owner" => $username,        // destination user (not an org)
            "name" => $destination,
            "private" => true,
            "git_content" => true,
            "description" => $description,
        ],
    ]);

The If I try to run that code and copy a repo named The log message itself is wrong, but looking at the source I realized that even if I have full permissions, if I'm not the owner of the repository and the destination is not an org, the copy is not allowed; and documentation says it should be. With the patch I submitted, the copy is made correctly and fails if the destination user or organization doesn't exist. Thanks in advance for your time.
I have to agree, if the repo is private sudo won't work.
You're creating repos for other users. We don't have that functionality yet and haven't properly considered the consequences of doing so. We'd really need to completely double check that this actually does the permissions checks properly and really does handle all of the counters properly.
Hmm, in my view, I'd like to add a new API for admins to generate a repo for another user. For example, like:
That would be great, but I don't have enough proficiency with Gitea's code, so I can't help much with that.
OK on deeper looking I think this would work |
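Added example, not code from the Gitea PR or repository: a stand-alone Go sketch of the authorization rule the thread arrives at (self-targeting always allowed, an org only via repo-creation rights, another user's account only for a site admin), run over a constructed in-memory user directory. `User`, `AuthorizeGenerate` and the two error values are assumed names, and the directory lookup stands in for the user-by-name query the patch switches to.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a constructed stand-in for Gitea's user/org record (not Gitea's model).
type User struct {
	Name         string
	IsAdmin      bool
	IsOrg        bool
	RepoCreators map[string]bool // org members allowed to create repos (orgs only)
}

var ErrOwnerNotFound = errors.New("request owner does not exist")          // API: 404
var ErrForbidden = errors.New("not allowed to generate a repository here") // API: 403

// AuthorizeGenerate resolves the requested owner and applies the rule the PR
// settles on: a caller may always generate into their own account, into an
// org only when they may create repos there, and into another user's account
// only when they are a site admin. dir is a constructed name->user directory.
func AuthorizeGenerate(dir map[string]*User, actor *User, owner string) (*User, error) {
	if owner == actor.Name {
		return actor, nil
	}
	target, ok := dir[owner] // the fix: look up any user or org, not only orgs
	if !ok {
		return nil, ErrOwnerNotFound
	}
	if actor.IsAdmin {
		return target, nil
	}
	if !target.IsOrg || !target.RepoCreators[actor.Name] {
		return nil, ErrForbidden // other user's account, or org without create rights
	}
	return target, nil
}

func main() {
	// Constructed directory: a root admin, two students and a course org.
	dir := map[string]*User{
		"root": {Name: "root", IsAdmin: true}, "alice": {Name: "alice"}, "bob": {Name: "bob"},
		"course": {Name: "course", IsOrg: true, RepoCreators: map[string]bool{"alice": true}},
	}
	for _, c := range [][2]string{{"root", "bob"}, {"alice", "bob"}, {"alice", "course"}, {"root", "nobody"}} {
		_, err := AuthorizeGenerate(dir, dir[c[0]], c[1])
		fmt.Printf("%s -> %s: %v\n", c[0], c[1], err)
	}
}
```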
index 9c534a194..5e0228fdb 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -387,6 +387,11 @@ func Generate(ctx *context.APIContext) {
return
}
+ if !ctx.User.IsAdmin && !ctxUser.IsOrganization() {
+ ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
+ return
+ }
+
if !ctx.User.IsAdmin {
canCreate, err := ctxUser.CanCreateOrgRepo(ctx.User.ID)
if err != nil {
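Review bot: the new guard and the existing `if !ctx.User.IsAdmin {` block directly below it test the same condition twice; fold the organization check into that block (`if !ctx.User.IsAdmin { if !ctxUser.IsOrganization() { ... return } canCreate, err := ctxUser.CanCreateOrgRepo(ctx.User.ID) ... }`) so the whole non-admin path reads in one place. The message "Only admin can generate repository for other user." should also read "Only admins can generate a repository for another user.", and an API test covering both the 403 for a non-admin targeting another user and the success path for an admin would pin down the behaviour this hunk introduces.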
My suggestion about the permission check.
Thank you for the approval @a1012112796. Will these changes make it to 1.15? I see it's marked for the 1.16 milestone.
I'm afraid it won't make 1.15.
Great, thank you all for your help.
…te via API (go-gitea#16346) * Check user instead of organization * Enforce that only admins can copy a repo to another user
API documentation for the repos/generate action implemented in #15958 says for the owner parameter: "The organization or person who will own the new repository." The current code only checks whether the destination owner is an organization, and an error is returned when trying to copy a template to another user.
Checking for a user instead of an organization allows for both targets.