fix users being able bypass limits with repo transfers (#34031)

prevent user from being able to transfer repo to user who cannot have
more repositories

routers/api/v1/repo/transfer.go

@@ -108,22 +108,19 @@ func Transfer(ctx *context.APIContext) {
 	oldFullname := ctx.Repo.Repository.FullName()
 
 	if err := repo_service.StartRepositoryTransfer(ctx, ctx.Doer, newOwner, ctx.Repo.Repository, teams); err != nil {
-		if repo_model.IsErrRepoTransferInProgress(err) {
+		switch {
+		case repo_model.IsErrRepoTransferInProgress(err):
 			ctx.APIError(http.StatusConflict, err)
-			return
-		}
-
-		if repo_model.IsErrRepoAlreadyExist(err) {
+		case repo_model.IsErrRepoAlreadyExist(err):
 			ctx.APIError(http.StatusUnprocessableEntity, err)
+		case repo_service.IsRepositoryLimitReached(err):
+			ctx.APIError(http.StatusForbidden, err)
+		case errors.Is(err, user_model.ErrBlockedUser):
+			ctx.APIError(http.StatusForbidden, err)
+		default:
+			ctx.APIErrorInternal(err)
 			return
 		}
-
-		if errors.Is(err, user_model.ErrBlockedUser) {
-			ctx.APIError(http.StatusForbidden, err)
-		} else {
-			ctx.APIErrorInternal(err)
-		}
-		return
 	}
 
 	if ctx.Repo.Repository.Status == repo_model.RepositoryPendingTransfer {
@@ -169,6 +166,8 @@ func AcceptTransfer(ctx *context.APIContext) {
 			ctx.APIError(http.StatusNotFound, err)
 		case errors.Is(err, util.ErrPermissionDenied):
 			ctx.APIError(http.StatusForbidden, err)
+		case repo_service.IsRepositoryLimitReached(err):
+			ctx.APIError(http.StatusForbidden, err)
 		default:
 			ctx.APIErrorInternal(err)
 		}