1
1
mirror of https://github.com/go-gitea/gitea synced 2025-07-22 18:28:37 +00:00

fix users being able bypass limits with repo transfers (#34031)

prevent user from being able to transfer repo to user who cannot have
more repositories
This commit is contained in:
TheFox0x7
2025-03-31 22:19:32 +02:00
committed by GitHub
parent a2e8a289b2
commit 4d2323183d
6 changed files with 92 additions and 16 deletions

View File

@@ -20,10 +20,22 @@ import (
"code.gitea.io/gitea/modules/gitrepo"
"code.gitea.io/gitea/modules/globallock"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
notify_service "code.gitea.io/gitea/services/notify"
)
type LimitReachedError struct{ Limit int }
func (LimitReachedError) Error() string {
return "Repository limit has been reached"
}
func IsRepositoryLimitReached(err error) bool {
_, ok := err.(LimitReachedError)
return ok
}
func getRepoWorkingLockKey(repoID int64) string {
return fmt.Sprintf("repo_working_%d", repoID)
}
@@ -49,6 +61,11 @@ func AcceptTransferOwnership(ctx context.Context, repo *repo_model.Repository, d
return err
}
if !doer.IsAdmin && !repoTransfer.Recipient.CanCreateRepo() {
limit := util.Iif(repoTransfer.Recipient.MaxRepoCreation >= 0, repoTransfer.Recipient.MaxRepoCreation, setting.Repository.MaxCreationLimit)
return LimitReachedError{Limit: limit}
}
if !repoTransfer.CanUserAcceptOrRejectTransfer(ctx, doer) {
return util.ErrPermissionDenied
}
@@ -399,6 +416,11 @@ func StartRepositoryTransfer(ctx context.Context, doer, newOwner *user_model.Use
return err
}
if !doer.IsAdmin && !newOwner.CanCreateRepo() {
limit := util.Iif(newOwner.MaxRepoCreation >= 0, newOwner.MaxRepoCreation, setting.Repository.MaxCreationLimit)
return LimitReachedError{Limit: limit}
}
var isDirectTransfer bool
oldOwnerName := repo.OwnerName