From 0129e76ef5bdd6af30207ce7d99bdbe70c108d18 Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Mon, 3 Feb 2020 18:44:06 +0100 Subject: [PATCH] Prevent DeleteUser API abuse (#10125) (#10128) * fix & co * word suggestions from @jolheiser --- routers/api/v1/admin/user.go | 6 ++++++ routers/org/setting.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go index 7387037d33..6df8ad9393 100644 --- a/routers/api/v1/admin/user.go +++ b/routers/api/v1/admin/user.go @@ -7,6 +7,7 @@ package admin import ( "errors" + "fmt" "net/http" "code.gitea.io/gitea/models" @@ -226,6 +227,11 @@ func DeleteUser(ctx *context.APIContext) { return } + if u.IsOrganization() { + ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", u.Name)) + return + } + if err := models.DeleteUser(u); err != nil { if models.IsErrUserOwnRepos(err) || models.IsErrUserHasOrgs(err) { diff --git a/routers/org/setting.go b/routers/org/setting.go index 0aeefb50af..74fa4a7afb 100644 --- a/routers/org/setting.go +++ b/routers/org/setting.go @@ -115,7 +115,7 @@ func SettingsDeleteAvatar(ctx *context.Context) { ctx.Redirect(ctx.Org.OrgLink + "/settings") } -// SettingsDelete response for delete repository +// SettingsDelete response for deleting an organization func SettingsDelete(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("org.settings") ctx.Data["PageIsSettingsDelete"] = true