diff --git a/routes/api/v1/api.go b/routes/api/v1/api.go
index 54f7e7efe..7b58b4eb1 100644
--- a/routes/api/v1/api.go
+++ b/routes/api/v1/api.go
@@ -112,6 +112,15 @@ func reqRepoWriter() macaron.Handler {
 }
 }
 
+func reqRepoAdmin() macaron.Handler {
+ return func(c *context.Context) {
+ if !c.Repo.IsAdmin() {
+ c.Error(http.StatusForbidden)
+ return
+ }
+ }
+}
+
 func orgAssignment(args ...bool) macaron.Handler {
 var (
 assignOrg bool
@@ -236,12 +245,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 Post(bind(api.CreateHookOption{}), repo.CreateHook)
 m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook).
 Delete(repo.DeleteHook)
- }, reqAdmin())
+ }, reqRepoAdmin())
 m.Group("/collaborators", func() {
 m.Get("", repo.ListCollaborators)
 m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
 Delete(repo.DeleteCollaborator)
- }, reqAdmin())
+ }, reqRepoAdmin())
 m.Get("/raw/*", context.RepoRef(), repo.GetRawFile)
 m.Get("/archive/*", repo.GetArchive)
 m.Get("/forks", repo.ListForks)
@@ -260,7 +269,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
 m.Combo("/:id").Get(repo.GetDeployKey).
 Delete(repo.DeleteDeploykey)
- }, reqAdmin())
+ }, reqRepoAdmin())
 m.Group("/issues", func() {
 m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue)
 m.Group("/comments", func() {
@@ -300,8 +309,8 @@ func RegisterRoutes(m *macaron.Macaron) {
 Delete(reqRepoWriter(), repo.DeleteMilestone)
 })
 
- m.Patch("/issue-tracker", bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
- m.Post("/mirror-sync", repo.MirrorSync)
+ m.Patch("/issue-tracker", reqRepoWriter(), bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
+ m.Post("/mirror-sync", reqRepoWriter(), repo.MirrorSync)
 m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
 }, repoAssignment())
 }, reqToken())
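Review bot: The new reqRepoAdmin handler has no doc comment, and its precondition is not obvious from the body: it dereferences c.Repo, which only makes sense for routes mounted under repoAssignment(), so it must never be attached to a route outside that group. I would add `// reqRepoAdmin responds 403 unless the authenticated user is an admin of the repository resolved by repoAssignment(); it must only be used on routes nested under that handler.` above the function. The reliance on c.Error(http.StatusForbidden) writing the response so that macaron stops the handler chain is presumably the same convention reqRepoWriter uses, but that function's body starts outside this hunk, so I could not confirm the two match.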
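Review bot: After this commit the hooks, collaborators and deploy-keys groups (this hunk and the next) all switch from reqAdmin() to reqRepoAdmin(), and nothing in the diff shows reqAdmin() still being used in this file; if it has no remaining callers, staticcheck will report it as unused, so either delete it in the same change or note why it is kept. The switch also relaxes who can read the collaborator list and deploy keys from whatever reqAdmin() enforced to repository admins, which is presumably the intent, but that widening should be stated in the commit message since it is an access-control change and not just a rename. RegisterRoutes starts and ends outside these hunks.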
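Review bot: The issue-tracker route is gated with reqRepoWriter() while the settings-style routes earlier in the same function (hooks, collaborators, deploy keys) now require reqRepoAdmin(); if repo.IssueTracker changes repository settings, as the EditIssueTrackerOption name suggests, a writer-level check is weaker than the rest of the settings surface, and I would use `m.Patch("/issue-tracker", reqRepoAdmin(), bind(api.EditIssueTrackerOption{}), repo.IssueTracker)` instead, or add a comment recording why writers are intentionally allowed. Gating mirror-sync on reqRepoWriter() looks consistent with the milestone routes in the same hunk; whether MirrorSync itself rejects non-mirror repositories is outside this diff. RegisterRoutes ends outside the hunk.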