From a352455b81cf94cf8d2dfa4729426a0edcbc8f59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20=C5=BDen=C4=8D=C3=A1k?=
Date: Thu, 1 Feb 2024 14:45:01 +0100
Subject: [PATCH] Use ctx.Org.Organization.IsOwnedBy
---
 routers/api/v1/org/member.go | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/routers/api/v1/org/member.go b/routers/api/v1/org/member.go
index 7c803a927a..437532ad5c 100644
--- a/routers/api/v1/org/member.go
+++ b/routers/api/v1/org/member.go
@@ -9,7 +9,6 @@ import (
 "code.gitea.io/gitea/models"
 "code.gitea.io/gitea/models/organization"
- user_model "code.gitea.io/gitea/models/user"
 "code.gitea.io/gitea/modules/context"
 "code.gitea.io/gitea/modules/setting"
 api "code.gitea.io/gitea/modules/structs"
@@ -237,7 +236,16 @@ func PublicizeMember(ctx *context.APIContext) {
 if ctx.Written() {
 return
 }
- if userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin && !organization.IsUserOrgOwner(ctx, []*user_model.User{ctx.Doer}, ctx.Org.Organization.ID)[ctx.Doer.ID] {
+ allowed := userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin
+ if !allowed {
+ isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+ if err != nil {
+ ctx.Error(http.StatusInternalServerError, "ChangeOrgUserStatus", err)
+ return
+ }
+ allowed = isOwner
+ }
+ if !allowed {
 ctx.Error(http.StatusForbidden, "", "Cannot publicize another member")
 return
 }
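Review bot: The new `allowed := userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin` keeps the old denial precondition under a name that means the opposite, so the authorization check is inverted: a non-admin doer acting on another member gets `allowed == true`, skips the `IsOwnedBy` lookup and never reaches the 403, while a doer acting on their own membership, or a site admin, is rejected unless they are also an org owner. It should read `allowed := userToPublicize.ID == ctx.Doer.ID || ctx.Doer.IsAdmin`, with the owner lookup kept as the fallback. The ConcealMember hunk has the same inversion and needs `allowed := userToConceal.ID == ctx.Doer.ID || ctx.Doer.IsAdmin`. An API test in which a plain member tries to publicize or conceal a different member and must receive 403 would pin the intended behaviour. Both function bodies continue outside their hunks.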
@@ -279,7 +287,16 @@ func ConcealMember(ctx *context.APIContext) {
 if ctx.Written() {
 return
 }
- if userToConceal.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin && !organization.IsUserOrgOwner(ctx, []*user_model.User{ctx.Doer}, ctx.Org.Organization.ID)[ctx.Doer.ID] {
+ allowed := userToConceal.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin
+ if !allowed {
+ isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+ if err != nil {
+ ctx.Error(http.StatusInternalServerError, "ChangeOrgUserStatus", err)
+ return
+ }
+ allowed = isOwner
+ }
+ if !allowed {
 ctx.Error(http.StatusForbidden, "", "Cannot conceal another member")
 return
 }