Prevent DeleteUser API abuse (#10125)

* fix & co * word suggestions from @jolheiser
go-gitea · Feb 3, 2020 · ea50f60 · ea50f60
1 parent 29151b9
commit ea50f60
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
@@ -7,6 +7,7 @@ package admin
 
 import (
  "errors"
+ "fmt"
  "net/http"
 
  "code.gitea.io/gitea/models"
@@ -227,6 +228,11 @@ func DeleteUser(ctx *context.APIContext) {
  return
  }
 
+ if u.IsOrganization() {
+ ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", u.Name))
+ return
+ }
+
  if err := models.DeleteUser(u); err != nil {
  if models.IsErrUserOwnRepos(err) ||
  models.IsErrUserHasOrgs(err) {

diff --git a/routers/org/setting.go b/routers/org/setting.go
@@ -115,7 +115,7 @@ func SettingsDeleteAvatar(ctx *context.Context) {
  ctx.Redirect(ctx.Org.OrgLink + "/settings")
 }
 
-// SettingsDelete response for delete repository
+// SettingsDelete response for deleting an organization
 func SettingsDelete(ctx *context.Context) {
  ctx.Data["Title"] = ctx.Tr("org.settings")
  ctx.Data["PageIsSettingsDelete"] = true