Fix bug that collaborators are able to modify settings of repository

modules/middleware/context.go

@@ -47,22 +47,23 @@ type Context struct {
 	csrfToken string
 
 	Repo struct {
-		IsOwner    bool
+		IsOwner     bool
-		IsWatching bool
+		IsTrueOwner bool
-		IsBranch   bool
+		IsWatching  bool
-		IsTag      bool
+		IsBranch    bool
-		IsCommit   bool
+		IsTag       bool
-		HasAccess  bool
+		IsCommit    bool
-		Repository *models.Repository
+		HasAccess   bool
-		Owner      *models.User
+		Repository  *models.Repository
-		Commit     *git.Commit
+		Owner       *models.User
-		Tag        *git.Tag
+		Commit      *git.Commit
-		GitRepo    *git.Repository
+		Tag         *git.Tag
-		BranchName string
+		GitRepo     *git.Repository
-		TagName    string
+		BranchName  string
-		CommitId   string
+		TagName     string
-		RepoLink   string
+		CommitId    string
-		CloneLink  struct {
+		RepoLink    string
+		CloneLink   struct {
 			SSH   string
 			HTTPS string
 			Git   string

modules/middleware/repo.go

@@ -35,9 +35,8 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 		}
 
 		var (
-			user        *models.User
+			user *models.User
-			err         error
+			err  error
-			isTrueOwner bool
 		)
 
 		userName := params["username"]
@@ -52,10 +51,10 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 				ctx.Handle(500, "RepoAssignment(HasAccess)", err)
 				return
 			}
-			isTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
+			ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
 		}
 
-		if !isTrueOwner {
+		if !ctx.Repo.IsTrueOwner {
 			user, err = models.GetUserByName(userName)
 			if err != nil {
 				if err == models.ErrUserNotExist {
@@ -82,6 +81,11 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 		}
 		ctx.Repo.Owner = user
 
+		// Organization owner team members are true owners as well.
+		if ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOrgOwner(ctx.User.Id) {
+			ctx.Repo.IsTrueOwner = true
+		}
+
 		// get repository
 		repo, err := models.GetRepositoryByName(user.Id, repoName)
 		if err != nil {
@@ -154,6 +158,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 		ctx.Data["Owner"] = user
 		ctx.Data["RepoLink"] = ctx.Repo.RepoLink
 		ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner
+		ctx.Data["IsRepositoryTrueOwner"] = ctx.Repo.IsTrueOwner
 		ctx.Data["BranchName"] = ""
 
 		if setting.SshPort != 22 {
@@ -257,7 +262,7 @@ func RepoAssignment(redirect bool, args ...bool) martini.Handler {
 
 func RequireOwner() martini.Handler {
 	return func(ctx *Context) {
-		if !ctx.Repo.IsOwner {
+		if !ctx.Repo.IsTrueOwner {
 			if !ctx.IsSigned {
 				ctx.SetCookie("redirect_to", "/"+url.QueryEscape(ctx.Req.RequestURI))
 				ctx.Redirect("/user/login")

templates/repo/toolbar.tmpl

@@ -35,7 +35,7 @@
                             <li><a href="#">Pulse</a></li>
                             <li><a href="#">Network</a></li>
                         </ul>
-                    </li> -->{{end}}{{if .IsRepositoryOwner}}
+                    </li> -->{{end}}{{if .IsRepositoryTrueOwner}}
                     <li class="{{if .IsRepoToolbarSetting}}active{{end}}"><a href="{{.RepoLink}}/settings">Settings</a>
                     </li>{{end}}
                 </ul>