Fix system admin cannot fork or get private fork with API (go-gitea#33401)

lunny · GiteaBot · commit 060d4ed03535 · 2025-01-27T16:25:20.000Z
Fix go-gitea#33368
diff --git a/routers/api/v1/repo/fork.go b/routers/api/v1/repo/fork.go
@@ -132,13 +132,15 @@ func CreateFork(ctx *context.APIContext) {
 			}
 			return
 		}
-		isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)
-		if err != nil {
-			ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)
-			return
-		} else if !isMember {
-			ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))
-			return
+		if !ctx.Doer.IsAdmin {
+			isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)
+			if err != nil {
+				ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)
+				return
+			} else if !isMember {
+				ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))
+				return
+			}
 		}
 		forker = org.AsUser()
 	}
diff --git a/services/repository/fork.go b/services/repository/fork.go
@@ -258,9 +258,11 @@ type findForksOptions struct {
 }
 
 func (opts findForksOptions) ToConds() builder.Cond {
-	return builder.Eq{"fork_id": opts.RepoID}.And(
-		repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid),
-	)
+	cond := builder.Eq{"fork_id": opts.RepoID}
+	if opts.Doer != nil && opts.Doer.IsAdmin {
+		return cond
+	}
+	return cond.And(repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid))
 }
 
 // FindForks returns all the forks of the repository
diff --git a/tests/integration/api_fork_test.go b/tests/integration/api_fork_test.go
@@ -10,6 +10,7 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	org_model "code.gitea.io/gitea/models/organization"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
@@ -81,8 +82,8 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		var forks []*api.Repository
 		DecodeJSON(t, resp, &forks)
 
-		assert.Len(t, forks, 1)
-		assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count"))
+		assert.Len(t, forks, 2)
+		assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
 
 		assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
 
@@ -96,3 +97,31 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 		assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
 	})
 }
+
+func TestGetPrivateReposForks(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user1Sess := loginUser(t, "user1")
+	repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) // private repository
+	privateOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
+	user1Token := getTokenForLoggedInUser(t, user1Sess, auth_model.AccessTokenScopeWriteRepository)
+
+	forkedRepoName := "forked-repo"
+	// create fork from a private repository
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+repo2.FullName()+"/forks", &api.CreateForkOption{
+		Organization: &privateOrg.Name,
+		Name:         &forkedRepoName,
+	}).AddTokenAuth(user1Token)
+	MakeRequest(t, req, http.StatusAccepted)
+
+	// test get a private fork without clear permissions
+	req = NewRequest(t, "GET", "/api/v1/repos/"+repo2.FullName()+"/forks").AddTokenAuth(user1Token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	forks := []*api.Repository{}
+	DecodeJSON(t, resp, &forks)
+	assert.Len(t, forks, 1)
+	assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count"))
+	assert.EqualValues(t, "forked-repo", forks[0].Name)
+	assert.EqualValues(t, privateOrg.Name, forks[0].Owner.UserName)
+}
diff --git a/tests/integration/repo_fork_test.go b/tests/integration/repo_fork_test.go
@@ -118,7 +118,8 @@ func TestForkListLimitedAndPrivateRepos(t *testing.T) {
 		req := NewRequest(t, "GET", "/user2/repo1/forks")
 		resp := user1Sess.MakeRequest(t, req, http.StatusOK)
 		htmlDoc := NewHTMLParser(t, resp.Body)
-		assert.EqualValues(t, 1, htmlDoc.Find(forkItemSelector).Length())
+		// since user1 is an admin, he can get both of the forked repositories
+		assert.EqualValues(t, 2, htmlDoc.Find(forkItemSelector).Length())
 
 		assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
 		resp = user1Sess.MakeRequest(t, req, http.StatusOK)

Original file line number	Diff line number	Diff line change
`@@ -132,13 +132,15 @@ func CreateFork(ctx *context.APIContext) {`
`132`	`132`	`}`
`133`	`133`	`return`
`134`	`134`	`}`
`135`		`- isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)`
`136`		`- if err != nil {`
`137`		`- ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)`
`138`		`- return`
`139`		`- } else if !isMember {`
`140`		`- ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))`
`141`		`- return`
	`135`	`+ if !ctx.Doer.IsAdmin {`
	`136`	`+ isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)`
	`137`	`+ if err != nil {`
	`138`	`+ ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)`
	`139`	`+ return`
	`140`	`+ } else if !isMember {`
	`141`	`+ ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))`
	`142`	`+ return`
	`143`	`+ }`
`142`	`144`	`}`
`143`	`145`	`forker = org.AsUser()`
`144`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -258,9 +258,11 @@ type findForksOptions struct {`
`258`	`258`	`}`
`259`	`259`
`260`	`260`	`func (opts findForksOptions) ToConds() builder.Cond {`
`261`		`- return builder.Eq{"fork_id": opts.RepoID}.And(`
`262`		`- repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid),`
`263`		`- )`
	`261`	`+ cond := builder.Eq{"fork_id": opts.RepoID}`
	`262`	`+ if opts.Doer != nil && opts.Doer.IsAdmin {`
	`263`	`+ return cond`
	`264`	`+ }`
	`265`	`+ return cond.And(repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid))`
`264`	`266`	`}`
`265`	`267`
`266`	`268`	`// FindForks returns all the forks of the repository`