From 4485f6c6f3060b3ff3dd1d915da5242eb14029ba Mon Sep 17 00:00:00 2001
From: Kirill Zaitsev
Date: Thu, 21 Jul 2016 20:43:29 +0300
Subject: [PATCH] Disallow non admin users to deactivate repo

---
 router/middleware/session/user.go | 17 +++++++++++++++++
 router/router.go | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/router/middleware/session/user.go b/router/middleware/session/user.go
index 78f0a16bf..c1c0e09b4 100644
--- a/router/middleware/session/user.go
+++ b/router/middleware/session/user.go
@@ -85,6 +85,23 @@ func MustAdmin() gin.HandlerFunc {
 	}
 }
 
+func MustRepoAdmin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		user := User(c)
+		perm := Perm(c)
+		switch {
+		case user == nil:
+			c.String(401, "User not authorized")
+			c.Abort()
+		case perm.Admin == false:
+			c.String(403, "User not authorized")
+			c.Abort()
+		default:
+			c.Next()
+		}
+	}
+}
+
 func MustUser() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		user := User(c)
diff --git a/router/router.go b/router/router.go
index 8dd1a3609..1fba1a4d7 100644
--- a/router/router.go
+++ b/router/router.go
@@ -84,7 +84,7 @@ func Load(middleware ...gin.HandlerFunc) http.Handler {
 
 		// requires push permissions
 		repo.PATCH("", session.MustPush, server.PatchRepo)
-		repo.DELETE("", session.MustPush, server.DeleteRepo)
+		repo.DELETE("", session.MustRepoAdmin(), server.DeleteRepo)
 		repo.POST("/chown", session.MustPush, server.ChownRepo)
 		repo.POST("/builds/:number", session.MustPush, server.PostBuild)
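Review bot: The `case perm.Admin == false:` branch dereferences the value returned by `Perm(c)` without a nil check, so a request on which no permission record was stored in the context would panic inside this guard rather than be rejected; whether Perm(c) can return nil is not visible in this hunk, but a fail-closed guard `case perm == nil || !perm.Admin:` covers that case at no cost and also replaces the `== false` comparison with the idiomatic negation. The exported function has no doc comment; suggest `// MustRepoAdmin responds 401 when the session has no user and 403 when the session's repository permission lacks Admin; otherwise the handler chain continues.` Note that MustRepoAdmin is a constructor returning a gin.HandlerFunc, like the neighbouring MustAdmin and MustUser, whereas router.go passes session.MustPush as a bare handler, so the doc comment should make clear that callers register `MustRepoAdmin()` with the parentheses.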
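Review bot: The `// requires push permissions` comment now heads a group in which `repo.DELETE` requires repository admin rather than push, so the comment is stale for that route; either move the DELETE registration out from under it or reword it, e.g. `// requires push permissions (DELETE requires repository admin)`. The list also mixes `session.MustPush` passed as a value with `session.MustRepoAdmin()` called as a constructor; the compiler will catch a missing `()` because the types differ, but using one convention for all guards in this group would be easier to read and copy correctly. Given the commit's intent that only repository admins may deactivate a repo, it is worth confirming whether `/chown` (ownership transfer, still gated by MustPush on the following line) should be held to the same bar. Load's body continues outside the hunk.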