From 251d7f524aa53ec1082cacbf8beb4b83446eb7b5 Mon Sep 17 00:00:00 2001
From: Ion Jaureguialzo Sarasola
Date: Thu, 15 Jul 2021 20:19:39 +0200
Subject: [PATCH] Check user instead of organization when creating a repo from a template via API (#16346)
* Check user instead of organization
* Enforce that only admins can copy a repo to another user
---
 routers/api/v1/repo/repo.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index b671ef2435..5e0228fdbe 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -374,16 +374,21 @@ func Generate(ctx *context.APIContext) {
 ctxUser := ctx.User
 var err error
 if form.Owner != ctxUser.Name {
- ctxUser, err = models.GetOrgByName(form.Owner)
+ ctxUser, err = models.GetUserByName(form.Owner)
 if err != nil {
- if models.IsErrOrgNotExist(err) {
+ if models.IsErrUserNotExist(err) {
 ctx.JSON(http.StatusNotFound, map[string]interface{}{
- "error": "request owner `" + form.Name + "` is not exist",
+ "error": "request owner `" + form.Owner + "` does not exist",
 })
 return
 }
- ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)
+ ctx.Error(http.StatusInternalServerError, "GetUserByName", err)
+ return
+ }
+
+ if !ctx.User.IsAdmin && !ctxUser.IsOrganization() {
+ ctx.Error(http.StatusForbidden, "", "Only admin can generate repository for other user.")
 return
 }
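Review bot: The new `!ctx.User.IsAdmin && !ctxUser.IsOrganization()` guard runs only after `GetUserByName` has succeeded, so a non-admin caller receives 404 for an unknown owner and 403 for an existing one, which tells the two cases apart; if account names are not meant to be discoverable through this endpoint, the 403 for non-admins should not depend on the lookup result. The guard covers only owners that are plain users, so organization owners still rely on a permission check that is not visible in this hunk (Generate starts before it and continues past it), and that check should be confirmed to run for every non-admin caller. The diffstat lists only `routers/api/v1/repo/repo.go`, so this authorization fix ships without a regression test; an API test asserting 403 when a non-admin names another user as `owner` would pin the behaviour. A comment above the guard such as `// Non-admins may generate only into their own account or an organization.` would record the intent.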