fix(projects): properly check if a user or link share is allowed to create a new project

2023-01-12 16:49:52 +01:00 · 2023-01-12 16:49:52 +01:00 · 154ac61d7c
commit 154ac61d7c
parent 03eb4ecd07
2 changed files with 11 additions and 2 deletions
--- a/pkg/integrations/link_sharing_test.go
+++ b/pkg/integrations/link_sharing_test.go
@ -276,7 +276,7 @@ func TestLinkSharing(t *testing.T) {
 		// Creating a project should always be forbidden
 		t.Run("Create", func(t *testing.T) {
 			t.Run("Nonexisting", func(t *testing.T) {
-				_, err := testHandlerProjectReadOnly.testCreateWithLinkShare(nil, map[string]string{"namespace": "999999"}, `{"title":"Lorem"}`)
+				_, err := testHandlerProjectReadOnly.testCreateWithLinkShare(nil, nil, `{"title":"Lorem"}`)
 				assert.Error(t, err)
 				assert.Contains(t, err.(*echo.HTTPError).Message, `Forbidden`)
 			})
--- a/pkg/models/project_rights.go
+++ b/pkg/models/project_rights.go
@ -161,7 +161,16 @@ func (p *Project) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {

 // CanCreate checks if the user can create a project
 func (p *Project) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
-	return p.CanWrite(s, a)
+	if p.ParentProjectID != 0 {
+		parent := &Project{ID: p.ParentProjectID}
+		return parent.CanWrite(s, a)
+	}
+	// Check if we're dealing with a share auth
+	_, is := a.(*LinkSharing)
+	if is {
+		return false, nil
+	}
+	return true, nil
 }

 // IsAdmin returns whether the user has admin rights on the project or not