permissions checking too late for "add repo"

Issue #162 invalid
Thomas Waldmann created an issue

if you are a user without permission to create a repo and you click on "add repo", it'll show the form and you can fill in the details for repo creation.

but if you submit, it'll show 403 forbidden, because you're not allowed to create repos. this should be shown earlier, instead of the form.

the check for the POST of course still needs to be done.

Comments (2)

  1. Marcin Kuzminski repo owner

    I think the issue was cache involved there's 5s cache for such settings, and i think you revoke permission and wen't directly to add form, which expired during those 5s, and then on submit it return proper 403, if add reository permission is revoked, the button, and the form should be not available to users.

  2. Log in to comment