fix: replace all ctx.Org.IsOwner with proper IsOwnedBy method

The APIOrganization type doesn't have an IsOwner field. All ownership checks must use ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID) to properly verify organizational ownership in API context. Signed-off-by: SBALAVIGNESH123 <balavignesh449@gmail.com>
2025-12-10 00:27:03 +07:00 · 2025-12-10 00:27:03 +07:00 · e491cebc1c
parent 5ef7c05005
commit e491cebc1c
1 changed files with 18 additions and 3 deletions
--- a/routers/api/v1/org/org_actions_permissions.go
+++ b/routers/api/v1/org/org_actions_permissions.go
@ -160,7 +160,12 @@ func ListCrossRepoAccess(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/CrossRepoAccessList"

-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}
@ -209,7 +214,12 @@ func AddCrossRepoAccess(ctx *context.APIContext) {
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}
@ -264,7 +274,12 @@ func DeleteCrossRepoAccess(ctx *context.APIContext) {
 	//   "403":
 	//     "$ref": "#/responses/forbidden"

-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}