From 009f467902bed56b3406a5593b94cb23cd1504fd Mon Sep 17 00:00:00 2001
From: boxbeam
Date: Mon, 12 Feb 2024 12:49:30 -0500
Subject: [PATCH] fix(webserver): Check admin permissions for mutating repositories (#1442)
---
 ee/tabby-webserver/src/schema/mod.rs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/ee/tabby-webserver/src/schema/mod.rs b/ee/tabby-webserver/src/schema/mod.rs
index d4646432feda..40c680fa9a87 100644
--- a/ee/tabby-webserver/src/schema/mod.rs
+++ b/ee/tabby-webserver/src/schema/mod.rs
@@ -28,7 +28,7 @@ use worker::{Worker, WorkerService};
 use self::{
 auth::UpdateOAuthCredentialInput,
 email::{EmailService, EmailSetting, EmailSettingInput},
- repository::{RepositoryError, RepositoryService},
+ repository::RepositoryService,
 setting::{
 NetworkSetting, NetworkSettingInput, SecuritySetting, SecuritySettingInput, SettingService,
 },
@@ -351,18 +351,18 @@ impl Mutation {
 Ok(invitation.id)
 }
 
- async fn create_repository(
- ctx: &Context,
- name: String,
- git_url: String,
- ) -> Result {
- ctx.locator
+ async fn create_repository(ctx: &Context, name: String, git_url: String) -> Result {
+ check_admin(ctx)?;
+ Ok(ctx
+ .locator
 .repository()
 .create_repository(name, git_url)
 .await
+ .map_err(anyhow::Error::from)?)
 }
 
 async fn delete_repository(ctx: &Context, id: ID) -> Result {
+ check_admin(ctx)?;
 Ok(ctx.locator.repository().delete_repository(&id).await?)
 }
 
@@ -372,6 +372,7 @@ impl Mutation {
 name: String,
 git_url: String,
 ) -> Result {
+ check_admin(ctx)?;
 Ok(ctx
 .locator
 .repository()
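Review bot: Nothing in this commit pins the new authorization behaviour: the diffstat lists only schema/mod.rs, so `create_repository` and `delete_repository` here (and `update_repository` in the following hunk, whose signature and tail lie outside it) gain `check_admin(ctx)?` with no test that a non-admin caller is rejected. Since the guard is a hand-written line per resolver, it is easy to omit on the next mutation; a regression test that calls each of the three mutations with a non-admin context and asserts an error would catch that. I would also put a short comment above each guard, for example `// Authorization: admin only; keep this first so no repository call runs for other users.` Separately, `create_repository` drops `RepositoryError` from its return type and converts with `.map_err(anyhow::Error::from)?`; if that error carried validation detail for `name` or `git_url` that clients relied on, confirm it is still surfaced after the conversion.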