[API] Disallow changing the name of a repository record (by non-admin users)
Currently, a regular user can rename a repository, but the new name will resolve to a new empty repository: the content of the existing repository does not move with the name (but you can go back to the old content by renaming the repository record again).
The short-term fix is to disallow changing the name attribute of a repository unless current_user.andand.is_admin.
The longer-term fix is #4253.
#9 Updated by Radhika Chippada almost 6 years ago
- Subject changed from [API] Disallow changing the name of a repository record to [API] Disallow changing the name of a repository record (by non-admin users)
- Status changed from In Progress to Resolved
Both API and Workbench already disallow a non-admin user from changing a repository name.
- API: repository.rb -> permission_to_update method allows only an admin user to update a repository. A unit test "active user cannot change repo name via can_manage permission" exists in api/test/unit/permission_test.rb.
- Workbench: Workbench hides the "Attributes" tab from non-admin users. In addition, repository.rb -> editable_attributes returns an empty array for non-admin users and allows only admin users to update the object.
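
The short-term fix described in this issue, as an added plain-Ruby sketch; it is not Arvados code. `User`, `RepositoryRecord` and all method bodies are hypothetical stand-ins that borrow only the method names mentioned above, and the point shown is that the rename is rejected in the model even when the client submits the attribute directly.

```ruby
# Hypothetical stand-ins for illustration; not the Arvados classes.
User = Struct.new(:uuid, :is_admin)

class RepositoryRecord
  attr_reader :name, :owner_uuid, :errors

  def initialize(name:, owner_uuid:)
    @name = name
    @owner_uuid = owner_uuid
    @errors = []
  end

  # What a UI may offer for editing. Hiding fields is a convenience only;
  # the enforcement is in permission_to_update below.
  def editable_attributes(user)
    user&.is_admin ? %i[name owner_uuid] : []
  end

  # Server-side check, evaluated on every update no matter what the
  # client displayed or which attributes it chose to send.
  def permission_to_update(user, changes)
    return false if user.nil?
    return true if user.is_admin
    if changes.key?(:name) && changes[:name] != @name
      @errors << "name cannot be changed by a non-admin user"
      return false
    end
    # Assumption: a non-admin may still update a record they own.
    user.uuid == @owner_uuid
  end

  # Applies the changes only after the permission check passes.
  def update(user, changes)
    @errors = []
    return false unless permission_to_update(user, changes)
    @name = changes[:name] if changes.key?(:name)
    @owner_uuid = changes[:owner_uuid] if changes.key?(:owner_uuid)
    true
  end
end
```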