After upgrade, can't create repo in existing org

[muellert]

Description

I have recently upgraded gitea to 1.20.2, and since then, I can't create a repo in an existing org, but immediately get a 403. The log doesn't reveal any details, even though I configured the log level to be "trace". I can create a new org and then a repo inside it, and I can create a repo inside my user folder, but not in any other org, despite my having created them all.

This is how it looks like in the logs at loglevel Trace:

2023/08/13 23:06:21 ...s/process/manager.go:188:Add() [T] Start 64d945cd-2: GET: /repo/create?org=4 (request)
2023/08/13 23:06:21 ...eb/routing/logger.go:47:func1() [T] router: started   GET /repo/create?org=4 for 4.3.2.1:0
2023/08/13 23:06:21 ...ices/auth/session.go:51:SessionUser() [T] Session Authorization: Found user[2]
2023/08/13 23:06:21 ...ices/auth/session.go:67:SessionUser() [T] Session Authorization: Logged in user <User 2:username>    
2023/08/13 23:06:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /repo/create?org=4 for 4.3.2.1:0, 403 Forbidden in 5.1ms @ repo/repo.go:149(repo.Create)
2023/08/13 23:06:21 ...s/process/manager.go:231:remove() [T] Done 64d945cd-2: GET: /repo/create?org=4

Setting RUN_MODE=dev did not have any effect, btw.

Gitea Version

1.20.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

Git Version

2.30.2

Operating System

Debian 11.7 (amd64)

How are you running Gitea?

I am running a binary that I have downloaded from dl.gitea.io and installed via my Ansible role (on.gitea).

Database

PostgreSQL

[techknowlogick]

Which version did you upgrade from? And to confirm, you can't create a repo in an existing org, but does your specifying "existing" mean that you can create a repo in a newly created org?

[muellert]

I upgraded from 1.19.3 to 1.20.2. I can't create a repo in most orgs that existed when I was running 1.19.3, but I can create an org and then create a repo inside the new org. I also can create a repo under my username, which exists since I installed gitea the first time years ago.

[lunny]

Please check your file system's permission. If you are running Gitea as git, ensure all directories/files' owner is git.

[muellert]

Hi lunny, of course, I have checked that already. The newly created org and repo had the same ownerships, only the permissions were a bit more restrictive than some of the old repos (not all). Ie, the new org and repo had 0700, while some of the old repos and orgs have 0750 or even 0755.

[muellert]

I just upgraded to 1.20.3, and the problem persists.

[muellert]

Hi, why is there still a tag "needs feedback"? What else do you need, please? Is there maybe a way to up the log level enough to actually see what's going wrong? Because so far, I didn't find anything.

[CaiCandong]

Do you have a way for me to reproduce this issue? I checked the code, and it's possible to throw a 403 here. Maybe you should confirm if you have permission to create the repository.

gitea/routers/web/repo/repo.go

Lines 116 to 126 in f6e7798

	if !org.IsOrganization() {
	ctx.Error(http.StatusForbidden)
	return nil
	}
	if !ctx.Doer.IsAdmin {
	canCreate, err := organization.OrgFromUser(org).CanCreateOrgRepo(ctx.Doer.ID)
	if err != nil {
	ctx.ServerError("CanCreateOrgRepo", err)
	return nil
	} else if !canCreate {
	ctx.Error(http.StatusForbidden)

[eeyrjmr]

Is this a duplicate of this bug?
#18273

[muellert]

Is this a duplicate of this bug? #18273

I don't think so - I am the owner of the entire gitea instance and almost everything in it, and I can create new orgs and repos inside those new orgs. I just can't create repos inside old orgs which I have created before the upgrade, despite being an owner of that org.

[muellert]

Do you have a way for me to reproduce this issue? I checked the code, and it's possible to throw a 403 here. Maybe you should confirm if you have permission to create the repository.

gitea/routers/web/repo/repo.go

Lines 116 to 126 in f6e7798

	if !org.IsOrganization() {
	ctx.Error(http.StatusForbidden)
	return nil
	}
	if !ctx.Doer.IsAdmin {
	canCreate, err := organization.OrgFromUser(org).CanCreateOrgRepo(ctx.Doer.ID)
	if err != nil {
	ctx.ServerError("CanCreateOrgRepo", err)
	return nil
	} else if !canCreate {
	ctx.Error(http.StatusForbidden)

I haven't tried this, yet, but one could set up a new gitea instance with an old version, create an org, create a repo inside the org, then upgrade and see whether you can create another repo inside that org. If that works, then my data should be somehow corrupted. If not, then you are seeing the same, or a similar, problem like I do.

[eeyrjmr]

Is this a duplicate of this bug? #18273

I don't think so - I am the owner of the entire gitea instance and almost everything in it, and I can create new orgs and repos inside those new orgs. I just can't create repos inside old orgs which I have created before the upgrade, despite being an owner of that org.

Sorry, wrong issue. Its this one: #20643

Could you try the recommended workaround.

Once you updated 1.17.1, edit the team information then this team's permission should be recovered.

[muellert]

Clicking the "Update Settings" button did nothing for me, but updating the table in the database by hand worked. Thank you!

It would be great if it would "just work", though, and I have no idea how I had arrived in a situation where I could not create repos in orgs I own.

[wxiaoguang]

It should be this bug (and workaround)

• accepting or rejecting transfer to organization is disabled even when the user is the owner of repo and organization #26491 (comment)

There is a fix (a doctor sub fix):

• Add fix incorrect can_create_org_repo for org owner team #26683
• The fix has been backported to 1.20.4 (1.20 nightly)

[wxiaoguang]

1.20.4 has been released, you could use the doctor command to fix the legacy data. Or just use the workaround.

[muellert]

Hi, I have used the workaround almost immediately after I discovered it. But thank you for fixing this, anyway!