Description
- Gitea version (or commit ref): b1ad573
- Git version: any
- Operating system: any
- Database (use
[x]): any - Can you reproduce the bug at https://try.gitea.io:
- Yes (provide example URL) https://try.gitea.io/test/frame-test
- No
- Not relevant
- Log gist:
Description
User can easily frame another user. How to reproduce:
- Create new repo.
- Configure local git to use victim's name/email.
- Add to this repo something illegal in victim's country (or something agressive about other group of people or just smething very shameful).
- Transfer ownership of repo to victim.
- Call the police (or press, victim's boss, victim's wife or anyone else who will hate victim for publishing such information).
From (2) there is no protection, because it's how git itself works (it allows unsigned commits by design).
But from (4) there should be some kind of protection. For example, on Github anyone cannot simply transfer repo ownership to anyone, new owner should confirm this transfer.
Between user/org, user should be able to transfer repo without confirmation if he has admin rights in this org. If transferring repo to another org, any org admin should be able to confirm this transfer. If transferring repo to another user, another user should confirm transfer. And actual transfer must be performed after confirmation. And if user has admin rights, he probably should be able to transfer repo without confirmation (as he implicitly has all privileges on server).
Upd: additionally, when transfer is pending and waiting for user confirmation, new repo owner should have temporary read access to repo if it's private - to make him able to investigate this repo content before accepting/rejecting transfer.
Screenshot
How it looks on Github:
