From 0ae8d33c761c4a948a9b136cfca76f581dc9280c Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 03 2015 11:35:15 +0000
Subject: Only people with access to the project can add/remove API token
---
diff --git a/pagure/ui/repo.py b/pagure/ui/repo.py
index b47307d..c55bea8 100644
--- a/pagure/ui/repo.py
+++ b/pagure/ui/repo.py
@@ -1049,6 +1049,11 @@ def add_token(repo, username=None):
     if not repo:
         flask.abort(404, 'Project not found')
 
+    if not is_repo_admin(repo):
+        flask.abort(
+            403,
+            'You are not allowed to change the settings for this project')
+
     acls = pagure.lib.get_acls(SESSION)
     form = pagure.forms.NewTokenForm(acls=acls)
 
@@ -1096,6 +1101,11 @@ def revoke_api_token(repo, token_id, username=None):
     if not repo:
         flask.abort(404, 'Project not found')
 
+    if not is_repo_admin(repo):
+        flask.abort(
+            403,
+            'You are not allowed to change the settings for this project')
+
     token = pagure.lib.get_api_token(SESSION, token_id)
     if not token \
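Review bot: The `is_repo_admin(repo)` gate added after the 404 in `add_token` is repeated verbatim in the `revoke_api_token` hunk, so a token endpoint added later can silently miss it; a small helper such as `def _abort_unless_repo_admin(repo):` wrapping the `if not is_repo_admin(repo): flask.abort(403, ...)` pair, called from both views, keeps the authorization check in one place. The enclosing view functions start outside the hunks, so whether a login-required decorator precedes them (which `is_repo_admin` presumably relies on for the current user) cannot be confirmed here. The `revoke_api_token` hunk also ends before the fetched token is compared with `repo`; it is worth confirming that a `token_id` belonging to a different project is rejected rather than revoked, since the admin check alone does not tie the token to this project.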