refactor(org): simplify owner-team org repo creation logic (#37727)

This change cleans up org repo-creation authorization by making owner-team membership sufficient regardless of `can_create_org_repo`, and removes the now-obsolete doctor fix for owner teams. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
2026-05-18 03:38:01 +02:00 · 2026-05-16 14:26:33 +08:00 · 2026-05-16 14:26:33 +08:00 · 3607516ce2
commit 3607516ce2
parent 7e54514316
3 changed files with 18 additions and 62 deletions
--- a/models/organization/org_test.go
+++ b/models/organization/org_test.go
@ -456,6 +456,22 @@ func TestGetUsersWhoCanCreateOrgRepo(t *testing.T) {
 	assert.NotNil(t, users[5])
 }

+func TestCanCreateOrgRepoByOwnerTeamWithoutFlag(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	ownerTeam, err := org.GetOwnerTeam(t.Context())
+	require.NoError(t, err)
+
+	ownerTeam.CanCreateOrgRepo = false
+	_, err = db.GetEngine(t.Context()).ID(ownerTeam.ID).Cols("can_create_org_repo").Update(ownerTeam)
+	require.NoError(t, err)
+
+	ok, err := organization.CanCreateOrgRepo(t.Context(), org.ID, 2)
+	require.NoError(t, err)
+	assert.True(t, ok)
+}
+
 func TestUser_RemoveOrgRepo(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
--- a/models/organization/org_user.go
+++ b/models/organization/org_user.go
@ -8,6 +8,7 @@ import (
 	"fmt"

 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"

@ -104,7 +105,7 @@ func IsPublicMembership(ctx context.Context, orgID, uid int64) (bool, error) {
 // CanCreateOrgRepo returns true if user can create repo in organization
 func CanCreateOrgRepo(ctx context.Context, orgID, uid int64) (bool, error) {
 	return db.GetEngine(ctx).
-		Where(builder.Eq{"team.can_create_org_repo": true}).
+		Where(builder.Eq{"team.can_create_org_repo": true}.Or(builder.Eq{"team.authorize": perm.AccessModeOwner})).
 		Join("INNER", "team_user", "team_user.team_id = team.id").
 		And("team_user.uid = ?", uid).
 		And("team_user.org_id = ?", orgID).
--- a/services/doctor/fix8312.go
+++ b/services/doctor/fix8312.go
@ -1,61 +0,0 @@
-// Copyright 2023 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package doctor
-
-import (
-	"context"
-
-	"code.gitea.io/gitea/models/db"
-	org_model "code.gitea.io/gitea/models/organization"
-	"code.gitea.io/gitea/models/perm"
-	"code.gitea.io/gitea/modules/log"
-	org_service "code.gitea.io/gitea/services/org"
-
-	"xorm.io/builder"
-)
-
-func fixOwnerTeamCreateOrgRepo(ctx context.Context, logger log.Logger, autofix bool) error {
-	count := 0
-
-	err := db.Iterate(
-		ctx,
-		builder.Eq{"authorize": perm.AccessModeOwner, "can_create_org_repo": false},
-		func(ctx context.Context, team *org_model.Team) error {
-			team.CanCreateOrgRepo = true
-			count++
-
-			if !autofix {
-				return nil
-			}
-
-			return org_service.UpdateTeam(ctx, team, false, false)
-		},
-	)
-	if err != nil {
-		logger.Critical("Unable to iterate across repounits to fix incorrect can_create_org_repo: Error %v", err)
-		return err
-	}
-
-	if !autofix {
-		if count == 0 {
-			logger.Info("Found no team with incorrect can_create_org_repo")
-		} else {
-			logger.Warn("Found %d teams with incorrect can_create_org_repo", count)
-		}
-		return nil
-	}
-	logger.Info("Fixed %d teams with incorrect can_create_org_repo", count)
-
-	return nil
-}
-
-func init() {
-	Register(&Check{
-		Title:     "Check for incorrect can_create_org_repo for org owner teams",
-		Name:      "fix-owner-team-create-org-repo",
-		IsDefault: false,
-		Run:       fixOwnerTeamCreateOrgRepo,
-		Priority:  7,
-	})
-}