From 47531417e95e7cdfda1f4e73b0630fd5560062ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?=
 =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= <i.am.the.tablet@proton.me>
Date: Wed, 13 Aug 2025 16:17:12 -0400
Subject: [PATCH] add ownership check when moving repository to a new group

---
 services/group/group.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/services/group/group.go b/services/group/group.go
index e26a86f7ed..128c208a31 100644
--- a/services/group/group.go
+++ b/services/group/group.go
@@ -44,6 +44,15 @@ func NewGroup(ctx context.Context, g *group_model.Group) (err error) {
 
 func MoveRepositoryToGroup(ctx context.Context, repo *repo_model.Repository, newGroupID int64, groupSortOrder int) error {
 	sess := db.GetEngine(ctx)
+	if newGroupID > 0 {
+		newGroup, err := group_model.GetGroupByID(ctx, newGroupID)
+		if err != nil {
+			return err
+		}
+		if newGroup.OwnerID != repo.OwnerID {
+			return fmt.Errorf("repo[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", repo.ID, newGroup.ID)
+		}
+	}
 	repo.GroupID = newGroupID
 	repo.GroupSortOrder = groupSortOrder
 	cnt, err := sess.