
routes/api: fix permission checks for routes

Reported by @ManassehZhou #5764
unknwon 5 years ago
parent
commit
c3af3ff1d0
1 changed files with 14 additions and 5 deletions
  1. 14 5
      routes/api/v1/api.go

+ 14 - 5
routes/api/v1/api.go

@@ -112,6 +112,15 @@ func reqRepoWriter() macaron.Handler {
 	}
 }
 
+func reqRepoAdmin() macaron.Handler {
+	return func(c *context.Context) {
+		if !c.Repo.IsAdmin() {
+			c.Error(http.StatusForbidden)
+			return
+		}
+	}
+}
+
 func orgAssignment(args ...bool) macaron.Handler {
 	var (
 		assignOrg  bool
@@ -236,12 +245,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 						Post(bind(api.CreateHookOption{}), repo.CreateHook)
 					m.Combo("/:id").Patch(bind(api.EditHookOption{}), repo.EditHook).
 						Delete(repo.DeleteHook)
-				}, reqAdmin())
+				}, reqRepoAdmin())
 				m.Group("/collaborators", func() {
 					m.Get("", repo.ListCollaborators)
 					m.Combo("/:collaborator").Get(repo.IsCollaborator).Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
 						Delete(repo.DeleteCollaborator)
-				}, reqAdmin())
+				}, reqRepoAdmin())
 				m.Get("/raw/*", context.RepoRef(), repo.GetRawFile)
 				m.Get("/archive/*", repo.GetArchive)
 				m.Get("/forks", repo.ListForks)
@@ -260,7 +269,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
 					m.Combo("/:id").Get(repo.GetDeployKey).
 						Delete(repo.DeleteDeploykey)
-				}, reqAdmin())
+				}, reqRepoAdmin())
 				m.Group("/issues", func() {
 					m.Combo("").Get(repo.ListIssues).Post(bind(api.CreateIssueOption{}), repo.CreateIssue)
 					m.Group("/comments", func() {
@@ -300,8 +309,8 @@ func RegisterRoutes(m *macaron.Macaron) {
 						Delete(reqRepoWriter(), repo.DeleteMilestone)
 				})
 
-				m.Patch("/issue-tracker", bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
-				m.Post("/mirror-sync", repo.MirrorSync)
+				m.Patch("/issue-tracker", reqRepoWriter(), bind(api.EditIssueTrackerOption{}), repo.IssueTracker)
+				m.Post("/mirror-sync", reqRepoWriter(), repo.MirrorSync)
 				m.Get("/editorconfig/:filename", context.RepoRef(), repo.GetEditorconfig)
 			}, repoAssignment())
 		}, reqToken())
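Review bot: reqRepoAdmin in the first hunk (routes/api/v1/api.go, lines 112-120 on the new side) is a new permission middleware with no doc comment, and its correctness depends on middleware order: c.Repo.IsAdmin() only means something if repoAssignment() has already populated c.Repo, which presumably happens because every new mount site sits inside the group closed by `}, repoAssignment())` in the last hunk. I would state that contract where the handler is defined: `// reqRepoAdmin responds 403 Forbidden unless the current user is an administrator of the repository resolved by repoAssignment(). It must only be mounted inside a group that runs repoAssignment() first.` The same ordering note applies to the three `reqRepoAdmin()` swaps in the second and third hunks and the two `reqRepoWriter()` additions in the last hunk; as this commit replaces a site-wide admin check with a per-repository one on hooks, collaborators and deploy keys, a reader will want to know which object the check is scoped to. The diffstat shows only api.go changed, so no test pins the new 403 behaviour for a non-admin collaborator on these routes; a route-level test covering `/collaborators` and `/keys` would catch a future regression of this fix. RegisterRoutes begins outside the visible hunks.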