UI preventing org repo creation as well if user org limit is reached

[DrMaxNix]

Scenario

• On our instance we have MAX_CREATION_LIMIT = 0 to prevent random new users from spamming our instance
• There is an org which has a few members, which is being used for a collaborative project. These members should only be able to create repos inside this org, but not under their user account.
• Users have been put into a team Dev which has Create repositories enabled

Problem

• On the repo create page, the submit button Create Repository is disabled in case CanCreateRepo == false:

  gitea/templates/repo/create.tmpl

  Line 212 in 5c91d79

  <button class="ui primary button{{if not .CanCreateRepo}} disabled{{end}}">

• CanCreateRepo checks whether the user already has too many personal repos:

  gitea/models/user/user.go

  Lines 240 to 251 in 5c91d79

  	func (u *User) CanCreateRepo() bool {
  	if u.IsAdmin {
  	return true
  	}
  	if u.MaxRepoCreation <= -1 {
  	if setting.Repository.MaxCreationLimit <= -1 {
  	return true
  	}
  	return u.NumRepos < setting.Repository.MaxCreationLimit
  	}
  	return u.NumRepos < u.MaxRepoCreation
  	}

• But the submit button will be disabled for all available repo owners; Personal and also Orgs!
• This means the UI will not allow users to create org repos even though they have the Create repositories permission in their org!
• EDIT: This problem also affects repos which are created from migrations (this however is a backend issue!)

Solutions

• This is only a UI bug, the backend validation works as expected (I have tested this by removing the previously mentioned disable check from the template to force the button to be always enabled)
• The CanCreateRepo value should only influence creation of a personal repo
• Repo limit of the org is only checked after the form is submitted, this would be a good quick-fix for this issue (removing the disabled button check and the error banner from the template)
• For a long term solution we could hide the personal user account in the owners list the same way orgs are hidden when their limit is reached. This would make the disabled submit button and the banner completely obsolete, as the user is forced to select an owner that is allowed to have more repos created

Note that I was not able to reproduce the issue on the demo instance, because there is no repo count limit and also it seems like you can't create orgs there..

Screenshots

Trying to create a new repo testrepo45 under testorg organization, note the banner telling me there is a limit:

Submit button is disabled:

Repo create works anyway when enabling the submit button by hand:

Gitea Version

v1.21.9

[a1012112796]

I has try fix it in #15924, but sadly looks no one think it's a bug :( . maybe need a beter design about how to limit repository number for org. or repo number limit will looks meaningless if all user can create orgs.

[DrMaxNix]

This is definitely a bug! The validation on the frontend does not match the validation in the backend!
If the behaviour of the ui is actually wanted (which would be really weird), the backend validation would be wrong, which would not only still be a bug, but also a security problem!!!

[DrMaxNix]

Partially fixed by #34030, Migrations still affected

[wxiaoguang]

Yes, it is a bug, and thank you very much for finding the fix!

ps; although #15924 was also proposed, but it is incomplete and didn't persuade others to really understand the problem ......