From a2c50cbe38716db0a9d6aa1c495b1063c348d8be Mon Sep 17 00:00:00 2001
From: Anton Ignatov
Date: Tue, 20 Aug 2019 15:08:53 +0200
Subject: [PATCH 1/2] Add new permission check for share button
---
app/permissions/repository.rb | 5 +++++
app/views/repositories/show.html.erb | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb
index 361c2f863..d67b62749 100644
--- a/app/permissions/repository.rb
+++ b/app/permissions/repository.rb
@@ -13,6 +13,11 @@ Canaid::Permissions.register_for(Repository) do
 user.is_admin_of_team?(repository.team)
 end
 
+ # repository: share
+ can :share_repository do |user, repository|
+ user.is_admin_of_team?(repository.team)
+ end
+
 # repository: create/import record
 can :create_repository_rows do |user, repository|
 if user.teams.include?(repository.team)
diff --git a/app/views/repositories/show.html.erb b/app/views/repositories/show.html.erb
index 7205fd0f6..e5ff5ba48 100644
--- a/app/views/repositories/show.html.erb
+++ b/app/views/repositories/show.html.erb
@@ -36,7 +36,7 @@
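Review bot: The new `can :share_repository` block has exactly the same body as the rule whose tail (`user.is_admin_of_team?(repository.team)` / `end`) is the context just above it, so nothing records why sharing is a separate permission and the two rules can drift apart unnoticed. A one-line comment above the block would carry that intent, e.g. `# Kept separate from :manage_repository so sharing can later be granted on its own; today both require admin of the owning team.` The rule is evaluated against `repository.team`, which appears to be the owning team; if repositories can be shared with other teams, admins of a receiving team will not pass this check, so confirm that is the intended policy. The `Canaid::Permissions.register_for(Repository) do` block continues outside the hunk.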
- <% if can_manage_repository?(@repository) %>
+ <% if can_share_repository?(@repository) %>
 <%= link_to team_repository_share_modal_path(current_team, repository_id: @repository), class: 'btn btn-default share-repo-option', remote: true, id: 'shareRepoBtn' do %>
From ed8ef7aa8f1450ee882f593bc87e494695249599 Mon Sep 17 00:00:00 2001
From: Anton Ignatov
Date: Tue, 20 Aug 2019 16:07:22 +0200
Subject: [PATCH 2/2] Fix permission check;
---
app/controllers/repositories_controller.rb | 7 ++++++-
app/controllers/team_repositories_controller.rb | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 57cd235a0..5152867c6 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -9,7 +9,8 @@ class RepositoriesController < ApplicationController
 before_action :check_view_all_permissions, only: :index
 before_action :check_view_permissions, only: %i(export_repository show)
 before_action :check_manage_permissions, only:
- %i(destroy destroy_modal rename_modal update share_modal)
+ %i(destroy destroy_modal rename_modal update)
+ before_action :check_share_permissions, only: :share_modal
 before_action :check_create_permissions, only:
 %i(create_modal create copy_modal copy)
 before_action :set_inline_name_editing, only: %i(show)
@@ -345,6 +346,10 @@ class RepositoriesController < ApplicationController
 render_403 unless can_manage_repository?(@repository)
 end
 
+ def check_share_permissions
+ render_403 unless can_share_repository?(@repository)
+ end
+
 def repository_params
 params.require(:repository).permit(:name)
 end
diff --git a/app/controllers/team_repositories_controller.rb b/app/controllers/team_repositories_controller.rb
index 229b67a74..12de39340 100644
--- a/app/controllers/team_repositories_controller.rb
+++ b/app/controllers/team_repositories_controller.rb
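Review bot: The gate `can_share_repository?(@repository)` is evaluated on `@repository` while the link it guards is built from `current_team` (`team_repository_share_modal_path(current_team, repository_id: @repository)`), so the two only agree if `@repository` is always loaded within `current_team`; that loading is not in the hunk, so confirm it against the controller. Hiding the button is a usability measure rather than the authorization boundary; the server-side check for `share_modal` is what must hold, and it is adjusted in the second patch on this page. The `<% if %>` block's `end` is outside the hunk.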
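Review bot: `before_action :check_share_permissions, only: :share_modal` relies on `@repository` already being assigned by an earlier filter, and the filter that loads it is not in the hunk; confirm it is declared above this line, since a nil `@repository` would not yield the intended 403. A short comment on the new line would explain why `share_modal` left the `check_manage_permissions` list, e.g. `# share_modal has its own permission so sharing can be granted independently of management`.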
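Review bot: `check_share_permissions` mirrors `check_manage_permissions` directly above it, and because `:share_repository` currently carries the same rule as manage, this patch changes no observable behavior; a controller test asserting that a non-admin team member receives 403 from `share_modal` would pin that boundary before the two rules diverge. A brief comment would also help a later audit, e.g. `# Renders 403 unless the current user may share @repository (rule in app/permissions/repository.rb).` The method appears to sit in the controller's private section, which the hunk does not show; confirm it is below `private` so it is not routable.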
@@ -70,7 +70,7 @@ class TeamRepositoriesController < ApplicationController
 end
 
 def check_sharing_permissions
- render_403 unless can_manage_repository?(@repository)
+ render_403 unless can_share_repository?(@repository)
 end
 
 def teams_to_share
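Review bot: The helper here is named `check_sharing_permissions` while RepositoriesController names its counterpart `check_share_permissions`; both now enforce the same `can_share_repository?` rule, so aligning the names, or adding a comment pointing at the other, would make a future audit of share authorization easier. `@repository` is assumed to be set by an earlier filter outside the hunk; confirm that filter runs before this check for every action it guards. The enclosing class continues outside the hunk.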