From 3aabd1b1f99e4a313e39c3526f182e8171f040c8 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Sat, 30 May 2026 23:18:31 -0500
Subject: [PATCH] feat(permissions): only site admins can delete license packages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Delete button only visible to site admins (super admins)
- Delete handler checks ctx.IsUserSiteAdmin() and returns 404 otherwise
- Repo admins can still create, edit, revoke — but not delete
- IsSiteAdmin set in both repo and org context data
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 routers/web/org/licenses.go | 1 +
 routers/web/repo/licenses.go | 6 +++++-
 services/context/repo.go | 1 +
 templates/repo/licenses.tmpl | 4 +++-
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/routers/web/org/licenses.go b/routers/web/org/licenses.go
index fda53795e4..3587b66620 100644
--- a/routers/web/org/licenses.go
+++ b/routers/web/org/licenses.go
@@ -67,6 +67,7 @@ func Licenses(ctx *context.Context) {
 }
 ctx.Data["LicenseKeys"] = keys
 ctx.Data["IsRepoAdmin"] = ctx.Org.IsOwner
+ ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
 ctx.HTML(http.StatusOK, tplOrgLicenses)
 }
diff --git a/routers/web/repo/licenses.go b/routers/web/repo/licenses.go
index b08499e99b..8a36f9de3a 100644
--- a/routers/web/repo/licenses.go
+++ b/routers/web/repo/licenses.go
@@ -225,8 +225,12 @@ func LicensesEditPackagePost(ctx *context.Context) {
 ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
 }
-// LicensesDeletePackage deletes a license package.
+// LicensesDeletePackage deletes a license package. Site admin only.
 func LicensesDeletePackage(ctx *context.Context) {
+ if !ctx.IsUserSiteAdmin() {
+ ctx.NotFound(nil)
+ return
+ }
 pkgID := ctx.PathParamInt64("id")
 if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
 ctx.ServerError("DeleteLicensePackage", err)
diff --git a/services/context/repo.go b/services/context/repo.go
index 46c587e696..a7079af052 100644
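Review bot: `IsSiteAdmin` is set for the org licenses page in `Licenses`, but the diffstat lists only `templates/repo/licenses.tmpl`, so whatever `tplOrgLicenses` renders is not changed by this commit. If that template shows a delete control gated on `IsRepoAdmin`, org owners would presumably still see a button that the new handler check answers with 404; and if the org page posts to a delete route of its own, that route is not gated here. The org template and any org-side delete handler should be checked and wrapped in `{{if $.IsSiteAdmin}}` / `ctx.IsUserSiteAdmin()` in the same way. The same `IsSiteAdmin` assignment in `repoAssignmentPrepareTemplateData` (`services/context/repo.go`) only hides the button, so enforcement has to stay in the handlers.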
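Review bot: The site-admin gate added at the top of `LicensesDeletePackage` is the only enforcement of the new rule, and the commit ships it without a test; the diffstat touches two handlers, the context file and one template. A handler test that calls the route as a repo admin and expects 404, and as a site admin and expects the delete to go through, would keep a later route refactor from dropping the check unnoticed. Below the gate, `pkgID` still comes straight from the path and goes to `licenses.DeleteLicensePackage(ctx, pkgID)` with no visible check that the package belongs to `ctx.Repo`; if the service function does not scope by repository, load the package first and return `ctx.NotFound(nil)` when it is not this repository's. Since deletion is now a privileged, destructive action, an audit log entry naming the acting user and the package ID on success would help later investigation. The function body continues past the end of the hunk.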
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -613,6 +613,7 @@ func repoAssignmentPrepareTemplateData(ctx *Context, data *repoAssignmentPrepare
 ctx.Data["NumLicensePackages"] = numLicensePackages
 ctx.Data["EnableLicenses"] = numLicensePackages > 0
 ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+ ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
 // Load repo update config for platform-aware UI.
 repoUpdateCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
diff --git a/templates/repo/licenses.tmpl b/templates/repo/licenses.tmpl
index 5f66a0eef0..4fd62a88eb 100644
--- a/templates/repo/licenses.tmpl
+++ b/templates/repo/licenses.tmpl
@@ -56,12 +56,14 @@ {{svg "octicon-pencil" 14}} -
+ {{if $.IsSiteAdmin}} + {{$.CsrfTokenHtml}}
+ {{end}} {{end}}