fix: replace all ctx.Org.IsOwner with proper IsOwnedBy method

SBALAVIGNESH123 · SBALAVIGNESH123 · commit fc3ef1fa6f38 · 2025-12-10T00:27:03.000+05:30
The APIOrganization type doesn't have an IsOwner field. All ownership checks must use ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID) to properly verify organizational ownership in API context.
diff --git a/routers/api/v1/org/org_actions_permissions.go b/routers/api/v1/org/org_actions_permissions.go
@@ -160,7 +160,12 @@ func ListCrossRepoAccess(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/CrossRepoAccessList"
 
-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}
@@ -209,7 +214,12 @@ func AddCrossRepoAccess(ctx *context.APIContext) {
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
 
-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}
@@ -264,7 +274,12 @@ func DeleteCrossRepoAccess(ctx *context.APIContext) {
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
 
-	if !ctx.Org.IsOwner {
+	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+	if !isOwner {
 		ctx.APIError(http.StatusForbidden, "Organization owner access required")
 		return
 	}
