go-gitea · lunny · Apr 2, 2026 · Mar 23, 2026 · Mar 23, 2026 · Apr 1, 2026
diff --git a/routers/api/v1/repo/fork.go b/routers/api/v1/repo/fork.go
@@ -141,6 +141,15 @@ func CreateFork(ctx *context.APIContext) {
 				ctx.APIError(http.StatusForbidden, fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))
 				return
 			}
+
+			canCreate, err := org.CanCreateOrgRepo(ctx, ctx.Doer.ID)
+			if err != nil {
+				ctx.APIErrorInternal(err)
+				return
+			} else if !canCreate {
+				ctx.APIError(http.StatusForbidden, "User is not allowed to create repositories in this organization.")
+				return
+			}
 		}
 		forker = org.AsUser()
 	}

diff --git a/tests/integration/api_fork_test.go b/tests/integration/api_fork_test.go
@@ -25,6 +25,23 @@ func TestCreateForkNoLogin(t *testing.T) {
 	MakeRequest(t, req, http.StatusUnauthorized)
 }
 
+func TestCreateForkOrgNoCreatePermission(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	user4Sess := loginUser(t, "user4")
+	org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3})
+
+	canCreate, err := org_model.OrgFromUser(org).CanCreateOrgRepo(t.Context(), 4)
+	assert.NoError(t, err)
+	assert.False(t, canCreate)
+
+	user4Token := getTokenForLoggedInUser(t, user4Sess, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteOrganization)
+	req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/forks", &api.CreateForkOption{
+		Organization: &org.Name,
+	}).AddTokenAuth(user4Token)
+	MakeRequest(t, req, http.StatusForbidden)
+}
+
 func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()