Organizations: compromise team read access by another team with write access

[imolein]

• Gitea version (or commit ref): 1.3.1
• Git version: 2.7.4
• Operating system: Ubuntu 16.04.3
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (https://try.gitea.io/imo-org)
  • No
  • Not relevant
• Log gist:

Description

Steps, how I noticed this:

• Create an organization and an organization repository
• Create team, with read access on code, issues, pull requests and releases and add a user to it
• The user now has read access on repository, as defined
• Now create a second team with only write access on wiki and add the same user as in the previous created team
• Now the member has write rights on the whole repository

My intention was to create a team which has read access on code, issues, pull requests and releases and write access on wiki, but I noticed I can't do this in one team, so I thought teams are more like access roles and I can define multiple, with different rights and add the users to all of this teams (am I wrong on this?). So I do the steps as described above and found this weird behavior.
Even if I understand the rights management completely wrong, it shouldn't be possible to compromise the rights of one team, by creating another one with the same member, especially not when team one gives access to different parts of the repository as team two.

[lafriks]

Yes it's current limitation for our right system. Permissions and units are not directly related. Permissions are for repository not for units selected below. Units allow to disable/enable parts of repository.

[lunny]

@lafriks but we in fact could do that. Maybe need a PR.

[lafriks]

@lunny yes we can :)

[terrywh]

are there any news on this ? is this related to #5308 / #5307 ?

[lunny]

should be fixed by #5314

[lunny]

Please feel free to reopen.