fix units permission problems

models/repo.go

@@ -191,8 +191,9 @@ type Repository struct {
  IsMirror bool `xorm:"INDEX"`
  *Mirror `xorm:"-"`
 
- ExternalMetas map[string]string `xorm:"-"`
- Units []*RepoUnit `xorm:"-"`
+ ExternalMetas map[string]string `xorm:"-"`
+ Units []*RepoUnit `xorm:"-"`
+ UnitsMode map[UnitType]AccessMode `xorm:"-"`
 
  IsFork bool `xorm:"INDEX NOT NULL DEFAULT false"`
  ForkID int64 `xorm:"INDEX"`
@@ -369,11 +370,16 @@ func (repo *Repository) getUnitsByUserID(e Engine, userID int64, isAdmin bool) (
  return err
  }
 
+ repo.UnitsMode = make(map[UnitType]AccessMode)
  // unique
  var newRepoUnits = make([]*RepoUnit, 0, len(repo.Units))
  for _, u := range repo.Units {
  for _, team := range teams {
  if team.unitEnabled(e, u.Type) {
+ m := repo.UnitsMode[u.Type]
+ if m < team.Authorize {
+ repo.UnitsMode[u.Type] = m
+ }
  newRepoUnits = append(newRepoUnits, u)
  break
  }

modules/context/permission.go

@@ -0,0 +1,59 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package context
+
+import "code.gitea.io/gitea/models"
+
+// Permission contains all the permissions related variables to a repository
+type Permission struct {
+ AccessMode models.AccessMode
+ Units []*models.RepoUnit
+ UnitsMode map[models.UnitType]models.AccessMode
+}
+
+// IsOwner returns true if current user is the owner of repository.
+func (p *Permission) IsOwner() bool {
+ return p.AccessMode >= models.AccessModeOwner
+}
+
+// IsAdmin returns true if current user has admin or higher access of repository.
+func (p *Permission) IsAdmin() bool {
+ return p.AccessMode >= models.AccessModeAdmin
+}
+
+// HasAccess returns true if the current user has at least read access to any unit of this repository
+func (p *Permission) HasAccess() bool {
+ if p.UnitsMode == nil {
+ return p.AccessMode >= models.AccessModeRead
+ }
+ return len(p.UnitsMode) > 0
+}
+
+// UnitAccessMode returns current user accessmode to the specify unit of the repository
+func (p *Permission) UnitAccessMode(unitType models.UnitType) models.AccessMode {
+ if p.UnitsMode == nil {
+ return p.AccessMode
+ }
+ return p.UnitsMode[unitType]
+}
+
+// CanAccess returns true if user has read access to the unit of the repository
+func (p *Permission) CanAccess(unitType models.UnitType) bool {
+ return p.UnitAccessMode(unitType) >= models.AccessModeRead
+}
+
+// CanWrite returns true if user could write to this unit
+func (p *Permission) CanWrite(unitType models.UnitType) bool {
+ return p.UnitAccessMode(unitType) >= models.AccessModeWrite
+}
+
+// CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and
+// returns true if isPull is false and user could write to issues
+func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {
+ if isPull {
+ return p.CanWrite(models.UnitTypePullRequests)
+ }
+ return p.CanWrite(models.UnitTypeIssues)
+}

modules/context/repo.go

@@ -32,7 +32,7 @@ type PullRequest struct {
 
 // Repository contains information to operate a repository
 type Repository struct {
- AccessMode models.AccessMode
+ Permission
  IsWatching bool
  IsViewBranch bool
  IsViewTag bool
@@ -54,34 +54,14 @@ type Repository struct {
  PullRequest *PullRequest
 }
 
-// IsOwner returns true if current user is the owner of repository.
-func (r *Repository) IsOwner() bool {
- return r.AccessMode >= models.AccessModeOwner
-}
-
-// IsAdmin returns true if current user has admin or higher access of repository.
-func (r *Repository) IsAdmin() bool {
- return r.AccessMode >= models.AccessModeAdmin
-}
-
-// IsWriter returns true if current user has write or higher access of repository.
-func (r *Repository) IsWriter() bool {
- return r.AccessMode >= models.AccessModeWrite
-}
-
-// HasAccess returns true if the current user has at least read access for this repository
-func (r *Repository) HasAccess() bool {
- return r.AccessMode >= models.AccessModeRead
-}
-
 // CanEnableEditor returns true if repository is editable and user has proper access level.
 func (r *Repository) CanEnableEditor() bool {
- return r.Repository.CanEnableEditor() && r.IsViewBranch && r.IsWriter()
+ return r.Permission.CanWrite(models.UnitTypeCode) && r.Repository.CanEnableEditor() && r.IsViewBranch
 }
 
 // CanCreateBranch returns true if repository is editable and user has proper access level.
 func (r *Repository) CanCreateBranch() bool {
- return r.Repository.CanCreateBranch() && r.IsWriter()
+ return r.Permission.CanWrite(models.UnitTypeCode) && r.Repository.CanCreateBranch()
 }
 
 // CanCommitToBranch returns true if repository is editable and user has proper access level
@@ -101,12 +81,12 @@ func (r *Repository) CanUseTimetracker(issue *models.Issue, user *models.User) b
  // 2. Is the user a contributor, admin, poster or assignee and do the repository policies require this?
  isAssigned, _ := models.IsUserAssignedToIssue(issue, user)
  return r.Repository.IsTimetrackerEnabled() && (!r.Repository.AllowOnlyContributorsToTrackTime() ||
- r.IsWriter() || issue.IsPoster(user.ID) || isAssigned)
+ r.Permission.CanWrite(models.UnitTypeIssues) || issue.IsPoster(user.ID) || isAssigned)
 }
 
 // CanCreateIssueDependencies returns whether or not a user can create dependencies.
 func (r *Repository) CanCreateIssueDependencies(user *models.User) bool {
- return r.Repository.IsDependenciesEnabled() && r.IsWriter()
+ return r.Permission.CanWrite(models.UnitTypeIssues) && r.Repository.IsDependenciesEnabled()
 }
 
 // GetCommitsCount returns cached commit count for current view
@@ -223,7 +203,7 @@ func RedirectToRepo(ctx *Context, redirectRepoID int64) {
 func repoAssignment(ctx *Context, repo *models.Repository) {
  // Admin has super access.
  if ctx.IsSigned && ctx.User.IsAdmin {
- ctx.Repo.AccessMode = models.AccessModeOwner
+ ctx.Repo.Permission.AccessMode = models.AccessModeOwner
  } else {
  var userID int64
  if ctx.User != nil {
@@ -234,11 +214,11 @@ func repoAssignment(ctx *Context, repo *models.Repository) {
  ctx.ServerError("AccessLevel", err)
  return
  }
- ctx.Repo.AccessMode = mode
+ ctx.Repo.Permission.AccessMode = mode
  }
 
  // Check access.
- if ctx.Repo.AccessMode == models.AccessModeNone {
+ if ctx.Repo.Permission.AccessMode == models.AccessModeNone {
  if ctx.Query("go-get") == "1" {
  EarlyResponseForGoGetMeta(ctx)
  return
@@ -379,9 +359,10 @@ func RepoAssignment() macaron.Handler {
  ctx.Data["Title"] = owner.Name + "/" + repo.Name
  ctx.Data["Repository"] = repo
  ctx.Data["Owner"] = ctx.Repo.Repository.Owner
- ctx.Data["IsRepositoryOwner"] = ctx.Repo.IsOwner()
- ctx.Data["IsRepositoryAdmin"] = ctx.Repo.IsAdmin()
- ctx.Data["IsRepositoryWriter"] = ctx.Repo.IsWriter()
+ ctx.Data["IsRepositoryOwner"] = ctx.Repo.Permission.IsOwner()
+ ctx.Data["IsRepositoryAdmin"] = ctx.Repo.Permission.IsAdmin()
+ // FIXME: IsRepositoryWriter will only be used on codes related operations.
+ ctx.Data["IsRepositoryWriter"] = ctx.Repo.Permission.CanWrite(models.UnitTypeCode)
 
  if ctx.Data["CanSignedUserFork"], err = ctx.Repo.Repository.CanUserFork(ctx.User); err != nil {
  ctx.ServerError("CanUserFork", err)
@@ -435,7 +416,7 @@ func RepoAssignment() macaron.Handler {
  }
 
  // People who have push access or have forked repository can propose a new pull request.
- if ctx.Repo.IsWriter() || (ctx.IsSigned && ctx.User.HasForkedRepo(ctx.Repo.Repository.ID)) {
+ if ctx.Repo.CanWrite(models.UnitTypeCode) || (ctx.IsSigned && ctx.User.HasForkedRepo(ctx.Repo.Repository.ID)) {
  // Pull request is allowed if this is a fork repository
  // and base repository accepts pull requests.
  if repo.BaseRepo != nil && repo.BaseRepo.AllowsPulls() {
@@ -671,10 +652,10 @@ func RequireRepoAdmin() macaron.Handler {
  }
 }
 
-// RequireRepoWriter returns a macaron middleware for requiring repository write permission
-func RequireRepoWriter() macaron.Handler {
+// RequireRepoWriter returns a macaron middleware for requiring repository write to code permission
+func RequireRepoWriter(unitType models.UnitType) macaron.Handler {
  return func(ctx *Context) {
- if !ctx.IsSigned || (!ctx.Repo.IsWriter() && !ctx.User.IsAdmin) {
+ if !ctx.IsSigned || (!ctx.Repo.CanWrite(unitType) && !ctx.User.IsAdmin) {
  ctx.NotFound(ctx.Req.RequestURI, nil)
  return
  }
@@ -698,6 +679,8 @@ func LoadRepoUnits() macaron.Handler {
  ctx.ServerError("LoadUnitsByUserID", err)
  return
  }
+ ctx.Repo.Permission.Units = ctx.Repo.Repository.Units
+ ctx.Repo.Permission.UnitsMode = ctx.Repo.Repository.UnitsMode
  }
 }
 

routers/api/v1/api.go

@@ -152,6 +152,7 @@ func repoAssignment() macaron.Handler {
  return
  }
  repo.Owner = owner
+ ctx.Repo.Repository = repo
 
  if ctx.IsSigned && ctx.User.IsAdmin {
  ctx.Repo.AccessMode = models.AccessModeOwner
@@ -168,8 +169,6 @@ func repoAssignment() macaron.Handler {
  ctx.Status(404)
  return
  }
-
- ctx.Repo.Repository = repo
  }
 }
 
@@ -205,12 +204,15 @@ func reqAdmin() macaron.Handler {
  }
 }
 
-func reqRepoWriter() macaron.Handler {
+func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {
  return func(ctx *context.Context) {
- if !ctx.Repo.IsWriter() {
- ctx.Error(403)
- return
+ for _, unitType := range unitTypes {
+ if ctx.Repo.CanWrite(unitType) {
+ return
+ }
  }
+
+ ctx.Error(403)
  }
 }
 
@@ -453,7 +455,7 @@ func RegisterRoutes(m *macaron.Macaron) {
  Delete(repo.DeleteHook)
  m.Post("/tests", context.RepoRef(), repo.TestHook)
  })
- }, reqToken(), reqRepoWriter())
+ }, reqToken(), reqRepoWriter(models.UnitTypeCode))
  m.Group("/collaborators", func() {
  m.Get("", repo.ListCollaborators)
  m.Combo("/:collaborator").Get(repo.IsCollaborator).
@@ -473,7 +475,7 @@ func RegisterRoutes(m *macaron.Macaron) {
  Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
  m.Combo("/:id").Get(repo.GetDeployKey).
  Delete(repo.DeleteDeploykey)
- }, reqToken(), reqRepoWriter())
+ }, reqToken(), reqRepoWriter(models.UnitTypeCode))
  m.Group("/times", func() {
  m.Combo("").Get(repo.ListTrackedTimesByRepository)
  m.Combo("/:timetrackingusername").Get(repo.ListTrackedTimesByUser)
@@ -524,10 +526,10 @@ func RegisterRoutes(m *macaron.Macaron) {
  })
  m.Group("/milestones", func() {
  m.Combo("").Get(repo.ListMilestones).
- Post(reqToken(), reqRepoWriter(), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)
+ Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)
  m.Combo("/:id").Get(repo.GetMilestone).
- Patch(reqToken(), reqRepoWriter(), bind(api.EditMilestoneOption{}), repo.EditMilestone).
- Delete(reqToken(), reqRepoWriter(), repo.DeleteMilestone)
+ Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).
+ Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteMilestone)
  })
  m.Get("/stargazers", repo.ListStargazers)
  m.Get("/subscribers", repo.ListSubscribers)

routers/api/v1/repo/collaborators.go

@@ -34,7 +34,7 @@ func ListCollaborators(ctx *context.APIContext) {
  // responses:
  // "200":
  // "$ref": "#/responses/UserList"
- if !ctx.Repo.IsWriter() {
+ if !ctx.Repo.CanWrite(models.UnitTypeCode) {
  ctx.Error(403, "", "User does not have push access")
  return
  }
@@ -78,7 +78,7 @@ func IsCollaborator(ctx *context.APIContext) {
  // "$ref": "#/responses/empty"
  // "404":
  // "$ref": "#/responses/empty"
- if !ctx.Repo.IsWriter() {
+ if !ctx.Repo.CanWrite(models.UnitTypeCode) {
  ctx.Error(403, "", "User does not have push access")
  return
  }
@@ -133,7 +133,7 @@ func AddCollaborator(ctx *context.APIContext, form api.AddCollaboratorOption) {
  // responses:
  // "204":
  // "$ref": "#/responses/empty"
- if !ctx.Repo.IsWriter() {
+ if !ctx.Repo.CanWrite(models.UnitTypeCode) {
  ctx.Error(403, "", "User does not have push access")
  return
  }
@@ -193,7 +193,7 @@ func DeleteCollaborator(ctx *context.APIContext) {
  // responses:
  // "204":
  // "$ref": "#/responses/empty"
- if !ctx.Repo.IsWriter() {
+ if !ctx.Repo.CanWrite(models.UnitTypeCode) {
  ctx.Error(403, "", "User does not have push access")
  return
  }

routers/api/v1/repo/file.go

@@ -38,7 +38,7 @@ func GetRawFile(ctx *context.APIContext) {
  // responses:
  // 200:
  // description: success
- if !ctx.Repo.HasAccess() {
+ if !ctx.Repo.CanAccess(models.UnitTypeCode) {
  ctx.Status(404)
  return
  }

routers/api/v1/repo/issue.go

@@ -169,7 +169,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
  // "$ref": "#/responses/Issue"
 
  var deadlineUnix util.TimeStamp
- if form.Deadline != nil && ctx.Repo.IsWriter() {
+ if form.Deadline != nil && ctx.Repo.CanWrite(models.UnitTypeIssues) {
  deadlineUnix = util.TimeStamp(form.Deadline.Unix())
  }
 
@@ -184,7 +184,7 @@ func CreateIssue(ctx *context.APIContext, form api.CreateIssueOption) {
 
  var assigneeIDs = make([]int64, 0)
  var err error
- if ctx.Repo.IsWriter() {
+ if ctx.Repo.CanWrite(models.UnitTypeIssues) {
  issue.MilestoneID = form.Milestone
  assigneeIDs, err = models.MakeIDsFromAPIAssigneesToAdd(form.Assignee, form.Assignees)
  if err != nil {
@@ -274,7 +274,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
  return
  }
 
- if !issue.IsPoster(ctx.User.ID) && !ctx.Repo.IsWriter() {
+ if !issue.IsPoster(ctx.User.ID) && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
  ctx.Status(403)
  return
  }
@@ -288,7 +288,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
 
  // Update the deadline
  var deadlineUnix util.TimeStamp
- if form.Deadline != nil && !form.Deadline.IsZero() && ctx.Repo.IsWriter() {
+ if form.Deadline != nil && !form.Deadline.IsZero() && ctx.Repo.CanWrite(models.UnitTypeIssues) {
  deadlineUnix = util.TimeStamp(form.Deadline.Unix())
  }
 
@@ -305,8 +305,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
  // Pass one or more user logins to replace the set of assignees on this Issue.
  // Send an empty array ([]) to clear all assignees from the Issue.
 
- if ctx.Repo.IsWriter() && (form.Assignees != nil || form.Assignee != nil) {
-
+ if ctx.Repo.CanWrite(models.UnitTypeIssues) && (form.Assignees != nil || form.Assignee != nil) {
  oneAssignee := ""
  if form.Assignee != nil {
  oneAssignee = *form.Assignee
@@ -319,7 +318,7 @@ func EditIssue(ctx *context.APIContext, form api.EditIssueOption) {
  }
  }
 
- if ctx.Repo.IsWriter() && form.Milestone != nil &&
+ if ctx.Repo.CanWrite(models.UnitTypeIssues) && form.Milestone != nil &&
  issue.MilestoneID != *form.Milestone {
  oldMilestoneID := issue.MilestoneID
  issue.MilestoneID = *form.Milestone
@@ -403,7 +402,7 @@ func UpdateIssueDeadline(ctx *context.APIContext, form api.EditDeadlineOption) {
  return
  }
 
- if !ctx.Repo.IsWriter() {
+ if !ctx.Repo.CanWrite(models.UnitTypeIssues) {
  ctx.Status(403)
  return
  }