Restrict permission check on repositories and fix some problems #5314
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,135 @@ | ||
// Copyright 2018 The Gitea Authors. All rights reserved. | ||
// Use of this source code is governed by a MIT-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package models | ||
|
||
// Permission contains all the permissions related variables to a repository for a user | ||
type Permission struct { | ||
AccessMode AccessMode | ||
Units []*RepoUnit | ||
UnitsMode map[UnitType]AccessMode | ||
} | ||
|
||
// IsOwner returns true if current user is the owner of repository. | ||
func (p *Permission) IsOwner() bool { | ||
return p.AccessMode >= AccessModeOwner | ||
} | ||
|
||
// IsAdmin returns true if current user has admin or higher access of repository. | ||
func (p *Permission) IsAdmin() bool { | ||
return p.AccessMode >= AccessModeAdmin | ||
} | ||
|
||
// HasAccess returns true if the current user has at least read access to any unit of this repository | ||
func (p *Permission) HasAccess() bool { | ||
if p.UnitsMode == nil { | ||
return p.AccessMode >= AccessModeRead | ||
} | ||
return len(p.UnitsMode) > 0 | ||
} | ||
|
||
// UnitAccessMode returns current user accessmode to the specify unit of the repository | ||
func (p *Permission) UnitAccessMode(unitType UnitType) AccessMode { | ||
if p.UnitsMode == nil { | ||
return p.AccessMode | ||
} | ||
return p.UnitsMode[unitType] | ||
} | ||
|
||
// CanAccess returns true if user has read access to the unit of the repository | ||
func (p *Permission) CanAccess(unitType UnitType) bool { | ||
return p.UnitAccessMode(unitType) >= AccessModeRead | ||
} | ||
|
||
// CanWrite returns true if user could write to this unit | ||
func (p *Permission) CanWrite(unitType UnitType) bool { | ||
return p.UnitAccessMode(unitType) >= AccessModeWrite | ||
} | ||
|
||
// CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and | ||
// returns true if isPull is false and user could write to issues | ||
func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool { | ||
if isPull { | ||
return p.CanWrite(UnitTypePullRequests) | ||
} | ||
return p.CanWrite(UnitTypeIssues) | ||
} | ||
|
||
// GetUserRepoPermission returns the user permissions to the repository | ||
func GetUserRepoPermission(repo *Repository, user *User) (Permission, error) { | ||
return getUserRepoPermission(x, repo, user) | ||
} | ||
|
||
func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permission, err error) { | ||
// anonymous user visit private repo. TODO: anonymous user visit public unit of private repo??? | ||
if user == nil && repo.IsPrivate { | ||
perm.AccessMode = AccessModeNone | ||
return | ||
} | ||
|
||
if err = repo.getUnits(e); err != nil { | ||
return | ||
} | ||
|
||
perm.Units = repo.Units | ||
|
||
// anonymous visit public repo | ||
if user == nil { | ||
perm.AccessMode = AccessModeRead | ||
return | ||
} | ||
|
||
// Admin has super access or user is the owner of the repository | ||
if user.IsAdmin || user.ID == repo.OwnerID { | ||
perm.AccessMode = AccessModeOwner | ||
return | ||
} | ||
|
||
// plain user | ||
perm.AccessMode, err = accessLevel(e, user.ID, repo) | ||
if err != nil { | ||
return | ||
} | ||
|
||
if err = repo.getOwner(e); err != nil { | ||
return | ||
} | ||
if !repo.Owner.IsOrganization() { | ||
return | ||
} | ||
|
||
teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID) | ||
if err != nil { | ||
return | ||
} | ||
|
||
perm.UnitsMode = make(map[UnitType]AccessMode) | ||
for _, u := range repo.Units { | ||
var found bool | ||
for _, team := range teams { | ||
if team.unitEnabled(e, u.Type) { | ||
m := perm.UnitsMode[u.Type] | ||
if m < team.Authorize { | ||
perm.UnitsMode[u.Type] = team.Authorize | ||
} | ||
found = true | ||
} | ||
} | ||
|
||
if !found && !repo.IsPrivate { | ||
perm.UnitsMode[u.Type] = AccessModeRead | ||
} | ||
} | ||
|
||
perm.Units = make([]*RepoUnit, 0, len(repo.Units)) | ||
for t, _ := range perm.UnitsMode { | ||
for _, u := range repo.Units { | ||
if u.Type == t { | ||
perm.Units = append(perm.Units, u) | ||
} | ||
} | ||
} | ||
|
||
return | ||
} |
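Review bot: In `getUserRepoPermission`, once `perm.UnitsMode` is allocated for an organization-owned repository, `UnitAccessMode`, `CanAccess`, `CanWrite` and `HasAccess` stop consulting `perm.AccessMode`, while `IsOwner` and `IsAdmin` still read it, so the two views of the same user can disagree. A user who matches no team ends up with an empty, non-nil map on a private repository and is refused every unit whatever `accessLevel` returned; if `accessLevel` also covers direct collaborators (its body is not on this page), that grant is silently dropped. Consider returning before the map is built when there is nothing to merge, for example `if len(teams) == 0 { return }` (assuming `accessLevel` already yields read on public repositories), and add a comment on `Permission` that states which field takes precedence when `UnitsMode` is non-nil. Separately, the last loop ranges over the map, so the order of `perm.Units` varies between calls; ranging over `repo.Units` and keeping the entries whose type is a key of `perm.UnitsMode` would keep the order stable and drop the nested loop.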
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
// Copyright 2015 The Gogs Authors. All rights reserved. | ||
// Copyright 2018 The Gitea Authors. All rights reserved. | ||
// Copyright 2016 The Gitea Authors. All rights reserved. | ||
2018
I think maybe 2016 because the file might have been modified then.
OK
@techknowlogick @zeripath yes. If I explicitly know the file is modified on some year I will change to that year, but will change it to 2018. |
||
// Use of this source code is governed by a MIT-style | ||
// license that can be found in the LICENSE file. | ||
|
||
|
Lint doesn't like the second argument
done.