fix AccessLevel

integrations/api_repo_test.go

@@ -164,7 +164,7 @@ func TestAPISearchRepo(t *testing.T) {
  assert.Len(t, body.Data, expected.count)
  for _, repo := range body.Data {
  r := getRepo(t, repo.ID)
- hasAccess, err := models.HasAccess(userID, r, models.AccessModeRead)
+ hasAccess, err := models.HasAccess(userID, r)
  assert.NoError(t, err)
  assert.True(t, hasAccess)
 

models/access.go

@@ -80,30 +80,6 @@ func accessLevel(e Engine, userID int64, repo *Repository) (AccessMode, error) {
  return a.Mode, nil
 }
 
-// AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the
-// user does not have access.
-func AccessLevel(user *User, repo *Repository) (AccessMode, error) {
- return accessLevelUnit(user, repo, UnitTypeCode)
-}
-
-func accessLevelUnit(user *User, repo *Repository, unitType UnitType) (AccessMode, error) {
- perm, err := GetUserRepoPermission(repo, user)
- if err != nil {
- return AccessModeNone, err
- }
- return perm.UnitAccessMode(UnitTypeCode), nil
-}
-
-func hasAccess(e Engine, userID int64, repo *Repository, testMode AccessMode) (bool, error) {
- mode, err := accessLevel(e, userID, repo)
- return testMode <= mode, err
-}
-
-// HasAccess returns true if user has access to repo
-func HasAccess(userID int64, repo *Repository, testMode AccessMode) (bool, error) {
- return hasAccess(x, userID, repo, testMode)
-}
-
 type repoAccess struct {
  Access `xorm:"extends"`
  Repository `xorm:"extends"`

models/access_test.go

@@ -58,23 +58,18 @@ func TestHasAccess(t *testing.T) {
  repo2 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
  assert.True(t, repo2.IsPrivate)
 
- for _, accessMode := range accessModes {
- has, err := HasAccess(user1.ID, repo1, accessMode)
- assert.NoError(t, err)
- assert.True(t, has)
-
- has, err = HasAccess(user1.ID, repo2, accessMode)
- assert.NoError(t, err)
- assert.Equal(t, accessMode <= AccessModeWrite, has)
-
- has, err = HasAccess(user2.ID, repo1, accessMode)
- assert.NoError(t, err)
- assert.Equal(t, accessMode <= AccessModeRead, has)
-
- has, err = HasAccess(user2.ID, repo2, accessMode)
- assert.NoError(t, err)
- assert.Equal(t, accessMode <= AccessModeNone, has)
- }
+ has, err := HasAccess(user1.ID, repo1)
+ assert.NoError(t, err)
+ assert.True(t, has)
+
+ has, err = HasAccess(user1.ID, repo2)
+ assert.NoError(t, err)
+
+ has, err = HasAccess(user2.ID, repo1)
+ assert.NoError(t, err)
+
+ has, err = HasAccess(user2.ID, repo2)
+ assert.NoError(t, err)
 }
 
 func TestUser_GetRepositoryAccesses(t *testing.T) {

models/issue.go

@@ -950,7 +950,11 @@ func newIssue(e *xorm.Session, doer *User, opts NewIssueOptions) (err error) {
  // Check for and validate assignees
  if len(opts.AssigneeIDs) > 0 {
  for _, assigneeID := range opts.AssigneeIDs {
- valid, err := hasAccess(e, assigneeID, opts.Repo, AccessModeWrite)
+ user, err := getUserByID(e, assigneeID)
+ if err != nil {
+ return fmt.Errorf("getUserByID [user_id: %d, repo_id: %d]: %v", assigneeID, opts.Repo.ID, err)
+ }
+ valid, err := canBeAssigned(e, user, opts.Repo)
  if err != nil {
  return fmt.Errorf("hasAccess [user_id: %d, repo_id: %d]: %v", assigneeID, opts.Repo.ID, err)
  }

models/issue_assignees.go

@@ -159,13 +159,14 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
  return fmt.Errorf("createAssigneeComment: %v", err)
  }
 
- // if issue/pull is in the middle of creation - don't call webhook
+ // if pull request is in the middle of creation - don't call webhook
  if isCreate {
  return nil
  }
 
- mode, _ := accessLevel(sess, doer.ID, issue.Repo)
  if issue.IsPull {
+ mode, _ := accessLevelUnit(sess, doer, issue.Repo, UnitTypePullRequests)
+
  if err = issue.loadPullRequest(sess); err != nil {
  return fmt.Errorf("loadPullRequest: %v", err)
  }
@@ -186,6 +187,8 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
  return nil
  }
  } else {
+ mode, _ := accessLevelUnit(sess, doer, issue.Repo, UnitTypeIssues)
+
  apiIssue := &api.IssuePayload{
  Index: issue.Index,
  Issue: issue.APIFormat(),

models/org_team.go

@@ -177,7 +177,7 @@ func (t *Team) removeRepository(e Engine, repo *Repository, recalculate bool) (e
  return fmt.Errorf("getTeamUsersByTeamID: %v", err)
  }
  for _, teamUser := range teamUsers {
- has, err := hasAccess(e, teamUser.UID, repo, AccessModeRead)
+ has, err := hasAccess(e, teamUser.UID, repo)
  if err != nil {
  return err
  } else if has {
@@ -434,7 +434,7 @@ func DeleteTeam(t *Team) error {
 
  // Remove watches from all users and now unaccessible repos
  for _, user := range t.Members {
- has, err := hasAccess(sess, user.ID, repo, AccessModeRead)
+ has, err := hasAccess(sess, user.ID, repo)
  if err != nil {
  return err
  } else if has {
@@ -652,7 +652,7 @@ func removeTeamMember(e *xorm.Session, team *Team, userID int64) error {
  }
 
  // Remove watches from now unaccessible
- has, err := hasAccess(e, userID, repo, AccessModeRead)
+ has, err := hasAccess(e, userID, repo)
  if err != nil {
  return err
  } else if has {

models/release.go

@@ -419,13 +419,6 @@ func DeleteReleaseByID(id int64, u *User, delTag bool) error {
  return fmt.Errorf("GetRepositoryByID: %v", err)
  }
 
- has, err := HasAccess(u.ID, repo, AccessModeWrite)
- if err != nil {
- return fmt.Errorf("HasAccess: %v", err)
- } else if !has {
- return fmt.Errorf("DeleteReleaseByID: permission denied")
- }
-
  if delTag {
  _, stderr, err := process.GetManager().ExecDir(-1, repo.RepoPath(),
  fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),

models/repo_permission.go

@@ -191,5 +191,66 @@ func isUserRepoAdmin(e Engine, repo *Repository, user *User) (bool, error) {
  if err != nil {
  return false, err
  }
- return mode >= AccessModeAdmin, nil
+ if mode >= AccessModeAdmin {
+ return true, nil
+ }
+
+ teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)
+ if err != nil {
+ return false, err
+ }
+
+ for _, team := range teams {
+ if team.Authorize >= AccessModeAdmin {
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+// AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the
+// user does not have access.
+func AccessLevel(user *User, repo *Repository) (AccessMode, error) {
+ return accessLevelUnit(x, user, repo, UnitTypeCode)
+}
+
+func accessLevelUnit(e Engine, user *User, repo *Repository, unitType UnitType) (AccessMode, error) {
+ perm, err := getUserRepoPermission(e, repo, user)
+ if err != nil {
+ return AccessModeNone, err
+ }
+ return perm.UnitAccessMode(UnitTypeCode), nil
+}
+
+func hasAccessUnit(e Engine, user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
+ mode, err := accessLevelUnit(e, user, repo, unitType)
+ return testMode <= mode, err
+}
+
+// HasAccessUnit returns ture if user has testMode to the unit of the repository
+func HasAccessUnit(user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
+ return hasAccessUnit(x, user, repo, unitType, testMode)
+}
+
+// canBeAssigned return true if user could be assigned to a repo
+// FIXME: user could send PullRequest also could be assigned???
+func canBeAssigned(e Engine, user *User, repo *Repository) (bool, error) {
+ return hasAccessUnit(e, user, repo, UnitTypeCode, AccessModeWrite)
+}
+
+func hasAccess(e Engine, userID int64, repo *Repository) (bool, error) {
+ user, err := getUserByID(e, userID)
+ if err != nil {
+ return false, err
+ }
+ perm, err := getUserRepoPermission(e, repo, user)
+ if err != nil {
+ return false, err
+ }
+ return perm.HasAccess(), nil
+}
+
+// HasAccess returns true if user has access to repo
+func HasAccess(userID int64, repo *Repository) (bool, error) {
+ return hasAccess(x, userID, repo)
 }