Restricted users (#6274)

* Restricted users (#4334): initial implementation
* Add User.IsRestricted & UI to edit it
* Pass user object instead of user id to places where IsRestricted flag matters
* Restricted users: maintain access rows for all referenced repos (incl public)
* Take logged in user & IsRestricted flag into account in org/repo listings, searches and accesses
* Add basic repo access tests for restricted users

Signed-off-by: Manush Dodunekov <manush@stendahls.se>

* Mention restricted users in the faq

Signed-off-by: Manush Dodunekov <manush@stendahls.se>

* Revert unnecessary change `.isUserPartOfOrg` -> `.IsUserPartOfOrg`

Signed-off-by: Manush Dodunekov <manush@stendahls.se>

* Remove unnecessary `org.IsOrganization()` call

Signed-off-by: Manush Dodunekov <manush@stendahls.se>

* Revert to an `int64` keyed `accessMap`
* Add type `userAccess`
* Add convenience func updateUserAccess()
* Turn accessMap into a `map[int64]userAccess`

Signed-off-by: Manush Dodunekov <manush@stendahls.se>

* or even better: `map[int64]*userAccess`
* updateUserAccess(): use tighter syntax as suggested by lafriks
* even tighter
* Avoid extra loop
* Don't disclose limited orgs to unauthenticated users
* Don't assume block only applies to orgs
* Use an array of `VisibleType` for filtering
* fix yet another thinko
* Ok - no need for u
* Revert "Ok - no need for u"

This reverts commit 5c3e886aabd5acd997a3b35687d322439732c200.

Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
4 years ago
```go
// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package models

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestAccessLevel(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	user2 := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	user5 := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
	user29 := AssertExistsAndLoadBean(t, &User{ID: 29}).(*User)
	// A public repository owned by User 2
	repo1 := AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
	assert.False(t, repo1.IsPrivate)
	// A private repository owned by Org 3
	repo3 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
	assert.True(t, repo3.IsPrivate)

	// Another public repository
	repo4 := AssertExistsAndLoadBean(t, &Repository{ID: 4}).(*Repository)
	assert.False(t, repo4.IsPrivate)
	// org. owned private repo
	repo24 := AssertExistsAndLoadBean(t, &Repository{ID: 24}).(*Repository)

	level, err := AccessLevel(user2, repo1)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeOwner, level)

	level, err = AccessLevel(user2, repo3)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeOwner, level)

	level, err = AccessLevel(user5, repo1)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeRead, level)

	level, err = AccessLevel(user5, repo3)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeNone, level)

	// restricted user has no access to a public repo
	level, err = AccessLevel(user29, repo1)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeNone, level)

	// ... unless he's a collaborator
	level, err = AccessLevel(user29, repo4)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeWrite, level)

	// ... or a team member
	level, err = AccessLevel(user29, repo24)
	assert.NoError(t, err)
	assert.Equal(t, AccessModeRead, level)
}

func TestHasAccess(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	user1 := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	user2 := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
	// A public repository owned by User 2
	repo1 := AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
	assert.False(t, repo1.IsPrivate)
	// A private repository owned by Org 3
	repo2 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
	assert.True(t, repo2.IsPrivate)

	has, err := HasAccess(user1.ID, repo1)
	assert.NoError(t, err)
	assert.True(t, has)

	_, err = HasAccess(user1.ID, repo2)
	assert.NoError(t, err)

	_, err = HasAccess(user2.ID, repo1)
	assert.NoError(t, err)

	_, err = HasAccess(user2.ID, repo2)
	assert.NoError(t, err)
}

func TestUser_GetRepositoryAccesses(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	user1 := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	accesses, err := user1.GetRepositoryAccesses()
	assert.NoError(t, err)
	assert.Len(t, accesses, 0)

	user29 := AssertExistsAndLoadBean(t, &User{ID: 29}).(*User)
	accesses, err = user29.GetRepositoryAccesses()
	assert.NoError(t, err)
	assert.Len(t, accesses, 2)
}

func TestUser_GetAccessibleRepositories(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())

	user1 := AssertExistsAndLoadBean(t, &User{ID: 1}).(*User)
	repos, err := user1.GetAccessibleRepositories(0)
	assert.NoError(t, err)
	assert.Len(t, repos, 0)

	user2 := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
	repos, err = user2.GetAccessibleRepositories(0)
	assert.NoError(t, err)
	assert.Len(t, repos, 4)

	user29 := AssertExistsAndLoadBean(t, &User{ID: 29}).(*User)
	repos, err = user29.GetAccessibleRepositories(0)
	assert.NoError(t, err)
	assert.Len(t, repos, 2)
}

func TestRepository_RecalculateAccesses(t *testing.T) {
	// test with organization repo
	assert.NoError(t, PrepareTestDatabase())
	repo1 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
	assert.NoError(t, repo1.GetOwner())

	_, err := x.Delete(&Collaboration{UserID: 2, RepoID: 3})
	assert.NoError(t, err)
	assert.NoError(t, repo1.RecalculateAccesses())

	access := &Access{UserID: 2, RepoID: 3}
	has, err := x.Get(access)
	assert.NoError(t, err)
	assert.True(t, has)
	assert.Equal(t, AccessModeOwner, access.Mode)
}

func TestRepository_RecalculateAccesses2(t *testing.T) {
	// test with non-organization repo
	assert.NoError(t, PrepareTestDatabase())
	repo1 := AssertExistsAndLoadBean(t, &Repository{ID: 4}).(*Repository)
	assert.NoError(t, repo1.GetOwner())

	_, err := x.Delete(&Collaboration{UserID: 4, RepoID: 4})
	assert.NoError(t, err)
	assert.NoError(t, repo1.RecalculateAccesses())

	has, err := x.Get(&Access{UserID: 4, RepoID: 4})
	assert.NoError(t, err)
	assert.False(t, has)
}

func TestRepository_RecalculateAccesses3(t *testing.T) {
	assert.NoError(t, PrepareTestDatabase())
	team5 := AssertExistsAndLoadBean(t, &Team{ID: 5}).(*Team)
	user29 := AssertExistsAndLoadBean(t, &User{ID: 29}).(*User)

	has, err := x.Get(&Access{UserID: 29, RepoID: 23})
	assert.NoError(t, err)
	assert.False(t, has)

	// adding user29 to team5 should add an explicit access row for repo 23
	// even though repo 23 is public
	assert.NoError(t, AddTeamMember(team5, user29.ID))

	has, err = x.Get(&Access{UserID: 29, RepoID: 23})
	assert.NoError(t, err)
	assert.True(t, has)
}
```
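
The rule that `TestAccessLevel` and `TestRepository_RecalculateAccesses3` exercise, as an added stand-alone sketch that is not Gitea's own code: a restricted user gets no implicit read on public repositories, so an explicit access row must exist for every repository they may reach. The `rows` map, the `accessKey`, `User` and `Repo` types, and the treatment of a nil user as an anonymous visitor are assumptions of this model.

```go
package main

import "fmt"

// AccessMode is ordered None < Read < Write < Owner, as the tests above use it.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
	AccessModeOwner
)

// User and Repo are hypothetical stand-ins for the models loaded in the tests.
type User struct { ID int64; IsRestricted bool }
type Repo struct { ID, OwnerID int64; IsPrivate bool }

// accessKey identifies one explicit access row (collaborator or team grant).
type accessKey struct{ UserID, RepoID int64 }

// AccessLevel is a simplified in-memory model of the decision under test.
func AccessLevel(rows map[accessKey]AccessMode, u *User, r Repo) AccessMode {
	mode := AccessModeNone
	// Implicit read on a public repo applies only to non-restricted callers.
	if !r.IsPrivate && (u == nil || !u.IsRestricted) {
		mode = AccessModeRead
	}
	if u == nil { // assumption of this sketch: nil means anonymous
		return mode
	}
	if u.ID == r.OwnerID {
		return AccessModeOwner
	}
	// An explicit row replaces the implicit default, which is why a
	// restricted user needs a row even for a public repository.
	if m, ok := rows[accessKey{u.ID, r.ID}]; ok {
		return m
	}
	return mode
}

func main() {
	rows := map[accessKey]AccessMode{{29, 4}: AccessModeWrite} // constructed sample row
	restricted := &User{ID: 29, IsRestricted: true}
	fmt.Println(AccessLevel(rows, restricted, Repo{ID: 1, OwnerID: 2})) // public, no row
	fmt.Println(AccessLevel(rows, restricted, Repo{ID: 4, OwnerID: 5})) // public, collaborator
}
```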