closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7371 Commits
2 Branches
178 MiB
Tree: 1bce1894f5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1bce1894f5'
${ noResults }
gitea/models/repo_permission.go

279 lines
7.5 KiB
Raw Normal View History

Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
6 years ago
fix bug when update owner team then visit team's repo return 404 (#6119)
5 years ago
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
6 years ago
Fixed unitTypeCode not being used (#6419)
5 years ago
Restrict permission check on repositories and fix some problems (#5314) * fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
6 years ago
 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models
  6. 

  7. // Permission contains all the permissions related variables to a repository for a user

  8. type Permission struct {
  9. 	AccessMode AccessMode
  10. 	Units      []*RepoUnit
  11. 	UnitsMode  map[UnitType]AccessMode
  12. }
  13. 

  14. // IsOwner returns true if current user is the owner of repository.

  15. func (p *Permission) IsOwner() bool {
  16. 	return p.AccessMode >= AccessModeOwner
  17. }
  18. 

  19. // IsAdmin returns true if current user has admin or higher access of repository.

  20. func (p *Permission) IsAdmin() bool {
  21. 	return p.AccessMode >= AccessModeAdmin
  22. }
  23. 

  24. // HasAccess returns true if the current user has at least read access to any unit of this repository

  25. func (p *Permission) HasAccess() bool {
  26. 	if p.UnitsMode == nil {
  27. 		return p.AccessMode >= AccessModeRead
  28. 	}
  29. 	return len(p.UnitsMode) > 0
  30. }
  31. 

  32. // UnitAccessMode returns current user accessmode to the specify unit of the repository

  33. func (p *Permission) UnitAccessMode(unitType UnitType) AccessMode {
  34. 	if p.UnitsMode == nil {
  35. 		for _, u := range p.Units {
  36. 			if u.Type == unitType {
  37. 				return p.AccessMode
  38. 			}
  39. 		}
  40. 		return AccessModeNone
  41. 	}
  42. 	return p.UnitsMode[unitType]
  43. }
  44. 

  45. // CanAccess returns true if user has mode access to the unit of the repository

  46. func (p *Permission) CanAccess(mode AccessMode, unitType UnitType) bool {
  47. 	return p.UnitAccessMode(unitType) >= mode
  48. }
  49. 

  50. // CanAccessAny returns true if user has mode access to any of the units of the repository

  51. func (p *Permission) CanAccessAny(mode AccessMode, unitTypes ...UnitType) bool {
  52. 	for _, u := range unitTypes {
  53. 		if p.CanAccess(mode, u) {
  54. 			return true
  55. 		}
  56. 	}
  57. 	return false
  58. }
  59. 

  60. // CanRead returns true if user could read to this unit

  61. func (p *Permission) CanRead(unitType UnitType) bool {
  62. 	return p.CanAccess(AccessModeRead, unitType)
  63. }
  64. 

  65. // CanReadAny returns true if user has read access to any of the units of the repository

  66. func (p *Permission) CanReadAny(unitTypes ...UnitType) bool {
  67. 	return p.CanAccessAny(AccessModeRead, unitTypes...)
  68. }
  69. 

  70. // CanReadIssuesOrPulls returns true if isPull is true and user could read pull requests and

  71. // returns true if isPull is false and user could read to issues

  72. func (p *Permission) CanReadIssuesOrPulls(isPull bool) bool {
  73. 	if isPull {
  74. 		return p.CanRead(UnitTypePullRequests)
  75. 	}
  76. 	return p.CanRead(UnitTypeIssues)
  77. }
  78. 

  79. // CanWrite returns true if user could write to this unit

  80. func (p *Permission) CanWrite(unitType UnitType) bool {
  81. 	return p.CanAccess(AccessModeWrite, unitType)
  82. }
  83. 

  84. // CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and

  85. // returns true if isPull is false and user could write to issues

  86. func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {
  87. 	if isPull {
  88. 		return p.CanWrite(UnitTypePullRequests)
  89. 	}
  90. 	return p.CanWrite(UnitTypeIssues)
  91. }
  92. 

  93. // GetUserRepoPermission returns the user permissions to the repository

  94. func GetUserRepoPermission(repo *Repository, user *User) (Permission, error) {
  95. 	return getUserRepoPermission(x, repo, user)
  96. }
  97. 

  98. func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permission, err error) {
  99. 	// anonymous user visit private repo.

  100. 	// TODO: anonymous user visit public unit of private repo???

  101. 	if user == nil && repo.IsPrivate {
  102. 		perm.AccessMode = AccessModeNone
  103. 		return
  104. 	}
  105. 

  106. 	if err = repo.getUnits(e); err != nil {
  107. 		return
  108. 	}
  109. 

  110. 	perm.Units = repo.Units
  111. 

  112. 	// anonymous visit public repo

  113. 	if user == nil {
  114. 		perm.AccessMode = AccessModeRead
  115. 		return
  116. 	}
  117. 

  118. 	// Admin or the owner has super access to the repository

  119. 	if user.IsAdmin || user.ID == repo.OwnerID {
  120. 		perm.AccessMode = AccessModeOwner
  121. 		return
  122. 	}
  123. 

  124. 	// plain user

  125. 	perm.AccessMode, err = accessLevel(e, user.ID, repo)
  126. 	if err != nil {
  127. 		return
  128. 	}
  129. 

  130. 	if err = repo.getOwner(e); err != nil {
  131. 		return
  132. 	}
  133. 	if !repo.Owner.IsOrganization() {
  134. 		return
  135. 	}
  136. 

  137. 	perm.UnitsMode = make(map[UnitType]AccessMode)
  138. 

  139. 	// Collaborators on organization

  140. 	if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil {
  141. 		return perm, err
  142. 	} else if isCollaborator {
  143. 		for _, u := range repo.Units {
  144. 			perm.UnitsMode[u.Type] = perm.AccessMode
  145. 		}
  146. 	}
  147. 

  148. 	// get units mode from teams

  149. 	teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)
  150. 	if err != nil {
  151. 		return
  152. 	}
  153. 

  154. 	// if user in an owner team

  155. 	for _, team := range teams {
  156. 		if team.Authorize >= AccessModeOwner {
  157. 			perm.AccessMode = AccessModeOwner
  158. 			perm.UnitsMode = nil
  159. 			return
  160. 		}
  161. 	}
  162. 

  163. 	for _, u := range repo.Units {
  164. 		var found bool
  165. 		for _, team := range teams {
  166. 			if team.unitEnabled(e, u.Type) {
  167. 				m := perm.UnitsMode[u.Type]
  168. 				if m < team.Authorize {
  169. 					perm.UnitsMode[u.Type] = team.Authorize
  170. 				}
  171. 				found = true
  172. 			}
  173. 		}
  174. 

  175. 		// for a public repo on an organization, user have read permission on non-team defined units.

  176. 		if !found && !repo.IsPrivate {
  177. 			if _, ok := perm.UnitsMode[u.Type]; !ok {
  178. 				perm.UnitsMode[u.Type] = AccessModeRead
  179. 			}
  180. 		}
  181. 	}
  182. 

  183. 	// remove no permission units

  184. 	perm.Units = make([]*RepoUnit, 0, len(repo.Units))
  185. 	for t := range perm.UnitsMode {
  186. 		for _, u := range repo.Units {
  187. 			if u.Type == t {
  188. 				perm.Units = append(perm.Units, u)
  189. 			}
  190. 		}
  191. 	}
  192. 

  193. 	return
  194. }
  195. 

  196. // IsUserRepoAdmin return ture if user has admin right of a repo

  197. func IsUserRepoAdmin(repo *Repository, user *User) (bool, error) {
  198. 	return isUserRepoAdmin(x, repo, user)
  199. }
  200. 

  201. func isUserRepoAdmin(e Engine, repo *Repository, user *User) (bool, error) {
  202. 	if user == nil || repo == nil {
  203. 		return false, nil
  204. 	}
  205. 	if user.IsAdmin {
  206. 		return true, nil
  207. 	}
  208. 

  209. 	mode, err := accessLevel(e, user.ID, repo)
  210. 	if err != nil {
  211. 		return false, err
  212. 	}
  213. 	if mode >= AccessModeAdmin {
  214. 		return true, nil
  215. 	}
  216. 

  217. 	teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)
  218. 	if err != nil {
  219. 		return false, err
  220. 	}
  221. 

  222. 	for _, team := range teams {
  223. 		if team.Authorize >= AccessModeAdmin {
  224. 			return true, nil
  225. 		}
  226. 	}
  227. 	return false, nil
  228. }
  229. 

  230. // AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the

  231. // user does not have access.

  232. func AccessLevel(user *User, repo *Repository) (AccessMode, error) {
  233. 	return accessLevelUnit(x, user, repo, UnitTypeCode)
  234. }
  235. 

  236. func accessLevelUnit(e Engine, user *User, repo *Repository, unitType UnitType) (AccessMode, error) {
  237. 	perm, err := getUserRepoPermission(e, repo, user)
  238. 	if err != nil {
  239. 		return AccessModeNone, err
  240. 	}
  241. 	return perm.UnitAccessMode(unitType), nil
  242. }
  243. 

  244. func hasAccessUnit(e Engine, user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
  245. 	mode, err := accessLevelUnit(e, user, repo, unitType)
  246. 	return testMode <= mode, err
  247. }
  248. 

  249. // HasAccessUnit returns ture if user has testMode to the unit of the repository

  250. func HasAccessUnit(user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
  251. 	return hasAccessUnit(x, user, repo, unitType, testMode)
  252. }
  253. 

  254. // canBeAssigned return true if user could be assigned to a repo

  255. // FIXME: user could send PullRequest also could be assigned???

  256. func canBeAssigned(e Engine, user *User, repo *Repository) (bool, error) {
  257. 	return hasAccessUnit(e, user, repo, UnitTypeCode, AccessModeWrite)
  258. }
  259. 

  260. func hasAccess(e Engine, userID int64, repo *Repository) (bool, error) {
  261. 	var user *User
  262. 	var err error
  263. 	if userID > 0 {
  264. 		user, err = getUserByID(e, userID)
  265. 		if err != nil {
  266. 			return false, err
  267. 		}
  268. 	}
  269. 	perm, err := getUserRepoPermission(e, repo, user)
  270. 	if err != nil {
  271. 		return false, err
  272. 	}
  273. 	return perm.HasAccess(), nil
  274. }
  275. 

  276. // HasAccess returns true if user has access to repo

  277. func HasAccess(userID int64, repo *Repository) (bool, error) {
  278. 	return hasAccess(x, userID, repo)
  279. }