You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

349 lines
9.0 KiB

  1. // Copyright 2018 The Gitea Authors. All rights reserved.
  2. // Use of this source code is governed by a MIT-style
  3. // license that can be found in the LICENSE file.
  4. package models
  5. import (
  6. "fmt"
  7. "code.gitea.io/gitea/modules/log"
  8. )
  9. // Permission contains all the permissions related variables to a repository for a user
  10. type Permission struct {
  11. AccessMode AccessMode
  12. Units []*RepoUnit
  13. UnitsMode map[UnitType]AccessMode
  14. }
  15. // IsOwner returns true if current user is the owner of repository.
  16. func (p *Permission) IsOwner() bool {
  17. return p.AccessMode >= AccessModeOwner
  18. }
  19. // IsAdmin returns true if current user has admin or higher access of repository.
  20. func (p *Permission) IsAdmin() bool {
  21. return p.AccessMode >= AccessModeAdmin
  22. }
  23. // HasAccess returns true if the current user has at least read access to any unit of this repository
  24. func (p *Permission) HasAccess() bool {
  25. if p.UnitsMode == nil {
  26. return p.AccessMode >= AccessModeRead
  27. }
  28. return len(p.UnitsMode) > 0
  29. }
  30. // UnitAccessMode returns current user accessmode to the specify unit of the repository
  31. func (p *Permission) UnitAccessMode(unitType UnitType) AccessMode {
  32. if p.UnitsMode == nil {
  33. for _, u := range p.Units {
  34. if u.Type == unitType {
  35. return p.AccessMode
  36. }
  37. }
  38. return AccessModeNone
  39. }
  40. return p.UnitsMode[unitType]
  41. }
  42. // CanAccess returns true if user has mode access to the unit of the repository
  43. func (p *Permission) CanAccess(mode AccessMode, unitType UnitType) bool {
  44. return p.UnitAccessMode(unitType) >= mode
  45. }
  46. // CanAccessAny returns true if user has mode access to any of the units of the repository
  47. func (p *Permission) CanAccessAny(mode AccessMode, unitTypes ...UnitType) bool {
  48. for _, u := range unitTypes {
  49. if p.CanAccess(mode, u) {
  50. return true
  51. }
  52. }
  53. return false
  54. }
  55. // CanRead returns true if user could read to this unit
  56. func (p *Permission) CanRead(unitType UnitType) bool {
  57. return p.CanAccess(AccessModeRead, unitType)
  58. }
  59. // CanReadAny returns true if user has read access to any of the units of the repository
  60. func (p *Permission) CanReadAny(unitTypes ...UnitType) bool {
  61. return p.CanAccessAny(AccessModeRead, unitTypes...)
  62. }
  63. // CanReadIssuesOrPulls returns true if isPull is true and user could read pull requests and
  64. // returns true if isPull is false and user could read to issues
  65. func (p *Permission) CanReadIssuesOrPulls(isPull bool) bool {
  66. if isPull {
  67. return p.CanRead(UnitTypePullRequests)
  68. }
  69. return p.CanRead(UnitTypeIssues)
  70. }
  71. // CanWrite returns true if user could write to this unit
  72. func (p *Permission) CanWrite(unitType UnitType) bool {
  73. return p.CanAccess(AccessModeWrite, unitType)
  74. }
  75. // CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and
  76. // returns true if isPull is false and user could write to issues
  77. func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {
  78. if isPull {
  79. return p.CanWrite(UnitTypePullRequests)
  80. }
  81. return p.CanWrite(UnitTypeIssues)
  82. }
  83. // ColorFormat writes a colored string for these Permissions
  84. func (p *Permission) ColorFormat(s fmt.State) {
  85. noColor := log.ColorBytes(log.Reset)
  86. format := "AccessMode: %-v, %d Units, %d UnitsMode(s): [ "
  87. args := []interface{}{
  88. p.AccessMode,
  89. log.NewColoredValueBytes(len(p.Units), &noColor),
  90. log.NewColoredValueBytes(len(p.UnitsMode), &noColor),
  91. }
  92. if s.Flag('+') {
  93. for i, unit := range p.Units {
  94. config := ""
  95. if unit.Config != nil {
  96. configBytes, err := unit.Config.ToDB()
  97. config = string(configBytes)
  98. if err != nil {
  99. config = string(err.Error())
  100. }
  101. }
  102. format += "\nUnits[%d]: ID: %d RepoID: %d Type: %-v Config: %s"
  103. args = append(args,
  104. log.NewColoredValueBytes(i, &noColor),
  105. log.NewColoredIDValue(unit.ID),
  106. log.NewColoredIDValue(unit.RepoID),
  107. unit.Type,
  108. config)
  109. }
  110. for key, value := range p.UnitsMode {
  111. format += "\nUnitMode[%-v]: %-v"
  112. args = append(args,
  113. key,
  114. value)
  115. }
  116. } else {
  117. format += "..."
  118. }
  119. format += " ]"
  120. log.ColorFprintf(s, format, args...)
  121. }
  122. // GetUserRepoPermission returns the user permissions to the repository
  123. func GetUserRepoPermission(repo *Repository, user *User) (Permission, error) {
  124. return getUserRepoPermission(x, repo, user)
  125. }
  126. func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permission, err error) {
  127. if log.IsTrace() {
  128. defer func() {
  129. if user == nil {
  130. log.Trace("Permission Loaded for anonymous user in %-v:\nPermissions: %-+v",
  131. repo,
  132. perm)
  133. return
  134. }
  135. log.Trace("Permission Loaded for %-v in %-v:\nPermissions: %-+v",
  136. user,
  137. repo,
  138. perm)
  139. }()
  140. }
  141. // anonymous user visit private repo.
  142. // TODO: anonymous user visit public unit of private repo???
  143. if user == nil && repo.IsPrivate {
  144. perm.AccessMode = AccessModeNone
  145. return
  146. }
  147. if repo.Owner == nil {
  148. repo.mustOwner(e)
  149. }
  150. if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) {
  151. perm.AccessMode = AccessModeNone
  152. return
  153. }
  154. if err = repo.getUnits(e); err != nil {
  155. return
  156. }
  157. perm.Units = repo.Units
  158. // anonymous visit public repo
  159. if user == nil {
  160. perm.AccessMode = AccessModeRead
  161. return
  162. }
  163. // Admin or the owner has super access to the repository
  164. if user.IsAdmin || user.ID == repo.OwnerID {
  165. perm.AccessMode = AccessModeOwner
  166. return
  167. }
  168. // plain user
  169. perm.AccessMode, err = accessLevel(e, user.ID, repo)
  170. if err != nil {
  171. return
  172. }
  173. if err = repo.getOwner(e); err != nil {
  174. return
  175. }
  176. if !repo.Owner.IsOrganization() {
  177. return
  178. }
  179. perm.UnitsMode = make(map[UnitType]AccessMode)
  180. // Collaborators on organization
  181. if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil {
  182. return perm, err
  183. } else if isCollaborator {
  184. for _, u := range repo.Units {
  185. perm.UnitsMode[u.Type] = perm.AccessMode
  186. }
  187. }
  188. // get units mode from teams
  189. teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)
  190. if err != nil {
  191. return
  192. }
  193. // if user in an owner team
  194. for _, team := range teams {
  195. if team.Authorize >= AccessModeOwner {
  196. perm.AccessMode = AccessModeOwner
  197. perm.UnitsMode = nil
  198. return
  199. }
  200. }
  201. for _, u := range repo.Units {
  202. var found bool
  203. for _, team := range teams {
  204. if team.unitEnabled(e, u.Type) {
  205. m := perm.UnitsMode[u.Type]
  206. if m < team.Authorize {
  207. perm.UnitsMode[u.Type] = team.Authorize
  208. }
  209. found = true
  210. }
  211. }
  212. // for a public repo on an organization, user have read permission on non-team defined units.
  213. if !found && !repo.IsPrivate {
  214. if _, ok := perm.UnitsMode[u.Type]; !ok {
  215. perm.UnitsMode[u.Type] = AccessModeRead
  216. }
  217. }
  218. }
  219. // remove no permission units
  220. perm.Units = make([]*RepoUnit, 0, len(repo.Units))
  221. for t := range perm.UnitsMode {
  222. for _, u := range repo.Units {
  223. if u.Type == t {
  224. perm.Units = append(perm.Units, u)
  225. }
  226. }
  227. }
  228. return
  229. }
  230. // IsUserRepoAdmin return ture if user has admin right of a repo
  231. func IsUserRepoAdmin(repo *Repository, user *User) (bool, error) {
  232. return isUserRepoAdmin(x, repo, user)
  233. }
  234. func isUserRepoAdmin(e Engine, repo *Repository, user *User) (bool, error) {
  235. if user == nil || repo == nil {
  236. return false, nil
  237. }
  238. if user.IsAdmin {
  239. return true, nil
  240. }
  241. mode, err := accessLevel(e, user.ID, repo)
  242. if err != nil {
  243. return false, err
  244. }
  245. if mode >= AccessModeAdmin {
  246. return true, nil
  247. }
  248. teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)
  249. if err != nil {
  250. return false, err
  251. }
  252. for _, team := range teams {
  253. if team.Authorize >= AccessModeAdmin {
  254. return true, nil
  255. }
  256. }
  257. return false, nil
  258. }
  259. // AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the
  260. // user does not have access.
  261. func AccessLevel(user *User, repo *Repository) (AccessMode, error) {
  262. return accessLevelUnit(x, user, repo, UnitTypeCode)
  263. }
  264. func accessLevelUnit(e Engine, user *User, repo *Repository, unitType UnitType) (AccessMode, error) {
  265. perm, err := getUserRepoPermission(e, repo, user)
  266. if err != nil {
  267. return AccessModeNone, err
  268. }
  269. return perm.UnitAccessMode(unitType), nil
  270. }
  271. func hasAccessUnit(e Engine, user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
  272. mode, err := accessLevelUnit(e, user, repo, unitType)
  273. return testMode <= mode, err
  274. }
  275. // HasAccessUnit returns ture if user has testMode to the unit of the repository
  276. func HasAccessUnit(user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {
  277. return hasAccessUnit(x, user, repo, unitType, testMode)
  278. }
  279. // canBeAssigned return true if user could be assigned to a repo
  280. // FIXME: user could send PullRequest also could be assigned???
  281. func canBeAssigned(e Engine, user *User, repo *Repository) (bool, error) {
  282. return hasAccessUnit(e, user, repo, UnitTypeCode, AccessModeWrite)
  283. }
  284. func hasAccess(e Engine, userID int64, repo *Repository) (bool, error) {
  285. var user *User
  286. var err error
  287. if userID > 0 {
  288. user, err = getUserByID(e, userID)
  289. if err != nil {
  290. return false, err
  291. }
  292. }
  293. perm, err := getUserRepoPermission(e, repo, user)
  294. if err != nil {
  295. return false, err
  296. }
  297. return perm.HasAccess(), nil
  298. }
  299. // HasAccess returns true if user has access to repo
  300. func HasAccess(userID int64, repo *Repository) (bool, error) {
  301. return hasAccess(x, userID, repo)
  302. }