From 34650ad1b23e287e447ac0deaf3d93fa8f31357e Mon Sep 17 00:00:00 2001
From: wxiaoguang <wxiaoguang@gmail.com>
Date: Mon, 15 Apr 2024 22:01:00 +0800
Subject: [PATCH] fix permission check

---
 models/perm/access/repo_permission.go      | 17 ++++++++++-------
 models/perm/access/repo_permission_test.go | 12 ++++++++++--
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 22b26e8f4398..f9d76729725f 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 )
 
 // Permission contains all the permissions related variables to a repository for a user
@@ -40,15 +41,17 @@ func (p *Permission) HasAccess() bool {
 
 // UnitAccessMode returns current user access mode to the specify unit of the repository
 func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
-	if len(p.UnitsMode) == 0 {
-		for _, u := range p.Units {
-			if u.Type == unitType {
-				return p.AccessMode
-			}
+	// if the units map contains the access mode, use it, but admin/owner mode could override it
+	if m, ok := p.UnitsMode[unitType]; ok {
+		return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)
+	}
+	// if the units map does not contain the access mode, return the default access mode if the unit exists
+	for _, u := range p.Units {
+		if u.Type == unitType {
+			return p.AccessMode
 		}
-		return perm_model.AccessModeNone
 	}
-	return p.UnitsMode[unitType]
+	return perm_model.AccessModeNone
 }
 
 // CanAccess returns true if user has mode access to the unit of the repository
diff --git a/models/perm/access/repo_permission_test.go b/models/perm/access/repo_permission_test.go
index 2effd58e6449..f55bf77aa4a1 100644
--- a/models/perm/access/repo_permission_test.go
+++ b/models/perm/access/repo_permission_test.go
@@ -49,7 +49,15 @@ func TestUnitAccessMode(t *testing.T) {
 	assert.Equal(t, perm_model.AccessModeOwner, perm.UnitAccessMode(unit.TypeWiki), "only unit no map, use AccessMode")
 
 	perm = Permission{
-		AccessMode: perm_model.AccessModeOwner,
+		AccessMode: perm_model.AccessModeAdmin,
+		UnitsMode: map[unit.Type]perm_model.AccessMode{
+			unit.TypeWiki: perm_model.AccessModeRead,
+		},
+	}
+	assert.Equal(t, perm_model.AccessModeAdmin, perm.UnitAccessMode(unit.TypeWiki), "no unit only map, admin overrides map")
+
+	perm = Permission{
+		AccessMode: perm_model.AccessModeNone,
 		UnitsMode: map[unit.Type]perm_model.AccessMode{
 			unit.TypeWiki: perm_model.AccessModeRead,
 		},
@@ -57,7 +65,7 @@ func TestUnitAccessMode(t *testing.T) {
 	assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "no unit only map, use map")
 
 	perm = Permission{
-		AccessMode: perm_model.AccessModeOwner,
+		AccessMode: perm_model.AccessModeNone,
 		Units: []*repo_model.RepoUnit{
 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeWrite},
 		},