Restrict permission check on repositories and fix some problems #5314
Conversation
lunny
added
type/bug
type/refactoring
bkcsoft
added
the
lgtm/need 2
models/repo_permission.go
Outdated
| } | ||
|
|
||
| perm.Units = make([]*RepoUnit, 0, len(repo.Units)) | ||
| for t, _ := range perm.UnitsMode { |
There was a problem hiding this comment.
Lint doesn't like the second argument
|
|
||
| // Collaborators on organization repos will not be limited by teams units | ||
| if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil { | ||
| return perm, err |
There was a problem hiding this comment.
All of the other returns rely on the default named return values.
There was a problem hiding this comment.
Because this err is a local variable not that err return variable.
models/repo_permission.go
Outdated
| if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil { | ||
| return perm, err | ||
| } else if isCollaborator { | ||
| return perm, nil |
| @@ -1,4 +1,5 @@ | |||
| // Copyright 2015 The Gogs Authors. All rights reserved. | |||
| // Copyright 2016 The Gitea Authors. All rights reserved. | |||
There was a problem hiding this comment.
I think maybe 2016 because the file might have been modified then.
There was a problem hiding this comment.
@techknowlogick @zeripath yes. If I explicitly know the file is modified on some year I will change to that year, but will change it to 2018.
Codecov Report
@@ Coverage Diff @@
## master #5314 +/- ##
==========================================
+ Coverage 37.56% 37.59% +0.02%
==========================================
Files 313 315 +2
Lines 46611 46714 +103
==========================================
+ Hits 17510 17560 +50
- Misses 26607 26657 +50
- Partials 2494 2497 +3
Continue to review full report at Codecov.
|
lunny
changed the title
lunny
changed the title
lunny
added
the
pr/breaking
lunny
force-pushed
the
lunny/fix_units_permissions
branch
from
e518b8f
to
2070b5c
Compare
|
Does this PR also fix #4329? |
|
Just place a FIXME and another PR could change that function. This PR will only refactor or fix permissions check. |
lunny
changed the title
|
I think this is ready for review |
lunny
force-pushed
the
lunny/fix_units_permissions
branch
from
ec36aee
to
f90dc26
Compare
|
rebased |
bkcsoft
added
lgtm/need 1
|
@zeripath need your approval. |
bkcsoft
added
lgtm/done
|
@lunny please resolve conflicts |
lunny
force-pushed
the
lunny/fix_units_permissions
branch
from
f90dc26
to
79365d8
Compare
|
@lafriks done. |
|
Sorry @lunny I've been a little busy so haven't been able to keep up with your changes. |
This PR will refactor permission check of repositories, especially units permission check. It will restrict permission check on organization repositories and fix some bugs. It creates a new struct
Permissionand a function to retrieve permission fromUserandRepository.You can know all the permission information from
Permissionand it has been saved oncontext.Contextwhen middlewarerepoAssignmentwas called. After this PR, we removed some functions likeIsRepositoryWriterbecause we don't know that if the repo is on an organization and there are some teams give permission to the user. Instead it providesCanAccess(unit)andCanWrite(unit)to determine if theUsercould read or write tocode,issues,releasesor other units.This also give a break change about a private repository on an organization. When a user on a team has write permission to a repository but he also is a collaborator with read right to that repository. Before this PR, the team settings will be ignored, but in this PR, the higher permission will be given to the user. Don't know it's a bug or a break change. I added the breaking label.