Implement API endpoint to link a package to a repo #23851
Conversation
silverwind
added
type/feature
GiteaBot
added
lgtm/need 2
pull-request-size
bot
added
the
size/L
|
@sclu1034 Cloud you update your branch and resolve merge conflicts? |
To satisfy the API's restrictions on write access when linking packages, the test needs to be run with a different user.
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
sclu1034
force-pushed
the
feat/link-package-api
branch
from
8b3be5e
to
6e2661b
Compare
|
Rebased on current |
services/packages/packages.go
Outdated
| if !canWrite { | ||
| perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | ||
| if err != nil { | ||
| return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | ||
| } | ||
|
|
||
| canWrite = perms.CanWrite(unit.TypePackages) | ||
| } | ||
|
|
||
| if !canWrite { | ||
| return fmt.Errorf("No permissions to link this package and repository") | ||
| } |
There was a problem hiding this comment.
| if !canWrite { | |
| perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | |
| if err != nil { | |
| return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | |
| } | |
| canWrite = perms.CanWrite(unit.TypePackages) | |
| } | |
| if !canWrite { | |
| return fmt.Errorf("No permissions to link this package and repository") | |
| } | |
| perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | |
| if err != nil { | |
| return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | |
| } | |
| if !perms.CanWrite(unit.TypePackages) { | |
| return fmt.Errorf("No permissions to link this package and repository") | |
| } |
It is also possible that packages are disabled for this repo, so I think we should check for all users, not just if user isn't the owner.
|
Goooooooooooooooooooooooooooooooooooooooooood !!! |
Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
|
|
||
| func LinkPackageToRepository(ctx context.Context, doer *user_model.User, p *packages_model.Package, repoID int64) error { | ||
| if repoID != 0 { | ||
| repo, err := repo_model.GetRepositoryByID(ctx, repoID) |
There was a problem hiding this comment.
This MUST check if the repo belongs to the package owner. And there should be a test for linking a repo of another user.
There was a problem hiding this comment.
To avoid further back and forth on permissions, and me doing best-effort guesses, can you give me a detailed run down on who should be allowed to do what?
routers/api/v1/packages/package.go
Outdated
| // - name: repo | ||
| // in: query | ||
| // description: ID of the repository to link | ||
| // type: integer | ||
| // required: true |
There was a problem hiding this comment.
Would be nice if you can't just pass the repository id (which you don't have usually) but the repo name.
Could have two parameters repo_id=... and repo_name=.... The endpoint should choose the matching repo then. Could prefer the id over the name.
There was a problem hiding this comment.
Not particularly proud of how my code parsing those two parameters turned out, but I didn't find any useful utilities.
Any ideas to improve 221dcdc?
GiteaBot
added
lgtm/blocked
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Closes #21062.