New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement API endpoint to link a package to a repo #23851
base: main
Are you sure you want to change the base?
Conversation
@sclu1034 Cloud you update your branch and resolve merge conflicts? |
To satisfy the API's restrictions on write access when linking packages, the test needs to be run with a different user.
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
8b3be5e
to
6e2661b
Compare
Rebased on current |
services/packages/packages.go
Outdated
if !canWrite { | ||
perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | ||
if err != nil { | ||
return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | ||
} | ||
|
||
canWrite = perms.CanWrite(unit.TypePackages) | ||
} | ||
|
||
if !canWrite { | ||
return fmt.Errorf("No permissions to link this package and repository") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if !canWrite { | |
perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | |
if err != nil { | |
return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | |
} | |
canWrite = perms.CanWrite(unit.TypePackages) | |
} | |
if !canWrite { | |
return fmt.Errorf("No permissions to link this package and repository") | |
} | |
perms, err := access_model.GetUserRepoPermission(ctx, repo, doer) | |
if err != nil { | |
return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err) | |
} | |
if !perms.CanWrite(unit.TypePackages) { | |
return fmt.Errorf("No permissions to link this package and repository") | |
} |
It is also possible that packages are disabled for this repo, so I think we should check for all users, not just if user isn't the owner.
Goooooooooooooooooooooooooooooooooooooooooood !!! |
Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
|
||
func LinkPackageToRepository(ctx context.Context, doer *user_model.User, p *packages_model.Package, repoID int64) error { | ||
if repoID != 0 { | ||
repo, err := repo_model.GetRepositoryByID(ctx, repoID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This MUST check if the repo belongs to the package owner. And there should be a test for linking a repo of another user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To avoid further back and forth on permissions, and me doing best-effort guesses, can you give me a detailed run down on who should be allowed to do what?
routers/api/v1/packages/package.go
Outdated
// - name: repo | ||
// in: query | ||
// description: ID of the repository to link | ||
// type: integer | ||
// required: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be nice if you can't just pass the repository id (which you don't have usually) but the repo name.
Could have two parameters repo_id=...
and repo_name=...
. The endpoint should choose the matching repo then. Could prefer the id over the name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not particularly proud of how my code parsing those two parameters turned out, but I didn't find any useful utilities.
Any ideas to improve 221dcdc
?
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Closes #21062.