Restricted users

[mnsh]

First part of an implementation of restricted users (#4334), as described in this comment.

Implemented so far:

• Access checking when actaully accessing an org, repo or repo sub-unit
• Filtering of results when browsing an org
• Filtering of results when exploring repos and orgs

Remaining bits:

• Filter results when exploring users
• Filter /org/orgname/dashboard content
• Ability for external users to create organizations and repositories (separate option for count limit)

[lafriks]

Would be nice to add this option also to auth source so that all users from this auth source would get restricted option set automatically

[codecov-io]

Codecov Report

Merging #6274 into master will increase coverage by 0.01%.
The diff coverage is 77.77%.

@@            Coverage Diff             @@
##           master    #6274      +/-   ##
==========================================
+ Coverage   42.29%   42.31%   +0.01%     
==========================================
  Files         598      598              
  Lines       78299    78318      +19     
==========================================
+ Hits        33118    33138      +20     
- Misses      41125    41126       +1     
+ Partials     4056     4054       -2

Impacted Files	Coverage Δ
models/issue_comment.go	46.4% <100%> (+0.79%)	⬆️
routers/api/v1/repo/issue_comment.go	56.33% <75%> (+1.17%)	⬆️
services/pull/check.go	53.37% <0%> (-2.03%)	⬇️
models/gpg_key.go	55.59% <0%> (+0.55%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eaed6b3...a54d9d6. Read the comment docs.

[mnsh]

All parts should now behave as described, with one exception: Explore / Users lists all registered users. Since user-owned public repos are properly "handled" (access & visibility), that doesn't feel like a problem.

There are several places where the code picks between using models.GetSomethings(lots of args) and SearchSomethings(opts) based on whether a search string is provided (eg. if len(keyword) == 0). Instead of adding yet another argument to a like 7 argument func, I chose to always use the SearchSomething(opts) method (where the opts struct now contains Actor). Does this make sense?

Any feedback is appreciated.

[mnsh]

@lafriks allowing auth sources to set or force an is_restricted value is indeed a good idea deserving it's own PR; this one feels big enough as it is.

Is this starting to look somewhat mergeable? Any feedback is appreciated.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[kokarn]

Any progress on this? @lafriks ?

[mnsh]

Any chance of merging this soon @lafriks @lunny ?

[lafriks]

Did not still want to approve :)

[lafriks]

Sorry for so many iterations in reviews, good work ;)

[lunny]

For a restricted user, all repositories are private repositories. So we could only change function getUserRepoPermission on models/repo_permission.go and also SearchRepository to make repo as private if user is a restricted one.

[mnsh]

So, what now? =)

[kokarn]

So if this is approved by 2 people, when can it be merged? Seems like there will be a lot of rebasing otherwise

[6543]

@mnsh can you "Update Branch" - CI should work now

[sapk]

@mnsh @6543 I have done it for you.

[mnsh]

thankst @sapk

[sapk]

Thanks @mnsh for the works.

[mnsh]

Yess!

Thanks to everyone involved.