Fix auth when publishing private package as organization

lib/hexpm_web/auth_helpers.ex

@@ -170,32 +170,19 @@ defmodule HexpmWeb.AuthHelpers do
     package_owner(conn.assigns.repository, conn.assigns.package, user_or_organization, opts)
   end
 
-  # def package_owner(%Package{} = package, user_or_organization, opts) do
-  #   package_owner(package.repository, package, user_or_organization, opts)
-  # end
-
-  # def package_owner(repository, nil, %Organization{id: id}, _opts) do
-  #   boolean_to_not_found(repository.organization_id == id)
-  # end
-
   def package_owner(
         %Repository{} = repository,
         %Package{} = package,
-        %Organization{id: id} = organization,
+        %Organization{} = organization,
         opts
       ) do
-    cond do
-      repository.organization_id == id ->
-        :ok
-
-      Packages.owner_with_access?(package, organization.user, opts[:owner_level] || "maintainer") ->
-        :ok
+    owner_level = opts[:owner_level] || "maintainer"
 
-      repository.id == 1 ->
-        {:error, :auth}
-
-      true ->
-        {:error, :not_found}
+    cond do
+      repository.organization_id == organization.id -> :ok
+      Packages.owner_with_access?(package, organization.user, owner_level) -> :ok
+      repository.id == 1 -> {:error, :auth}
+      true -> {:error, :not_found}
     end
   end
 
@@ -215,6 +202,19 @@ defmodule HexpmWeb.AuthHelpers do
     end
   end
 
+  def package_owner(
+        %Repository{} = repository,
+        nil = _package,
+        %Organization{} = organization,
+        _opts
+      ) do
+    cond do
+      repository.id == 1 -> :ok
+      repository.organization_id == organization.id -> :ok
+      true -> {:error, :not_found}
+    end
+  end
+
   def package_owner(%Repository{} = repository, nil = _package, %User{} = user, opts) do
     expected_role = PackageOwner.level_to_organization_role(opts[:owner_level] || "maintainer")
     actual_role = Organizations.get_role(repository.organization, user)

test/hexpm_web/controllers/api/release_controller_test.exs

@@ -827,6 +827,27 @@ defmodule HexpmWeb.API.ReleaseControllerTest do
       assert package.repository_id == repository.id
     end
 
+    test "new package as organization", %{organization: organization, repository: repository} do
+      meta = %{
+        name: Fake.sequence(:package),
+        version: "1.0.0",
+        description: "Domain-specific language."
+      }
+
+      result =
+        build_conn()
+        |> put_req_header("content-type", "application/octet-stream")
+        |> put_req_header("authorization", key_for(organization))
+        |> post("api/repos/#{repository.name}/publish", create_tar(meta))
+        |> json_response(201)
+
+      assert result["url"] =~
+               "api/repos/#{repository.name}/packages/#{meta.name}/releases/1.0.0"
+
+      package = Hexpm.Repo.get_by!(Package, name: meta.name)
+      assert package.repository_id == repository.id
+    end
+
     test "existing package", %{user: user, repository: repository} do
       package =
         insert(
@@ -853,6 +874,25 @@ defmodule HexpmWeb.API.ReleaseControllerTest do
       assert package.repository_id == repository.id
     end
 
+    test "existing package as organization", %{organization: organization, repository: repository} do
+      package = insert(:package, repository_id: repository.id)
+
+      meta = %{name: package.name, version: "1.0.0", description: "Domain-specific language."}
+
+      result =
+        build_conn()
+        |> put_req_header("content-type", "application/octet-stream")
+        |> put_req_header("authorization", key_for(organization))
+        |> post("api/repos/#{repository.name}/publish", create_tar(meta))
+        |> json_response(201)
+
+      assert result["url"] =~
+               "api/repos/#{repository.name}/packages/#{meta.name}/releases/1.0.0"
+
+      package = Hexpm.Repo.get_by!(Package, name: meta.name)
+      assert package.repository_id == repository.id
+    end
+
     test "can update private package after grace period", %{
       user: user,
       repository: repository