Refactoring of the Access Table

This commit does a lot of the work of refactoring the access table in a table with id's instead of strings.

The result does compile, but has not been tested. It may eat your kittens.

diff --git a/cmd/serve.go b/cmd/serve.go
index e957d45de77fec86d15402287b9b5efe5c86f973..62e5d14374ead5262447ce6965db801ebc32726b 100644 (file)
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -8,7 +8,6 @@ import (
        "fmt"
        "os"
        "os/exec"
-       "path"
        "path/filepath"
        "strings"
        "time"
@@ -67,19 +66,19 @@ func parseCmd(cmd string) (string, string) {
 }
 
 var (
-       COMMANDS_READONLY = map[string]models.AccessType{
-               "git-upload-pack":    models.WRITABLE,
-               "git upload-pack":    models.WRITABLE,
-               "git-upload-archive": models.WRITABLE,
+       COMMANDS_READONLY = map[string]models.AccessMode{
+               "git-upload-pack":    models.WriteAccess,
+               "git upload-pack":    models.WriteAccess,
+               "git-upload-archive": models.WriteAccess,
        }
 
-       COMMANDS_WRITE = map[string]models.AccessType{
-               "git-receive-pack": models.READABLE,
-               "git receive-pack": models.READABLE,
+       COMMANDS_WRITE = map[string]models.AccessMode{
+               "git-receive-pack": models.ReadAccess,
+               "git receive-pack": models.ReadAccess,
        }
 )
 
-func In(b string, sl map[string]models.AccessType) bool {
+func In(b string, sl map[string]models.AccessMode) bool {
        _, e := sl[b]
        return e
 }
@@ -144,9 +143,19 @@ func runServ(k *cli.Context) {
        }
 
        // Access check.
+       repo, err := models.GetRepositoryByName(repoUser.Id, repoName)
+       if err != nil {
+               if err == models.ErrRepoNotExist {
+                       println("Gogs: given repository does not exist")
+                       log.GitLogger.Fatal(2, "Repository does not exist: %s/%s", repoUser.Name, repoName)
+               }
+               println("Gogs: internal error:", err.Error())
+               log.GitLogger.Fatal(2, "Fail to get repository: %v", err)
+       }
+
        switch {
        case isWrite:
-               has, err := models.HasAccess(user.Name, path.Join(repoUserName, repoName), models.WRITABLE)
+               has, err := models.HasAccess(user, repo, models.WriteAccess)
                if err != nil {
                        println("Gogs: internal error:", err.Error())
                        log.GitLogger.Fatal(2, "Fail to check write access:", err)
@@ -155,21 +164,11 @@ func runServ(k *cli.Context) {
                        log.GitLogger.Fatal(2, "User %s has no right to write repository %s", user.Name, repoPath)
                }
        case isRead:
-               repo, err := models.GetRepositoryByName(repoUser.Id, repoName)
-               if err != nil {
-                       if err == models.ErrRepoNotExist {
-                               println("Gogs: given repository does not exist")
-                               log.GitLogger.Fatal(2, "Repository does not exist: %s/%s", repoUser.Name, repoName)
-                       }
-                       println("Gogs: internal error:", err.Error())
-                       log.GitLogger.Fatal(2, "Fail to get repository: %v", err)
-               }
-
                if !repo.IsPrivate {
                        break
                }
 
-               has, err := models.HasAccess(user.Name, path.Join(repoUserName, repoName), models.READABLE)
+               has, err := models.HasAccess(user, repo, models.ReadAccess)
                if err != nil {
                        println("Gogs: internal error:", err.Error())
                        log.GitLogger.Fatal(2, "Fail to check read access:", err)

diff --git a/models/access.go b/models/access.go
index 6df1da29bca742f0511b200f6c7999e149b2cf5d..d85f24cd06897eb958a48b52fb5da380c27d6e8a 100644 (file)
--- a/models/access.go
+++ b/models/access.go
@@ -4,95 +4,76 @@
 
 package models
 
-import (
-       "strings"
-       "time"
-)
-
-type AccessType int
+type AccessMode int
 
 const (
-       READABLE AccessType = iota + 1
-       WRITABLE
+       NoAccess AccessMode = iota
+       ReadAccess
+       WriteAccess
+       AdminAccess
+       OwnerAccess
 )
 
-// Access represents the accessibility of user to repository.
-type Access struct {
-       Id       int64
-       UserName string     `xorm:"UNIQUE(s)"`
-       RepoName string     `xorm:"UNIQUE(s)"` // <user name>/<repo name>
-       Mode     AccessType `xorm:"UNIQUE(s)"`
-       Created  time.Time  `xorm:"CREATED"`
+func maxAccessMode(modes ...AccessMode) AccessMode {
+       max := NoAccess
+       for _, mode := range modes {
+               if mode > max {
+                       max = mode
+               }
+       }
+       return max
 }
 
-func addAccess(e Engine, access *Access) error {
-       access.UserName = strings.ToLower(access.UserName)
-       access.RepoName = strings.ToLower(access.RepoName)
-       _, err := e.Insert(access)
-       return err
+// Access represents the highest access level of a user to the repository. The only access type
+// that is not in this table is the real owner of a repository. In case of an organization
+// repository, the members of the owners team are in this table.
+type Access struct {
+       ID     int64 `xorm:"pk autoincr"`
+       UserID int64 `xorm:"UNIQUE(s)"`
+       RepoID int64 `xorm:"UNIQUE(s)"`
+       Mode   AccessMode
 }
 
-// AddAccess adds new access record.
-func AddAccess(access *Access) error {
-       return addAccess(x, access)
+// HasAccess returns true if someone has the request access level. User can be nil!
+func HasAccess(u *User, r *Repository, testMode AccessMode) (bool, error) {
+       mode, err := AccessLevel(u, r)
+       return testMode <= mode, err
 }
 
-func updateAccess(e Engine, access *Access) error {
-       if _, err := e.Id(access.Id).Update(access); err != nil {
-               return err
+// Return the Access a user has to a repository. Will return NoneAccess if the
+// user does not have access. User can be nil!
+func AccessLevel(u *User, r *Repository) (AccessMode, error) {
+       mode := NoAccess
+       if !r.IsPrivate {
+               mode = ReadAccess
        }
-       return nil
-}
-
-// UpdateAccess updates access information.
-func UpdateAccess(access *Access) error {
-       access.UserName = strings.ToLower(access.UserName)
-       access.RepoName = strings.ToLower(access.RepoName)
-       return updateAccess(x, access)
-}
-
-func deleteAccess(e Engine, access *Access) error {
-       _, err := e.Delete(access)
-       return err
-}
 
-// DeleteAccess deletes access record.
-func DeleteAccess(access *Access) error {
-       return deleteAccess(x, access)
-}
+       if u != nil {
+               if u.Id == r.OwnerId {
+                       return OwnerAccess, nil
+               }
 
-// HasAccess returns true if someone can read or write to given repository.
-// The repoName should be in format <username>/<reponame>.
-func HasAccess(uname, repoName string, mode AccessType) (bool, error) {
-       if len(repoName) == 0 {
-               return false, nil
-       }
-       access := &Access{
-               UserName: strings.ToLower(uname),
-               RepoName: strings.ToLower(repoName),
-       }
-       has, err := x.Get(access)
-       if err != nil {
-               return false, err
-       } else if !has {
-               return false, nil
-       } else if mode > access.Mode {
-               return false, nil
+               a := &Access{UserID: u.Id, RepoID: r.Id}
+               if has, err := x.Get(a); !has || err != nil {
+                       return mode, err
+               }
+               return a.Mode, nil
        }
-       return true, nil
+
+       return mode, nil
 }
 
 // GetAccessibleRepositories finds all repositories where a user has access to,
 // besides his own.
-func (u *User) GetAccessibleRepositories() (map[*Repository]AccessType, error) {
+func (u *User) GetAccessibleRepositories() (map[*Repository]AccessMode, error) {
        accesses := make([]*Access, 0, 10)
-       if err := x.Find(&accesses, &Access{UserName: u.LowerName}); err != nil {
+       if err := x.Find(&accesses, &Access{UserID: u.Id}); err != nil {
                return nil, err
        }
 
-       repos := make(map[*Repository]AccessType, len(accesses))
+       repos := make(map[*Repository]AccessMode, len(accesses))
        for _, access := range accesses {
-               repo, err := GetRepositoryByRef(access.RepoName)
+               repo, err := GetRepositoryById(access.RepoID)
                if err != nil {
                        return nil, err
                }
@@ -106,3 +87,65 @@ func (u *User) GetAccessibleRepositories() (map[*Repository]AccessType, error) {
 
        return repos, nil
 }
+
+// Recalculate all accesses for repository
+func (r *Repository) RecalcAccessSess() error {
+       accessMap := make(map[int64]AccessMode, 20)
+
+       // Give all collaborators write access
+       collaborators, err := r.GetCollaborators()
+       if err != nil {
+               return err
+       }
+       for _, c := range collaborators {
+               accessMap[c.Id] = WriteAccess
+       }
+
+       if err := r.GetOwner(); err != nil {
+               return err
+       }
+       if r.Owner.IsOrganization() {
+               if err = r.Owner.GetTeams(); err != nil {
+                       return err
+               }
+
+               for _, team := range r.Owner.Teams {
+                       if !(team.IsOwnerTeam() || team.HasRepository(r)) {
+                               continue
+                       }
+
+                       if err = team.GetMembers(); err != nil {
+                               return err
+                       }
+                       for _, u := range team.Members {
+                               accessMap[u.Id] = maxAccessMode(accessMap[u.Id], team.Authorize)
+                       }
+               }
+       }
+
+       minMode := ReadAccess
+       if !r.IsPrivate {
+               minMode = WriteAccess
+       }
+
+       newAccesses := make([]Access, 0, len(accessMap))
+       for userID, mode := range accessMap {
+               if userID == r.OwnerId || mode <= minMode {
+                       continue
+               }
+               newAccesses = append(newAccesses, Access{UserID: userID, RepoID: r.Id, Mode: mode})
+       }
+
+       // Delete old accesses for repository
+       if _, err = x.Delete(&Access{RepoID: r.Id}); err != nil {
+               return err
+       }
+
+       // And insert the new ones
+       if _, err = x.Insert(newAccesses); err != nil {
+               return err
+       }
+
+       return nil
+
+}

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 814564e9af774b1b2688c670f444d95c34d98215..1510bafdb640bd8f76abbe969fb596bdefc17afd 100644 (file)
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -47,10 +47,11 @@ type Version struct {
 }
 
 // This is a sequence of migrations. Add new migrations to the bottom of the list.
-// If you want to "retire" a migration, remove it from the top of the list and 
-// update _MIN_VER_DB accordingly 
+// If you want to "retire" a migration, remove it from the top of the list and
+// update _MIN_VER_DB accordingly
 var migrations = []Migration{
        NewMigration("generate collaboration from access", accessToCollaboration), // V0 -> V1
+       NewMigration("refactor access table to use id's", accessRefactor),         // V1 -> V2
 }
 
 // Migrate database to current version
@@ -206,3 +207,8 @@ func accessToCollaboration(x *xorm.Engine) error {
 
        return sess.Commit()
 }
+
+func accessRefactor(x *xorm.Engine) error {
+       //TODO
+       return nil
+}

diff --git a/models/org.go b/models/org.go
index 3d37a37d69ea39ed48470e5e31628400bde3881c..775caa86399d8fc1ec43d9ec6edbb11860aee356 100644 (file)
--- a/models/org.go
+++ b/models/org.go
@@ -6,9 +6,7 @@ package models
 
 import (
        "errors"
-       "fmt"
        "os"
-       "path"
        "strings"
 
        "github.com/Unknwon/com"
@@ -136,7 +134,7 @@ func CreateOrganization(org, owner *User) (*User, error) {
                OrgId:      org.Id,
                LowerName:  strings.ToLower(OWNER_TEAM),
                Name:       OWNER_TEAM,
-               Authorize:  ORG_ADMIN,
+               Authorize:  OwnerAccess,
                NumMembers: 1,
        }
        if _, err = sess.Insert(t); err != nil {
@@ -371,10 +369,10 @@ func RemoveOrgUser(orgId, uid int64) error {
                return err
        }
        access := &Access{
-               UserName: u.LowerName,
+               UserID: u.Id,
        }
        for _, repo := range org.Repos {
-               access.RepoName = path.Join(org.LowerName, repo.LowerName)
+               access.RepoID = repo.Id
                if _, err = sess.Delete(access); err != nil {
                        sess.Rollback()
                        return err
@@ -405,21 +403,6 @@ func RemoveOrgUser(orgId, uid int64) error {
 //   |____| \___  >____  /__|_|  /
 //              \/     \/      \/
 
-type AuthorizeType int
-
-const (
-       ORG_READABLE AuthorizeType = iota + 1
-       ORG_WRITABLE
-       ORG_ADMIN
-)
-
-func AuthorizeToAccessType(auth AuthorizeType) AccessType {
-       if auth == ORG_READABLE {
-               return READABLE
-       }
-       return WRITABLE
-}
-
 const OWNER_TEAM = "Owners"
 
 // Team represents a organization team.
@@ -429,7 +412,7 @@ type Team struct {
        LowerName   string
        Name        string
        Description string
-       Authorize   AuthorizeType
+       Authorize   AccessMode
        RepoIds     string        `xorm:"TEXT"`
        Repos       []*Repository `xorm:"-"`
        Members     []*User       `xorm:"-"`
@@ -484,25 +467,6 @@ func (t *Team) RemoveMember(uid int64) error {
        return RemoveTeamMember(t.OrgId, t.Id, uid)
 }
 
-// addAccessWithAuthorize inserts or updates access with given mode.
-func addAccessWithAuthorize(e Engine, access *Access, mode AccessType) error {
-       has, err := e.Get(access)
-       if err != nil {
-               return fmt.Errorf("fail to get access: %v", err)
-       }
-       access.Mode = mode
-       if has {
-               if _, err = e.Id(access.Id).Update(access); err != nil {
-                       return fmt.Errorf("fail to update access: %v", err)
-               }
-       } else {
-               if _, err = e.Insert(access); err != nil {
-                       return fmt.Errorf("fail to insert access: %v", err)
-               }
-       }
-       return nil
-}
-
 // AddRepository adds new repository to team of organization.
 func (t *Team) AddRepository(repo *Repository) (err error) {
        idStr := "$" + com.ToStr(repo.Id) + "|"
@@ -531,27 +495,13 @@ func (t *Team) AddRepository(repo *Repository) (err error) {
                return err
        }
 
-       // Give access to team members.
-       mode := AuthorizeToAccessType(t.Authorize)
+       if err = repo.RecalcAccessSess(); err != nil {
+               sess.Rollback()
+               return err
+       }
 
        for _, u := range t.Members {
-               auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, t.Id)
-               if err != nil {
-                       sess.Rollback()
-                       return err
-               }
-
-               access := &Access{
-                       UserName: u.LowerName,
-                       RepoName: path.Join(repo.Owner.LowerName, repo.LowerName),
-               }
-               if auth < t.Authorize {
-                       if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-               }
-               if err = watchRepo(sess, u.Id, repo.Id, true); err != nil {
+               if err = WatchRepo(u.Id, repo.Id, true); err != nil {
                        sess.Rollback()
                        return err
                }
@@ -559,6 +509,11 @@ func (t *Team) AddRepository(repo *Repository) (err error) {
        return sess.Commit()
 }
 
+func (t *Team) HasRepository(r *Repository) bool {
+       idStr := "$" + com.ToStr(r.Id) + "|"
+       return strings.Contains(t.RepoIds, idStr)
+}
+
 // RemoveRepository removes repository from team of organization.
 func (t *Team) RemoveRepository(repoId int64) error {
        idStr := "$" + com.ToStr(repoId) + "|"
@@ -590,32 +545,16 @@ func (t *Team) RemoveRepository(repoId int64) error {
                return err
        }
 
-       // Remove access to team members.
+       if err = repo.RecalcAccessSess(); err != nil {
+               sess.Rollback()
+               return err
+       }
+
        for _, u := range t.Members {
-               auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, t.Id)
-               if err != nil {
+               if err = WatchRepo(u.Id, repo.Id, false); err != nil {
                        sess.Rollback()
                        return err
                }
-
-               access := &Access{
-                       UserName: u.LowerName,
-                       RepoName: path.Join(repo.Owner.LowerName, repo.LowerName),
-               }
-               if auth == 0 {
-                       if _, err = sess.Delete(access); err != nil {
-                               sess.Rollback()
-                               return fmt.Errorf("fail to delete access: %v", err)
-                       } else if err = watchRepo(sess, u.Id, repo.Id, false); err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-               } else if auth < t.Authorize {
-                       if err = addAccessWithAuthorize(sess, access, AuthorizeToAccessType(auth)); err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-               }
        }
 
        return sess.Commit()
@@ -693,34 +632,6 @@ func GetTeamById(teamId int64) (*Team, error) {
        return getTeamById(x, teamId)
 }
 
-func getHighestAuthorize(e Engine, orgId, uid, repoId, teamId int64) (AuthorizeType, error) {
-       ts, err := getUserTeams(e, orgId, uid)
-       if err != nil {
-               return 0, err
-       }
-
-       var auth AuthorizeType = 0
-       for _, t := range ts {
-               // Not current team and has given repository.
-               if t.Id != teamId && strings.Contains(t.RepoIds, "$"+com.ToStr(repoId)+"|") {
-                       // Fast return.
-                       if t.Authorize == ORG_WRITABLE {
-                               return ORG_WRITABLE, nil
-                       }
-                       if t.Authorize > auth {
-                               auth = t.Authorize
-                       }
-               }
-       }
-
-       return auth, nil
-}
-
-// GetHighestAuthorize returns highest repository authorize level for given user and team.
-func GetHighestAuthorize(orgId, uid, repoId, teamId int64) (AuthorizeType, error) {
-       return getHighestAuthorize(x, orgId, uid, repoId, teamId)
-}
-
 // UpdateTeam updates information of team.
 func UpdateTeam(t *Team, authChanged bool) (err error) {
        if !IsLegalName(t.Name) {
@@ -738,45 +649,14 @@ func UpdateTeam(t *Team, authChanged bool) (err error) {
        }
 
        // Update access for team members if needed.
-       if authChanged && !t.IsOwnerTeam() {
+       if authChanged {
                if err = t.GetRepositories(); err != nil {
                        return err
-               } else if err = t.GetMembers(); err != nil {
-                       return err
                }
 
-               // Get organization.
-               org, err := GetUserById(t.OrgId)
-               if err != nil {
-                       return err
-               }
-
-               // Update access.
-               mode := AuthorizeToAccessType(t.Authorize)
-
                for _, repo := range t.Repos {
-                       for _, u := range t.Members {
-                               // ORG_WRITABLE is the highest authorize level for now.
-                               // Skip checking others if current team has this level.
-                               if t.Authorize < ORG_WRITABLE {
-                                       auth, err := GetHighestAuthorize(t.OrgId, u.Id, repo.Id, t.Id)
-                                       if err != nil {
-                                               sess.Rollback()
-                                               return err
-                                       }
-                                       if auth >= t.Authorize {
-                                               continue // Other team has higher or same authorize level.
-                                       }
-                               }
-
-                               access := &Access{
-                                       UserName: u.LowerName,
-                                       RepoName: path.Join(org.LowerName, repo.LowerName),
-                               }
-                               if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-                                       sess.Rollback()
-                                       return err
-                               }
+                       if err = repo.RecalcAccessSess(); err != nil {
+                               return err
                        }
                }
        }
@@ -812,29 +692,8 @@ func DeleteTeam(t *Team) error {
 
        // Delete all accesses.
        for _, repo := range t.Repos {
-               for _, u := range t.Members {
-                       auth, err := GetHighestAuthorize(t.OrgId, u.Id, repo.Id, t.Id)
-                       if err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-
-                       access := &Access{
-                               UserName: u.LowerName,
-                               RepoName: path.Join(org.LowerName, repo.LowerName),
-                       }
-                       if auth == 0 {
-                               if _, err = sess.Delete(access); err != nil {
-                                       sess.Rollback()
-                                       return fmt.Errorf("fail to delete access: %v", err)
-                               }
-                       } else if auth < t.Authorize {
-                               // Downgrade authorize level.
-                               if err = addAccessWithAuthorize(sess, access, AuthorizeToAccessType(auth)); err != nil {
-                                       sess.Rollback()
-                                       return err
-                               }
-                       }
+               if err = repo.RecalcAccessSess(); err != nil {
+                       return err
                }
        }
 
@@ -936,18 +795,6 @@ func AddTeamMember(orgId, teamId, uid int64) error {
                return err
        }
 
-       // Get organization.
-       org, err := GetUserById(orgId)
-       if err != nil {
-               return err
-       }
-
-       // Get user.
-       u, err := GetUserById(uid)
-       if err != nil {
-               return err
-       }
-
        sess := x.NewSession()
        defer sess.Close()
        if err = sess.Begin(); err != nil {
@@ -969,24 +816,11 @@ func AddTeamMember(orgId, teamId, uid int64) error {
        }
 
        // Give access to team repositories.
-       mode := AuthorizeToAccessType(t.Authorize)
        for _, repo := range t.Repos {
-               auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, teamId)
-               if err != nil {
+               if err = repo.RecalcAccessSess(); err != nil {
                        sess.Rollback()
                        return err
                }
-
-               access := &Access{
-                       UserName: u.LowerName,
-                       RepoName: path.Join(org.LowerName, repo.LowerName),
-               }
-               if auth < t.Authorize {
-                       if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-               }
        }
 
        // We make sure it exists before.
@@ -1036,12 +870,6 @@ func removeTeamMember(e Engine, orgId, teamId, uid int64) error {
                return err
        }
 
-       // Get user.
-       u, err := GetUserById(uid)
-       if err != nil {
-               return err
-       }
-
        tu := &TeamUser{
                Uid:    uid,
                OrgId:  orgId,
@@ -1056,28 +884,9 @@ func removeTeamMember(e Engine, orgId, teamId, uid int64) error {
 
        // Delete access to team repositories.
        for _, repo := range t.Repos {
-               auth, err := getHighestAuthorize(e, t.OrgId, u.Id, repo.Id, teamId)
-               if err != nil {
+               if err = repo.RecalcAccessSess(); err != nil {
                        return err
                }
-
-               access := &Access{
-                       UserName: u.LowerName,
-                       RepoName: path.Join(org.LowerName, repo.LowerName),
-               }
-               // Delete access if this is the last team user belongs to.
-               if auth == 0 {
-                       if _, err = e.Delete(access); err != nil {
-                               return fmt.Errorf("fail to delete access: %v", err)
-                       } else if err = watchRepo(e, u.Id, repo.Id, false); err != nil {
-                               return err
-                       }
-               } else if auth < t.Authorize {
-                       // Downgrade authorize level.
-                       if err = addAccessWithAuthorize(e, access, AuthorizeToAccessType(auth)); err != nil {
-                               return err
-                       }
-               }
        }
 
        // This must exist.

diff --git a/models/repo.go b/models/repo.go
index 35ee871fd47fadf26b40903cd235a0774b79f5e2..5a669d9dd8e66f748df32140759408105f10ec68 100644 (file)
--- a/models/repo.go
+++ b/models/repo.go
@@ -206,14 +206,6 @@ func (repo *Repository) IsOwnedBy(u *User) bool {
        return repo.OwnerId == u.Id
 }
 
-func (repo *Repository) HasAccess(uname string) bool {
-       if err := repo.GetOwner(); err != nil {
-               return false
-       }
-       has, _ := HasAccess(uname, path.Join(repo.Owner.Name, repo.Name), READABLE)
-       return has
-}
-
 // DescriptionHtml does special handles to description and return HTML string.
 func (repo *Repository) DescriptionHtml() template.HTML {
        sanitize := func(s string) string {
@@ -548,36 +540,11 @@ func CreateRepository(u *User, name, desc, lang, license string, private, mirror
 
        var t *Team // Owner team.
 
-       mode := WRITABLE
-       if mirror {
-               mode = READABLE
-       }
-       access := &Access{
-               UserName: u.LowerName,
-               RepoName: path.Join(u.LowerName, repo.LowerName),
-               Mode:     mode,
-       }
+       // TODO fix code for mirrors?
+
        // Give access to all members in owner team.
        if u.IsOrganization() {
-               t, err = u.GetOwnerTeam()
-               if err != nil {
-                       sess.Rollback()
-                       return nil, err
-               }
-               if err = t.GetMembers(); err != nil {
-                       sess.Rollback()
-                       return nil, err
-               }
-               for _, u := range t.Members {
-                       access.Id = 0
-                       access.UserName = u.LowerName
-                       if _, err = sess.Insert(access); err != nil {
-                               sess.Rollback()
-                               return nil, err
-                       }
-               }
-       } else {
-               if _, err = sess.Insert(access); err != nil {
+               if err = repo.RecalcAccessSess(); err != nil {
                        sess.Rollback()
                        return nil, err
                }
@@ -707,37 +674,10 @@ func TransferOwnership(u *User, newOwner string, repo *Repository) error {
        }
 
        owner := repo.Owner
-       oldRepoLink := path.Join(owner.LowerName, repo.LowerName)
-       // Delete all access first if current owner is an organization.
-       if owner.IsOrganization() {
-               if _, err = sess.Where("repo_name=?", oldRepoLink).Delete(new(Access)); err != nil {
-                       sess.Rollback()
-                       return fmt.Errorf("fail to delete current accesses: %v", err)
-               }
-       } else {
-               // Delete current owner access.
-               if _, err = sess.Where("repo_name=?", oldRepoLink).And("user_name=?", owner.LowerName).
-                       Delete(new(Access)); err != nil {
-                       sess.Rollback()
-                       return fmt.Errorf("fail to delete access(owner): %v", err)
-               }
-               // In case new owner has access.
-               if _, err = sess.Where("repo_name=?", oldRepoLink).And("user_name=?", newUser.LowerName).
-                       Delete(new(Access)); err != nil {
-                       sess.Rollback()
-                       return fmt.Errorf("fail to delete access(new user): %v", err)
-               }
-       }
-
-       // Change accesses to new repository path.
-       if _, err = sess.Where("repo_name=?", oldRepoLink).
-               Update(&Access{RepoName: path.Join(newUser.LowerName, repo.LowerName)}); err != nil {
-               sess.Rollback()
-               return fmt.Errorf("fail to update access(change reponame): %v", err)
-       }
 
        // Update repository.
        repo.OwnerId = newUser.Id
+       repo.Owner = newUser
        if _, err := sess.Id(repo.Id).Update(repo); err != nil {
                sess.Rollback()
                return err
@@ -754,53 +694,8 @@ func TransferOwnership(u *User, newOwner string, repo *Repository) error {
                return err
        }
 
-       mode := WRITABLE
-       if repo.IsMirror {
-               mode = READABLE
-       }
-       // New owner is organization.
-       if newUser.IsOrganization() {
-               access := &Access{
-                       RepoName: path.Join(newUser.LowerName, repo.LowerName),
-                       Mode:     mode,
-               }
-
-               // Give access to all members in owner team.
-               t, err := newUser.GetOwnerTeam()
-               if err != nil {
-                       sess.Rollback()
-                       return err
-               }
-               if err = t.GetMembers(); err != nil {
-                       sess.Rollback()
-                       return err
-               }
-               for _, u := range t.Members {
-                       access.Id = 0
-                       access.UserName = u.LowerName
-                       if _, err = sess.Insert(access); err != nil {
-                               sess.Rollback()
-                               return err
-                       }
-               }
-
-               // Update owner team info and count.
-               t.RepoIds += "$" + com.ToStr(repo.Id) + "|"
-               t.NumRepos++
-               if _, err = sess.Id(t.Id).AllCols().Update(t); err != nil {
-                       sess.Rollback()
-                       return err
-               }
-       } else {
-               access := &Access{
-                       RepoName: path.Join(newUser.LowerName, repo.LowerName),
-                       UserName: newUser.LowerName,
-                       Mode:     mode,
-               }
-               if _, err = sess.Insert(access); err != nil {
-                       sess.Rollback()
-                       return fmt.Errorf("fail to insert access: %v", err)
-               }
+       if err = repo.RecalcAccessSess(); err != nil {
+               return err
        }
 
        // Change repository directory name.
@@ -833,33 +728,8 @@ func ChangeRepositoryName(userName, oldRepoName, newRepoName string) (err error)
                return ErrRepoNameIllegal
        }
 
-       // Update accesses.
-       accesses := make([]Access, 0, 10)
-       if err = x.Find(&accesses, &Access{RepoName: userName + "/" + oldRepoName}); err != nil {
-               return err
-       }
-
-       sess := x.NewSession()
-       defer sess.Close()
-       if err = sess.Begin(); err != nil {
-               return err
-       }
-
-       for i := range accesses {
-               accesses[i].RepoName = userName + "/" + newRepoName
-               if err = updateAccess(sess, &accesses[i]); err != nil {
-                       sess.Rollback()
-                       return err
-               }
-       }
-
        // Change repository directory name.
-       if err = os.Rename(RepoPath(userName, oldRepoName), RepoPath(userName, newRepoName)); err != nil {
-               sess.Rollback()
-               return err
-       }
-
-       return sess.Commit()
+       return os.Rename(RepoPath(userName, oldRepoName), RepoPath(userName, newRepoName))
 }
 
 func UpdateRepository(repo *Repository) error {
@@ -908,7 +778,7 @@ func DeleteRepository(uid, repoId int64, userName string) error {
        }
 
        // Delete all access.
-       if _, err := sess.Delete(&Access{RepoName: strings.ToLower(path.Join(userName, repo.Name))}); err != nil {
+       if _, err := sess.Delete(&Access{RepoID: repo.Id}); err != nil {
                sess.Rollback()
                return err
        }
@@ -1228,41 +1098,30 @@ type Collaboration struct {
 // Add collaborator and accompanying access
 func (r *Repository) AddCollaborator(u *User) error {
        collaboration := &Collaboration{RepoID: r.Id, UserID: u.Id}
+
        has, err := x.Get(collaboration)
        if err != nil {
                return err
-       } else if has {
-               return nil
        }
-
-       if err = r.GetOwner(); err != nil {
-               return err
+       if has {
+               return nil
        }
 
-       sess := x.NewSession()
-       defer sess.Close()
-       if err = sess.Begin(); err != nil {
+       if _, err = x.InsertOne(collaboration); err != nil {
                return err
        }
 
-       if _, err = sess.InsertOne(collaboration); err != nil {
-               sess.Rollback()
-               return err
-       } else if err = addAccess(sess, &Access{
-               UserName: u.LowerName,
-               RepoName: path.Join(r.Owner.LowerName, r.LowerName),
-               Mode:     WRITABLE}); err != nil {
-               sess.Rollback()
+       if err = r.GetOwner(); err != nil {
                return err
        }
 
-       return sess.Commit()
+       return r.RecalcAccessSess()
 }
 
 // GetCollaborators returns the collaborators for a repository
 func (r *Repository) GetCollaborators() ([]*User, error) {
-       collaborations := make([]*Collaboration, 0, 5)
-       if err := x.Where("repo_id=?", r.Id).Find(&collaborations); err != nil {
+       collaborations := make([]*Collaboration, 0)
+       if err := x.Find(&collaborations, &Collaboration{RepoID: r.Id}); err != nil {
                return nil, err
        }
 
@@ -1278,50 +1137,14 @@ func (r *Repository) GetCollaborators() ([]*User, error) {
 }
 
 // Delete collaborator and accompanying access
-func (r *Repository) DeleteCollaborator(u *User) (err error) {
+func (r *Repository) DeleteCollaborator(u *User) error {
        collaboration := &Collaboration{RepoID: r.Id, UserID: u.Id}
-       has, err := x.Get(collaboration)
-       if err != nil {
-               return err
-       } else if !has {
-               return nil
-       }
 
-       if err = r.GetOwner(); err != nil {
-               return err
-       }
-
-       sess := x.NewSession()
-       defer sess.Close()
-       if err = sess.Begin(); err != nil {
+       if has, err := x.Delete(collaboration); err != nil || has == 0 {
                return err
        }
 
-       needDelete := true
-       if r.Owner.IsOrganization() {
-               auth, err := getHighestAuthorize(sess, r.Owner.Id, u.Id, r.Id, 0)
-               if err != nil {
-                       sess.Rollback()
-                       return err
-               }
-               if auth > 0 {
-                       needDelete = false
-               }
-       }
-       if needDelete {
-               if err = deleteAccess(sess, &Access{
-                       UserName: u.LowerName,
-                       RepoName: path.Join(r.Owner.LowerName, r.LowerName),
-                       Mode:     WRITABLE}); err != nil {
-                       sess.Rollback()
-                       return err
-               } else if _, err = sess.Delete(collaboration); err != nil {
-                       sess.Rollback()
-                       return err
-               }
-       }
-
-       return sess.Commit()
+       return r.RecalcAccessSess()
 }
 
 //  __      __         __         .__
@@ -1495,40 +1318,10 @@ func ForkRepository(u *User, oldRepo *Repository, name, desc string) (*Repositor
                return nil, err
        }
 
-       var t *Team // Owner team.
-
-       mode := WRITABLE
-
-       access := &Access{
-               UserName: u.LowerName,
-               RepoName: path.Join(u.LowerName, repo.LowerName),
-               Mode:     mode,
-       }
-       // Give access to all members in owner team.
-       if u.IsOrganization() {
-               t, err = u.GetOwnerTeam()
-               if err != nil {
-                       sess.Rollback()
-                       return nil, err
-               }
-               if err = t.GetMembers(); err != nil {
-                       sess.Rollback()
-                       return nil, err
-               }
-               for _, u := range t.Members {
-                       access.Id = 0
-                       access.UserName = u.LowerName
-                       if _, err = sess.Insert(access); err != nil {
-                               sess.Rollback()
-                               return nil, err
-                       }
-               }
-       } else {
-               if _, err = sess.Insert(access); err != nil {
-                       sess.Rollback()
-                       return nil, err
-               }
+       if err = repo.RecalcAccessSess(); err != nil {
+               return nil, err
        }
+       var t *Team // Owner team.
 
        if _, err = sess.Exec(
                "UPDATE `user` SET num_repos = num_repos + 1 WHERE id = ?", u.Id); err != nil {

diff --git a/models/user.go b/models/user.go
index 5606cea3799be02ffce9c9224ec08ff9da40ff53..9a6f93a4742efea3fef97170b04a8f23d4ad6752 100644 (file)
--- a/models/user.go
+++ b/models/user.go
@@ -395,62 +395,7 @@ func ChangeUserName(u *User, newUserName string) (err error) {
        if !IsLegalName(newUserName) {
                return ErrUserNameIllegal
        }
-
-       newUserName = strings.ToLower(newUserName)
-
-       // Update accesses of user.
-       accesses := make([]Access, 0, 10)
-       if err = x.Find(&accesses, &Access{UserName: u.LowerName}); err != nil {
-               return err
-       }
-
-       sess := x.NewSession()
-       defer sess.Close()
-       if err = sess.Begin(); err != nil {
-               return err
-       }
-
-       for i := range accesses {
-               accesses[i].UserName = newUserName
-               if strings.HasPrefix(accesses[i].RepoName, u.LowerName+"/") {
-                       accesses[i].RepoName = strings.Replace(accesses[i].RepoName, u.LowerName, newUserName, 1)
-               }
-               if err = updateAccess(sess, &accesses[i]); err != nil {
-                       sess.Rollback()
-                       return err
-               }
-       }
-
-       repos, err := GetRepositories(u.Id, true)
-       if err != nil {
-               return err
-       }
-       for i := range repos {
-               accesses = make([]Access, 0, 10)
-               // Update accesses of user repository.
-               if err = x.Find(&accesses, &Access{RepoName: u.LowerName + "/" + repos[i].LowerName}); err != nil {
-                       return err
-               }
-
-               for j := range accesses {
-                       // if the access is not the user's access (already updated above)
-                       if accesses[j].UserName != u.LowerName {
-                               accesses[j].RepoName = newUserName + "/" + repos[i].LowerName
-                               if err = updateAccess(sess, &accesses[j]); err != nil {
-                                       sess.Rollback()
-                                       return err
-                               }
-                       }
-               }
-       }
-
-       // Change user directory name.
-       if err = os.Rename(UserPath(u.LowerName), UserPath(newUserName)); err != nil {
-               sess.Rollback()
-               return err
-       }
-
-       return sess.Commit()
+       return os.Rename(UserPath(u.LowerName), UserPath(newUserName))
 }
 
 // UpdateUser updates user's information.
@@ -523,7 +468,7 @@ func DeleteUser(u *User) error {
                return err
        }
        // Delete all accesses.
-       if _, err = x.Delete(&Access{UserName: u.LowerName}); err != nil {
+       if _, err = x.Delete(&Access{UserID: u.Id}); err != nil {
                return err
        }
        // Delete all alternative email addresses

diff --git a/modules/middleware/org.go b/modules/middleware/org.go
index e687258617ff9a96afbdf0e14214b99ba986a192..cbce54860d5794b291274ab745618053e39fa262 100644 (file)
--- a/modules/middleware/org.go
+++ b/modules/middleware/org.go
@@ -87,7 +87,7 @@ func OrgAssignment(redirect bool, args ...bool) macaron.Handler {
                                return
                        }
                        ctx.Data["Team"] = ctx.Org.Team
-                       ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize == models.ORG_ADMIN
+                       ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.AdminAccess
                }
                ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam
                if requireAdminTeam && !ctx.Org.IsAdminTeam {

diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go
index 1ab158dd6d8721a6be515f4ac53abca89bf3b4a8..8cc62904602ccdef97b1386081932e2f7b5be5c6 100644 (file)
--- a/modules/middleware/repo.go
+++ b/modules/middleware/repo.go
@@ -5,7 +5,6 @@
 package middleware
 
 import (
-       "errors"
        "fmt"
        "net/url"
        "strings"
@@ -29,17 +28,10 @@ func ApiRepoAssignment() macaron.Handler {
                        err error
                )
 
-               // Collaborators who have write access can be seen as owners.
-               if ctx.IsSigned {
-                       ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE)
-                       if err != nil {
-                               ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL})
-                               return
-                       }
-                       ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
-               }
-
-               if !ctx.Repo.IsTrueOwner {
+               // Check if the user is the same as the repository owner
+               if ctx.IsSigned && u.LowerName == strings.ToLower(userName) {
+                       u = ctx.User
+               } else {
                        u, err = models.GetUserByName(userName)
                        if err != nil {
                                if err == models.ErrUserNotExist {
@@ -49,64 +41,38 @@ func ApiRepoAssignment() macaron.Handler {
                                }
                                return
                        }
-               } else {
-                       u = ctx.User
                }
                ctx.Repo.Owner = u
 
-               // Organization owner team members are true owners as well.
-               if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) {
-                       ctx.Repo.IsTrueOwner = true
-               }
-
                // Get repository.
                repo, err := models.GetRepositoryByName(u.Id, repoName)
                if err != nil {
                        if err == models.ErrRepoNotExist {
                                ctx.Error(404)
-                               return
+                       } else {
+                               ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
                        }
-                       ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
                        return
                } else if err = repo.GetOwner(); err != nil {
                        ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL})
                        return
                }
 
-               // Check if the mirror repository owner(mirror repository doesn't have access).
-               if ctx.IsSigned && !ctx.Repo.IsOwner {
-                       if repo.OwnerId == ctx.User.Id {
-                               ctx.Repo.IsOwner = true
-                       }
-                       // Check if current user has admin permission to repository.
-                       if u.IsOrganization() {
-                               auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0)
-                               if err != nil {
-                                       ctx.JSON(500, &base.ApiJsonErr{"GetHighestAuthorize: " + err.Error(), base.DOC_URL})
-                                       return
-                               }
-                               if auth == models.ORG_ADMIN {
-                                       ctx.Repo.IsOwner = true
-                                       ctx.Repo.IsAdmin = true
-                               }
+               if ctx.IsSigned {
+                       mode, err := models.AccessLevel(ctx.User, repo)
+                       if err != nil {
+                               ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL})
+                               return
                        }
+                       ctx.Repo.IsOwner = mode >= models.WriteAccess
+                       ctx.Repo.IsAdmin = mode >= models.ReadAccess
+                       ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess
                }
 
                // Check access.
                if repo.IsPrivate && !ctx.Repo.IsOwner {
-                       if ctx.User == nil {
-                               ctx.Error(404)
-                               return
-                       }
-
-                       hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE)
-                       if err != nil {
-                               ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL})
-                               return
-                       } else if !hasAccess {
-                               ctx.Error(404)
-                               return
-                       }
+                       ctx.Error(404)
+                       return
                }
                ctx.Repo.HasAccess = true
 
@@ -242,101 +208,54 @@ func RepoAssignment(redirect bool, args ...bool) macaron.Handler {
                        refName = ctx.Params(":path")
                }
 
-               // Collaborators who have write access can be seen as owners.
-               if ctx.IsSigned {
-                       ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE)
-                       if err != nil {
-                               ctx.Handle(500, "HasAccess", err)
-                               return
-                       }
-                       ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
-               }
-
-               if !ctx.Repo.IsTrueOwner {
+               // Check if the user is the same as the repository owner
+               if ctx.IsSigned && u.LowerName == strings.ToLower(userName) {
+                       u = ctx.User
+               } else {
                        u, err = models.GetUserByName(userName)
                        if err != nil {
                                if err == models.ErrUserNotExist {
-                                       ctx.Handle(404, "GetUserByName", err)
-                               } else if redirect {
-                                       log.Error(4, "GetUserByName", err)
-                                       ctx.Redirect(setting.AppSubUrl + "/")
+                                       ctx.Error(404)
                                } else {
-                                       ctx.Handle(500, "GetUserByName", err)
+                                       ctx.JSON(500, &base.ApiJsonErr{"GetUserByName: " + err.Error(), base.DOC_URL})
                                }
                                return
                        }
-               } else {
-                       u = ctx.User
-               }
-
-               if u == nil {
-                       if redirect {
-                               ctx.Redirect(setting.AppSubUrl + "/")
-                               return
-                       }
-                       ctx.Handle(404, "RepoAssignment", errors.New("invliad user account for single repository"))
-                       return
                }
                ctx.Repo.Owner = u
 
-               // Organization owner team members are true owners as well.
-               if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) {
-                       ctx.Repo.IsTrueOwner = true
-               }
-
                // Get repository.
                repo, err := models.GetRepositoryByName(u.Id, repoName)
                if err != nil {
                        if err == models.ErrRepoNotExist {
-                               ctx.Handle(404, "GetRepositoryByName", err)
-                               return
-                       } else if redirect {
-                               ctx.Redirect(setting.AppSubUrl + "/")
-                               return
+                               ctx.Error(404)
+                       } else {
+                               ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
                        }
-                       ctx.Handle(500, "GetRepositoryByName", err)
                        return
                } else if err = repo.GetOwner(); err != nil {
-                       ctx.Handle(500, "GetOwner", err)
+                       ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL})
                        return
                }
 
-               // Check if the mirror repository owner(mirror repository doesn't have access).
-               if ctx.IsSigned && !ctx.Repo.IsOwner {
-                       if repo.OwnerId == ctx.User.Id {
-                               ctx.Repo.IsOwner = true
-                       }
-                       // Check if current user has admin permission to repository.
-                       if u.IsOrganization() {
-                               auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0)
-                               if err != nil {
-                                       ctx.Handle(500, "GetHighestAuthorize", err)
-                                       return
-                               }
-                               if auth == models.ORG_ADMIN {
-                                       ctx.Repo.IsOwner = true
-                                       ctx.Repo.IsAdmin = true
-                               }
+               if ctx.IsSigned {
+                       mode, err := models.AccessLevel(ctx.User, repo)
+                       if err != nil {
+                               ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL})
+                               return
                        }
+                       ctx.Repo.IsOwner = mode >= models.WriteAccess
+                       ctx.Repo.IsAdmin = mode >= models.ReadAccess
+                       ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess
                }
 
                // Check access.
                if repo.IsPrivate && !ctx.Repo.IsOwner {
-                       if ctx.User == nil {
-                               ctx.Handle(404, "HasAccess", nil)
-                               return
-                       }
-
-                       hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE)
-                       if err != nil {
-                               ctx.Handle(500, "HasAccess", err)
-                               return
-                       } else if !hasAccess {
-                               ctx.Handle(404, "HasAccess", nil)
-                               return
-                       }
+                       ctx.Error(404)
+                       return
                }
                ctx.Repo.HasAccess = true
+
                ctx.Data["HasAccess"] = true
 
                if repo.IsMirror {

diff --git a/routers/api/v1/repo.go b/routers/api/v1/repo.go
index 469e4808fea2be0a7f5d158596ce5569dd1d9c68..78c9f9a6a3f6106fc826ca15f5c3f676d9e47d6e 100644 (file)
--- a/routers/api/v1/repo.go
+++ b/routers/api/v1/repo.go
@@ -255,7 +255,7 @@ func ListMyRepos(ctx *middleware.Context) {
                        return
                }
 
-               repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.WRITABLE, true})
+               repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.WriteAccess, true})
 
                // FIXME: cache result to reduce DB query?
                if repo.Owner.IsOrganization() && repo.Owner.IsOwnedBy(ctx.User.Id) {

diff --git a/routers/org/teams.go b/routers/org/teams.go
index 9dd9b8e22959c1923a46d80c6070cd802bdfd208..f5f94be0f407c6b52c2ecf7a272af7ff14811cc7 100644 (file)
--- a/routers/org/teams.go
+++ b/routers/org/teams.go
@@ -165,14 +165,14 @@ func NewTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) {
        }
 
        // Validate permission level.
-       var auth models.AuthorizeType
+       var auth models.AccessMode
        switch form.Permission {
        case "read":
-               auth = models.ORG_READABLE
+               auth = models.ReadAccess
        case "write":
-               auth = models.ORG_WRITABLE
+               auth = models.WriteAccess
        case "admin":
-               auth = models.ORG_ADMIN
+               auth = models.AdminAccess
        default:
                ctx.Error(401)
                return
@@ -246,14 +246,14 @@ func EditTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) {
        isAuthChanged := false
        if !t.IsOwnerTeam() {
                // Validate permission level.
-               var auth models.AuthorizeType
+               var auth models.AccessMode
                switch form.Permission {
                case "read":
-                       auth = models.ORG_READABLE
+                       auth = models.ReadAccess
                case "write":
-                       auth = models.ORG_WRITABLE
+                       auth = models.WriteAccess
                case "admin":
-                       auth = models.ORG_ADMIN
+                       auth = models.AdminAccess
                default:
                        ctx.Error(401)
                        return

diff --git a/routers/repo/http.go b/routers/repo/http.go
index f5dc0c9d6aef61265037052bedafc61bb552ea08..c6742af3ecef0c61553202788bf17a9d589f3e52 100644 (file)
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -137,18 +137,18 @@ func Http(ctx *middleware.Context) {
                }
 
                if !isPublicPull {
-                       var tp = models.WRITABLE
+                       var tp = models.WriteAccess
                        if isPull {
-                               tp = models.READABLE
+                               tp = models.ReadAccess
                        }
 
-                       has, err := models.HasAccess(authUsername, username+"/"+reponame, tp)
+                       has, err := models.HasAccess(authUser, repo, tp)
                        if err != nil {
                                ctx.Handle(401, "no basic auth and digit auth", nil)
                                return
                        } else if !has {
-                               if tp == models.READABLE {
-                                       has, err = models.HasAccess(authUsername, username+"/"+reponame, models.WRITABLE)
+                               if tp == models.ReadAccess {
+                                       has, err = models.HasAccess(authUser, repo, models.WriteAccess)
                                        if err != nil || !has {
                                                ctx.Handle(401, "no basic auth and digit auth", nil)
                                                return

diff --git a/routers/user/home.go b/routers/user/home.go
index 5b02154c10622a7c371ddc79447bd9de92bdc297..82325cb747ab8fbf95ea852aabd024378b3ef32a 100644 (file)
--- a/routers/user/home.go
+++ b/routers/user/home.go
@@ -103,8 +103,7 @@ func Dashboard(ctx *middleware.Context) {
        feeds := make([]*models.Action, 0, len(actions))
        for _, act := range actions {
                if act.IsPrivate {
-                       if has, _ := models.HasAccess(ctx.User.Name, act.RepoUserName+"/"+act.RepoName,
-                               models.READABLE); !has {
+                       if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true}, models.ReadAccess); !has {
                                continue
                        }
                }
@@ -211,8 +210,8 @@ func Profile(ctx *middleware.Context) {
                                if !ctx.IsSigned {
                                        continue
                                }
-                               if has, _ := models.HasAccess(ctx.User.Name, act.RepoUserName+"/"+act.RepoName,
-                                       models.READABLE); !has {
+                               if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true},
+                                       models.ReadAccess); !has {
                                        continue
                                }
                        }