// Remove watches from all users and now unaccessible repos
for _, user := range t.Members {
- has, err := access_model.HasAccess(ctx, user.ID, repo)
+ has, err := access_model.HasAnyUnitAccess(ctx, user.ID, repo)
if err != nil {
return err
} else if has {
}
func ReconsiderWatches(ctx context.Context, repo *repo_model.Repository, user *user_model.User) error {
- if has, err := access_model.HasAccess(ctx, user.ID, repo); err != nil || has {
+ if has, err := access_model.HasAnyUnitAccess(ctx, user.ID, repo); err != nil || has {
return err
}
if err := repo_model.WatchRepo(ctx, user, repo, false); err != nil {
repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
assert.True(t, repo2.IsPrivate)
- has, err := access_model.HasAccess(db.DefaultContext, user1.ID, repo1)
+ has, err := access_model.HasAnyUnitAccess(db.DefaultContext, user1.ID, repo1)
assert.NoError(t, err)
assert.True(t, has)
- _, err = access_model.HasAccess(db.DefaultContext, user1.ID, repo2)
+ _, err = access_model.HasAnyUnitAccess(db.DefaultContext, user1.ID, repo2)
assert.NoError(t, err)
- _, err = access_model.HasAccess(db.DefaultContext, user2.ID, repo1)
+ _, err = access_model.HasAnyUnitAccess(db.DefaultContext, user2.ID, repo1)
assert.NoError(t, err)
- _, err = access_model.HasAccess(db.DefaultContext, user2.ID, repo2)
+ _, err = access_model.HasAnyUnitAccess(db.DefaultContext, user2.ID, repo2)
assert.NoError(t, err)
}
units []*repo_model.RepoUnit
unitsMode map[unit.Type]perm_model.AccessMode
+
+ everyoneAccessMode map[unit.Type]perm_model.AccessMode
}
// IsOwner returns true if current user is the owner of repository.
return p.AccessMode >= perm_model.AccessModeAdmin
}
-// HasAccess returns true if the current user might have at least read access to any unit of this repository
-func (p *Permission) HasAccess() bool {
- return len(p.unitsMode) > 0 || p.AccessMode >= perm_model.AccessModeRead
+// HasAnyUnitAccess returns true if the user might have at least one access mode to any unit of this repository.
+// It doesn't count the "everyone access mode".
+func (p *Permission) HasAnyUnitAccess() bool {
+ for _, v := range p.unitsMode {
+ if v >= perm_model.AccessModeRead {
+ return true
+ }
+ }
+ return p.AccessMode >= perm_model.AccessModeRead
+}
+
+func (p *Permission) HasAnyUnitAccessOrEveryoneAccess() bool {
+ for _, v := range p.everyoneAccessMode {
+ if v >= perm_model.AccessModeRead {
+ return true
+ }
+ }
+ return p.HasAnyUnitAccess()
}
// HasUnits returns true if the permission contains attached units
}
// UnitAccessMode returns current user access mode to the specify unit of the repository
+// It also considers "everyone access mode"
func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
- if p.unitsMode != nil {
- // if the units map contains the access mode, use it, but admin/owner mode could override it
- if m, ok := p.unitsMode[unitType]; ok {
- return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)
- }
+ // if the units map contains the access mode, use it, but admin/owner mode could override it
+ if m, ok := p.unitsMode[unitType]; ok {
+ return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)
}
// if the units map does not contain the access mode, return the default access mode if the unit exists
+ unitDefaultAccessMode := max(p.AccessMode, p.everyoneAccessMode[unitType])
hasUnit := slices.ContainsFunc(p.units, func(u *repo_model.RepoUnit) bool { return u.Type == unitType })
- return util.Iif(hasUnit, p.AccessMode, perm_model.AccessModeNone)
+ return util.Iif(hasUnit, unitDefaultAccessMode, perm_model.AccessModeNone)
}
func (p *Permission) SetUnitsWithDefaultAccessMode(units []*repo_model.RepoUnit, mode perm_model.AccessMode) {
}
func applyEveryoneRepoPermission(user *user_model.User, perm *Permission) {
- if user != nil && user.ID > 0 {
- for _, u := range perm.units {
- if perm.unitsMode == nil {
- perm.unitsMode = make(map[unit.Type]perm_model.AccessMode)
- }
- if u.EveryoneAccessMode >= perm_model.AccessModeRead && u.EveryoneAccessMode > perm.unitsMode[u.Type] {
- perm.unitsMode[u.Type] = u.EveryoneAccessMode
+ if user == nil || user.ID <= 0 {
+ return
+ }
+ for _, u := range perm.units {
+ if u.EveryoneAccessMode >= perm_model.AccessModeRead && u.EveryoneAccessMode > perm.everyoneAccessMode[u.Type] {
+ if perm.everyoneAccessMode == nil {
+ perm.everyoneAccessMode = make(map[unit.Type]perm_model.AccessMode)
}
+ perm.everyoneAccessMode[u.Type] = u.EveryoneAccessMode
}
}
}
perm.CanAccessAny(perm_model.AccessModeRead, unit.TypePullRequests), nil
}
-// HasAccess returns true if user has access to repo
-func HasAccess(ctx context.Context, userID int64, repo *repo_model.Repository) (bool, error) {
+// HasAnyUnitAccess see the comment of "perm.HasAnyUnitAccess"
+func HasAnyUnitAccess(ctx context.Context, userID int64, repo *repo_model.Repository) (bool, error) {
var user *user_model.User
var err error
if userID > 0 {
if err != nil {
return false, err
}
- return perm.HasAccess(), nil
+ return perm.HasAnyUnitAccess(), nil
}
// getUsersWithAccessMode returns users that have at least given access mode to the repository.
"github.com/stretchr/testify/assert"
)
+func TestHasAnyUnitAccess(t *testing.T) {
+ perm := Permission{}
+ assert.False(t, perm.HasAnyUnitAccess())
+
+ perm = Permission{
+ units: []*repo_model.RepoUnit{{Type: unit.TypeWiki}},
+ }
+ assert.False(t, perm.HasAnyUnitAccess())
+ assert.False(t, perm.HasAnyUnitAccessOrEveryoneAccess())
+
+ perm = Permission{
+ units: []*repo_model.RepoUnit{{Type: unit.TypeWiki}},
+ everyoneAccessMode: map[unit.Type]perm_model.AccessMode{unit.TypeIssues: perm_model.AccessModeRead},
+ }
+ assert.False(t, perm.HasAnyUnitAccess())
+ assert.True(t, perm.HasAnyUnitAccessOrEveryoneAccess())
+
+ perm = Permission{
+ AccessMode: perm_model.AccessModeRead,
+ units: []*repo_model.RepoUnit{{Type: unit.TypeWiki}},
+ }
+ assert.True(t, perm.HasAnyUnitAccess())
+
+ perm = Permission{
+ unitsMode: map[unit.Type]perm_model.AccessMode{unit.TypeWiki: perm_model.AccessModeRead},
+ }
+ assert.True(t, perm.HasAnyUnitAccess())
+}
+
func TestApplyEveryoneRepoPermission(t *testing.T) {
perm := Permission{
AccessMode: perm_model.AccessModeNone,
units: []*repo_model.RepoUnit{
- {Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeNone},
+ {Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},
},
}
applyEveryoneRepoPermission(nil, &perm)
assert.False(t, perm.CanRead(unit.TypeWiki))
+ perm = Permission{
+ AccessMode: perm_model.AccessModeNone,
+ units: []*repo_model.RepoUnit{
+ {Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},
+ },
+ }
+ applyEveryoneRepoPermission(&user_model.User{ID: 0}, &perm)
+ assert.False(t, perm.CanRead(unit.TypeWiki))
+
perm = Permission{
AccessMode: perm_model.AccessModeNone,
units: []*repo_model.RepoUnit{
},
}
applyEveryoneRepoPermission(&user_model.User{ID: 1}, &perm)
- assert.True(t, perm.CanRead(unit.TypeWiki))
- assert.False(t, perm.CanWrite(unit.TypeWiki)) // because there is no unit mode, so the everyone-mode is used as the unit's access mode
+ // it should work the same as "EveryoneAccessMode: none" because the default AccessMode should be applied to units
+ assert.True(t, perm.CanWrite(unit.TypeWiki))
perm = Permission{
units: []*repo_model.RepoUnit{
}
}
- if !ctx.Repo.HasAccess() {
+ if !ctx.Repo.Permission.HasAnyUnitAccess() {
ctx.NotFound()
return
}
// reqAnyRepoReader user should have any permission to read repository or permissions of site admin
func reqAnyRepoReader() func(ctx *context.APIContext) {
return func(ctx *context.APIContext) {
- if !ctx.Repo.HasAccess() && !ctx.IsUserSiteAdmin() {
+ if !ctx.Repo.Permission.HasAnyUnitAccess() && !ctx.IsUserSiteAdmin() {
ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")
return
}
if err != nil {
ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
return
- } else if !permission.HasAccess() {
+ } else if !permission.HasAnyUnitAccess() {
ctx.NotFound()
return
}
ctx.ServerError("GetUserRepoPermission", err)
return
}
- repositoryAccessMap[pd.Repository.ID] = permission.HasAccess()
+ repositoryAccessMap[pd.Repository.ID] = permission.HasAnyUnitAccess()
}
hasPackages, err := packages_model.HasOwnerPackages(ctx, ctx.ContextUser.ID)
ctx.ServerError("GetUserRepoPermission", err)
return
}
- hasRepositoryAccess = permission.HasAccess()
+ hasRepositoryAccess = permission.HasAnyUnitAccess()
}
ctx.Data["HasRepositoryAccess"] = hasRepositoryAccess
return
}
- // Check access.
- if !ctx.Repo.Permission.HasAccess() {
+ if !ctx.Repo.Permission.HasAnyUnitAccessOrEveryoneAccess() {
if ctx.FormString("go-get") == "1" {
EarlyResponseForGoGetMeta(ctx)
return
return nil, err
}
- if permission.HasAccess() {
+ if permission.HasAnyUnitAccess() {
repo = ToRepo(ctx, pd.Repository, permission)
}
}
return fmt.Errorf("GetTeamMembers: %w", err)
}
for _, member := range teamMembers {
- has, err := access_model.HasAccess(ctx, member.ID, repo)
+ has, err := access_model.HasAnyUnitAccess(ctx, member.ID, repo)
if err != nil {
return err
} else if has {
}
// In case the new owner would not have sufficient access to the repo, give access rights for read
- hasAccess, err := access_model.HasAccess(ctx, newOwner.ID, repo)
+ hasAccess, err := access_model.HasAnyUnitAccess(ctx, newOwner.ID, repo)
if err != nil {
return err
}
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
repo.Owner = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
- hasAccess, err := access_model.HasAccess(db.DefaultContext, recipient.ID, repo)
+ hasAccess, err := access_model.HasAnyUnitAccess(db.DefaultContext, recipient.ID, repo)
assert.NoError(t, err)
assert.False(t, hasAccess)
assert.NoError(t, StartRepositoryTransfer(db.DefaultContext, doer, recipient, repo, nil))
- hasAccess, err = access_model.HasAccess(db.DefaultContext, recipient.ID, repo)
+ hasAccess, err = access_model.HasAnyUnitAccess(db.DefaultContext, recipient.ID, repo)
assert.NoError(t, err)
assert.True(t, hasAccess)
assert.Len(t, repoNames, expected.count)
for _, repo := range body.Data {
r := getRepo(t, repo.ID)
- hasAccess, err := access_model.HasAccess(db.DefaultContext, userID, r)
+ hasAccess, err := access_model.HasAnyUnitAccess(db.DefaultContext, userID, r)
assert.NoError(t, err, "Error when checking if User: %d has access to %s: %v", userID, repo.FullName, err)
assert.True(t, hasAccess, "User: %d does not have access to %s", userID, repo.FullName)