Ignore permission definitions for admins, it just confuses things

4 files changed, 49 insertions, 30 deletions

diff --git a/src/com/gitblit/ConfigUserService.java b/src/com/gitblit/ConfigUserService.java
index 015cef76..9ad805b6 100644
--- a/src/com/gitblit/ConfigUserService.java
+++ b/src/com/gitblit/ConfigUserService.java
@@ -841,7 +841,7 @@ public class ConfigUserService implements IUserService {
 			config.setStringList(USER, model.username, ROLE, roles);

 

 			// discrete repository permissions

-			if (model.permissions != null) {

+			if (model.permissions != null && !model.canAdmin) {

 				List<String> permissions = new ArrayList<String>();

 				for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {

 					if (entry.getValue().exceeds(AccessPermission.NONE)) {

@@ -872,23 +872,26 @@ public class ConfigUserService implements IUserService {
 			}

 			config.setStringList(TEAM, model.name, ROLE, roles);

 			

-			if (model.permissions == null) {

-				// null check on "final" repositories because JSON-sourced TeamModel

-				// can have a null repositories object

-				if (!ArrayUtils.isEmpty(model.repositories)) {

-					config.setStringList(TEAM, model.name, REPOSITORY, new ArrayList<String>(

-							model.repositories));

-				}

-			} else {

-				// discrete repository permissions

-				List<String> permissions = new ArrayList<String>();

-				for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {

-					if (entry.getValue().exceeds(AccessPermission.NONE)) {

-						// code:repository (e.g. RW+:~james/myrepo.git

-						permissions.add(entry.getValue().asRole(entry.getKey()));

+			if (!model.canAdmin) {

+				// write team permission for non-admin teams

+				if (model.permissions == null) {

+					// null check on "final" repositories because JSON-sourced TeamModel

+					// can have a null repositories object

+					if (!ArrayUtils.isEmpty(model.repositories)) {

+						config.setStringList(TEAM, model.name, REPOSITORY, new ArrayList<String>(

+								model.repositories));

 					}

+				} else {

+					// discrete repository permissions

+					List<String> permissions = new ArrayList<String>();

+					for (Map.Entry<String, AccessPermission> entry : model.permissions.entrySet()) {

+						if (entry.getValue().exceeds(AccessPermission.NONE)) {

+							// code:repository (e.g. RW+:~james/myrepo.git

+							permissions.add(entry.getValue().asRole(entry.getKey()));

+						}

+					}

+					config.setStringList(TEAM, model.name, REPOSITORY, permissions);

 				}

-				config.setStringList(TEAM, model.name, REPOSITORY, permissions);

 			}

 

 			// null check on "final" users because JSON-sourced TeamModel

@@ -975,10 +978,13 @@ public class ConfigUserService implements IUserService {
 					user.excludeFromFederation = roles.contains(Constants.NOT_FEDERATED_ROLE);

 

 					// repository memberships

-					Set<String> repositories = new HashSet<String>(Arrays.asList(config

-							.getStringList(USER, username, REPOSITORY)));

-					for (String repository : repositories) {

-						user.addRepositoryPermission(repository);

+					if (!user.canAdmin) {

+						// non-admin, read permissions

+						Set<String> repositories = new HashSet<String>(Arrays.asList(config

+								.getStringList(USER, username, REPOSITORY)));

+						for (String repository : repositories) {

+							user.addRepositoryPermission(repository);

+						}

 					}

 

 					// update cache

@@ -998,8 +1004,11 @@ public class ConfigUserService implements IUserService {
 					team.canFork = roles.contains(Constants.FORK_ROLE);

 					team.canCreate = roles.contains(Constants.CREATE_ROLE);

 					

-					team.addRepositoryPermissions(Arrays.asList(config.getStringList(TEAM, teamname,

-							REPOSITORY)));

+					if (!team.canAdmin) {

+						// non-admin team, read permissions

+						team.addRepositoryPermissions(Arrays.asList(config.getStringList(TEAM, teamname,

+								REPOSITORY)));

+					}

 					team.addUsers(Arrays.asList(config.getStringList(TEAM, teamname, USER)));

 					team.addMailingLists(Arrays.asList(config.getStringList(TEAM, teamname,

 							MAILINGLIST)));

diff --git a/src/com/gitblit/FileUserService.java b/src/com/gitblit/FileUserService.java
index 39c9a5dc..056df820 100644
--- a/src/com/gitblit/FileUserService.java
+++ b/src/com/gitblit/FileUserService.java
@@ -796,7 +796,10 @@ public class FileUserService extends FileSettings implements IUserService {
 							repositories.add(role);

 						}

 					}

-					team.addRepositoryPermissions(repositories);

+					if (!team.canAdmin) {

+						// only read permissions for non-admin teams

+						team.addRepositoryPermissions(repositories);

+					}

 					team.addUsers(users);

 					team.addMailingLists(mailingLists);

 					team.preReceiveScripts.addAll(preReceive);

diff --git a/src/com/gitblit/models/TeamModel.java b/src/com/gitblit/models/TeamModel.java
index 2560e5ce..9587ca7a 100644
--- a/src/com/gitblit/models/TeamModel.java
+++ b/src/com/gitblit/models/TeamModel.java
@@ -98,6 +98,10 @@ public class TeamModel implements Serializable, Comparable<TeamModel> {
 	 */

 	public List<RegistrantAccessPermission> getRepositoryPermissions() {

 		List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>();

+		if (canAdmin) {

+			// team has REWIND access to all repositories

+			return list;

+		}

 		for (Map.Entry<String, AccessPermission> entry : permissions.entrySet()) {

 			String registrant = entry.getKey();

 			String source = null;

diff --git a/src/com/gitblit/models/UserModel.java b/src/com/gitblit/models/UserModel.java
index 0c9b9cc1..23322c26 100644
--- a/src/com/gitblit/models/UserModel.java
+++ b/src/com/gitblit/models/UserModel.java
@@ -138,23 +138,26 @@ public class UserModel implements Principal, Serializable, Comparable<UserModel>
 	 */

 	public List<RegistrantAccessPermission> getRepositoryPermissions() {

 		List<RegistrantAccessPermission> list = new ArrayList<RegistrantAccessPermission>();

+		if (canAdmin()) {

+			// user has REWIND access to all repositories

+			return list;

+		}

 		for (Map.Entry<String, AccessPermission> entry : permissions.entrySet()) {

 			String registrant = entry.getKey();

+			AccessPermission ap = entry.getValue();

 			String source = null;

-			boolean editable = true;

+			boolean mutable = true;

 			PermissionType pType = PermissionType.EXPLICIT;

-			if (canAdmin()) {

-				pType = PermissionType.ADMINISTRATOR;

-				editable = false;

-			} else if (isMyPersonalRepository(registrant)) {

+			if (isMyPersonalRepository(registrant)) {

 				pType = PermissionType.OWNER;

-				editable = false;

+				ap = AccessPermission.REWIND;

+				mutable = false;

 			} else if (StringUtils.findInvalidCharacter(registrant) != null) {

 				// a regex will have at least 1 invalid character

 				pType = PermissionType.REGEX;

 				source = registrant;

 			}

-			list.add(new RegistrantAccessPermission(registrant, entry.getValue(), pType, RegistrantType.REPOSITORY, source, editable));

+			list.add(new RegistrantAccessPermission(registrant, ap, pType, RegistrantType.REPOSITORY, source, mutable));

 		}

 		Collections.sort(list);

 		return list;