authorManush Dodunekov <manush@stendahls.se>2020-01-13 19:33:46 +0200
committerAntoine GIRARD <sapk@users.noreply.github.com>2020-01-13 18:33:46 +0100
commit1751d5fcf200b7d78ec5543fa620174c69d2746a (patch)
treedfc9584c2c60ede1fcef436de02dc66d28fd9647 /models/user.go
parent0b3aaa61964faa85b8008b04487388cc362ab436 (diff)
Restricted users (#6274)
* Restricted users (#4334): initial implementation * Add User.IsRestricted & UI to edit it * Pass user object instead of user id to places where IsRestricted flag matters * Restricted users: maintain access rows for all referenced repos (incl public) * Take logged in user & IsRestricted flag into account in org/repo listings, searches and accesses * Add basic repo access tests for restricted users Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Mention restricted users in the faq Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert unnecessary change `.isUserPartOfOrg` -> `.IsUserPartOfOrg` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Remove unnecessary `org.IsOrganization()` call Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert to an `int64` keyed `accessMap` * Add type `userAccess` * Add convenience func updateUserAccess() * Turn accessMap into a `map[int64]userAccess` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * or even better: `map[int64]*userAccess` * updateUserAccess(): use tighter syntax as suggested by lafriks * even tighter * Avoid extra loop * Don't disclose limited orgs to unauthenticated users * Don't assume block only applies to orgs * Use an array of `VisibleType` for filtering * fix yet another thinko * Ok - no need for u * Revert "Ok - no need for u" This reverts commit 5c3e886aabd5acd997a3b35687d322439732c200. Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com> Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'models/user.go')
-rw-r--r--models/user.go19
1 files changed, 13 insertions, 6 deletions
diff --git a/models/user.go b/models/user.go
index dc8ae7e0f8..ea1d110807 100644
--- a/models/user.go
+++ b/models/user.go
@@ -132,6 +132,7 @@ type User struct {
// Permissions
IsActive bool `xorm:"INDEX"` // Activate primary email
IsAdmin bool
+ IsRestricted bool `xorm:"NOT NULL DEFAULT false"`
AllowGitHook bool
AllowImportLocal bool // Allow migrate repository by local path
AllowCreateOrganization bool `xorm:"DEFAULT true"`
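Review bot: The new `IsRestricted` field in the `// Permissions` group has no comment, although it is the flag the visibility queries later in this commit branch on. A short trailing comment would spell out the access-control meaning, for example `// Restricted users only see organizations and repositories they were explicitly given access to`. The column is `NOT NULL DEFAULT false`, so existing accounts stay unrestricted after the schema change, which is worth stating in the same comment or in the migration notes. The struct continues outside this hunk.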
@@ -641,7 +642,7 @@ func (u *User) GetOrgRepositoryIDs(units ...UnitType) ([]int64, error) {
if err := x.Table("repository").
Cols("repository.id").
Join("INNER", "team_user", "repository.owner_id = team_user.org_id").
- Join("INNER", "team_repo", "repository.is_private != ? OR (team_user.team_id = team_repo.team_id AND repository.id = team_repo.repo_id)", true).
+ Join("INNER", "team_repo", "(? != ? and repository.is_private != ?) OR (team_user.team_id = team_repo.team_id AND repository.id = team_repo.repo_id)", true, u.IsRestricted, true).
Where("team_user.uid = ?", u.ID).
GroupBy("repository.id").Find(&ids); err != nil {
return nil, err
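Review bot: The new join condition encodes "user is not restricted" as `? != ?` bound to `true, u.IsRestricted`, so the access decision depends on how each supported database and driver types and compares two bare boolean parameters. That may differ between backends and should be confirmed on every one the project targets. It is also hard to read as a permission check. Deciding in Go would be clearer: always use `team_user.team_id = team_repo.team_id AND repository.id = team_repo.repo_id`, and prepend `repository.is_private != ? OR (...)` only when `!u.IsRestricted`. Either way, a comment such as `// restricted users get only repositories granted through a team, never the org's public ones` would record the intent. The body of GetOrgRepositoryIDs starts and ends outside this hunk.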
@@ -1470,7 +1471,7 @@ type SearchUserOptions struct {
OrderBy SearchOrderBy
Page int
Visible []structs.VisibleType
- OwnerID int64 // id of user for visibility calculation
+ Actor *User // The user doing the search
PageSize int // Can be smaller than or equal to setting.UI.ExplorePagingNum
IsActive util.OptionalBool
SearchByEmail bool // Search by email as well as username/full name
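Review bot: The comment on `Actor` does not say what a nil value means, yet the later hunk in `toConds` only adds the membership and restricted-user filter when `opts.Actor != nil`. A caller that forgets to set the field is therefore treated like an anonymous search rather than failing, so the restriction depends on every call site passing the signed-in user. I would document that contract on the field, for example `// The user doing the search; nil means anonymous and skips the per-user visibility filter`. The other visibility conditions that apply in the nil case are outside the visible hunks.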
@@ -1498,7 +1499,7 @@ func (opts *SearchUserOptions) toConds() builder.Cond {
cond = cond.And(builder.In("visibility", structs.VisibleTypePublic))
}
- if opts.OwnerID > 0 {
+ if opts.Actor != nil {
var exprCond builder.Cond
if setting.Database.UseMySQL {
exprCond = builder.Expr("org_user.org_id = user.id")
@@ -1507,9 +1508,15 @@ func (opts *SearchUserOptions) toConds() builder.Cond {
} else {
exprCond = builder.Expr("org_user.org_id = \"user\".id")
}
- accessCond := builder.Or(
- builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.OwnerID}, builder.Eq{"visibility": structs.VisibleTypePrivate}))),
- builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
+ var accessCond = builder.NewCond()
+ if !opts.Actor.IsRestricted {
+ accessCond = builder.Or(
+ builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID}, builder.Eq{"visibility": structs.VisibleTypePrivate}))),
+ builder.In("visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited))
+ } else {
+ // restricted users only see orgs they are a member of
+ accessCond = builder.In("id", builder.Select("org_id").From("org_user").LeftJoin("`user`", exprCond).Where(builder.And(builder.Eq{"uid": opts.Actor.ID})))
+ }
cond = cond.And(accessCond)
}
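Review bot: In the restricted branch, `builder.And(builder.Eq{"uid": opts.Actor.ID})` wraps a single condition and can be `.Where(builder.Eq{"uid": opts.Actor.ID})`. The initial `builder.NewCond()` is overwritten on both paths, so `var accessCond builder.Cond` is enough. The two branches also repeat the same `org_user` subquery, so building it once and adding the `visibility` filter only for the unrestricted case would make the difference between them easier to audit. The restricted condition is `id IN (orgs the actor belongs to)`. If the enclosing block also runs for searches that return individual users, a restricted actor would match none of them, which should be confirmed against the part of `toConds` outside this hunk. A test that a restricted actor gets neither public nor limited organizations they do not belong to would pin the intended behaviour.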