author | David Svantesson <davidsvantesson@gmail.com> | 2020-01-05 02:23:29 +0100 |
---|---|---|
committer | techknowlogick <techknowlogick@gitea.io> | 2020-01-04 20:23:29 -0500 |
commit | 03d59bcd1dc775b6b8e52136dff1ba508838db2d (patch) | |
tree | b56863f88397cf65569bbcf07acb3ec1d7a49986 /models | |
parent | 8b2407371365fc123fc368bfd46b15f55ba8ae6a (diff) | |
Fix access issues on milestone and issue overview pages. (#9603)
* Fix access issues on milestone and issue overview pages.
* Fix filter algorithm
Diffstat (limited to 'models')
-rw-r--r-- | models/repo_permission.go | 20 | ||||
-rw-r--r-- | models/user.go | 15 |
2 files changed, 28 insertions, 7 deletions
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 782b195629..79d7dd012b 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -369,3 +369,23 @@ func hasAccess(e Engine, userID int64, repo *Repository) (bool, error) {
 func HasAccess(userID int64, repo *Repository) (bool, error) {
 return hasAccess(x, userID, repo)
 }
+
+// FilterOutRepoIdsWithoutUnitAccess filter out repos where user has no access to repositories
+func FilterOutRepoIdsWithoutUnitAccess(u *User, repoIDs []int64, units ...UnitType) ([]int64, error) {
+ i := 0
+ for _, rID := range repoIDs {
+ repo, err := GetRepositoryByID(rID)
+ if err != nil {
+ return nil, err
+ }
+ perm, err := GetUserRepoPermission(repo, u)
+ if err != nil {
+ return nil, err
+ }
+ if perm.CanReadAny(units...) {
+ repoIDs[i] = rID
+ i++
+ }
+ }
+ return repoIDs[:i], nil
+}
diff --git a/models/user.go b/models/user.go
index a8f2c6fd22..f2c0a1861e 100644
--- a/models/user.go
+++ b/models/user.go
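Review bot: `FilterOutRepoIdsWithoutUnitAccess` in models/repo_permission.go compacts `repoIDs` in place and returns `repoIDs[:i]`, so the caller's slice contents are overwritten through the shared backing array, and the doc comment does not say so. Because this exported helper is the access filter for the overview pages, the comment should spell out the contract, for example `// FilterOutRepoIdsWithoutUnitAccess returns the IDs from repoIDs whose repository u can read for at least one of units; it reuses repoIDs' backing array.` With an empty `units` it presumably returns no IDs at all (that depends on `CanReadAny`, which is not shown here), which deserves a sentence as well. Note also that a single `GetRepositoryByID` error, such as a repository deleted between the ID query and this loop, fails the whole listing; that is fail-closed, but skipping a repository that no longer exists may be what is wanted.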
@@ -638,19 +638,20 @@ func (u *User) GetRepositoryIDs(units ...UnitType) ([]int64, error) { func (u *User) GetOrgRepositoryIDs(units ...UnitType) ([]int64, error) { var ids []int64 - sess := x.Table("repository"). + if err := x.Table("repository"). Cols("repository.id"). Join("INNER", "team_user", "repository.owner_id = team_user.org_id"). - Join("INNER", "team_repo", "repository.is_private != ? OR (team_user.team_id = team_repo.team_id AND repository.id = team_repo.repo_id)", true) + Join("INNER", "team_repo", "repository.is_private != ? OR (team_user.team_id = team_repo.team_id AND repository.id = team_repo.repo_id)", true). + Where("team_user.uid = ?", u.ID). + GroupBy("repository.id").Find(&ids); err != nil { + return nil, err + } if len(units) > 0 { - sess = sess.Join("INNER", "team_unit", "team_unit.team_id = team_user.team_id") - sess = sess.In("team_unit.type", units) + return FilterOutRepoIdsWithoutUnitAccess(u, ids, units...) } - return ids, sess. - Where("team_user.uid = ?", u.ID). - GroupBy("repository.id").Find(&ids) + return ids, nil } // GetAccessRepoIDs returns all repositories IDs where user's or user is a team member organizations |
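Review bot: In `GetOrgRepositoryIDs` the per-repository permission check runs only inside `if len(units) > 0`; a caller that passes no units gets the IDs straight from the join via `return ids, nil`, without any `GetUserRepoPermission` lookup. If that path is meant to rely on the join conditions alone, a comment above the final return would make it explicit, e.g. `// no units requested: the join above is the only access filter`. As a matter of style, the `if err := ...; err != nil {` condition now wraps the whole multi-line query chain, which pushes the error check to the end of the `Find(&ids)` line; assigning the result of the chain to `err` first and testing `if err != nil` on its own line would read more clearly.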