diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-01-05 11:37:00 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-05 11:37:00 +0800 |
| commit | 8760af752abd94f050c6014c8cfa3cb6a6c854b7 (patch) | |
| tree | 2b2afeebc46348eec296a6cd9d086f84a94cf664 /models | |
| parent | 12ad6dd0e385fea277f5344d52865c9599232c22 (diff) | |
| download | gitea-8760af752abd94f050c6014c8cfa3cb6a6c854b7.tar.gz gitea-8760af752abd94f050c6014c8cfa3cb6a6c854b7.zip | |
Team permission allow different unit has different permission (#17811)
* Team permission allow different unit has different permission
* Finish the interface and the logic
* Fix lint
* Fix translation
* align center for table cell content
* Fix fixture
* merge
* Fix test
* Add deprecated
* Improve code
* Add tooltip
* Fix swagger
* Fix newline
* Fix tests
* Fix tests
* Fix test
* Fix test
* Max permission of external wiki and issues should be read
* Move team units with limited max level below units table
* Update label and column names
* Some improvements
* Fix lint
* Some improvements
* Fix template variables
* Add permission docs
* improve doc
* Fix fixture
* Fix bug
* Fix some bug
* fix
* gofumpt
* Integration test for migration (#18124)
integrations: basic test for Gitea {dump,restore}-repo
This is a first step for integration testing of DumpRepository and
RestoreRepository. It:
runs a Gitea server,
dumps a repo via DumpRepository to the filesystem,
restores the repo via RestoreRepository from the filesystem,
dumps the restored repository to the filesystem,
compares the first and second dump and expects them to be identical
The verification is trivial and the goal is to add more tests for each
topic of the dump.
Signed-off-by: Loïc Dachary <loic@dachary.org>
* Team permission allow different unit has different permission
* Finish the interface and the logic
* Fix lint
* Fix translation
* align center for table cell content
* Fix fixture
* merge
* Fix test
* Add deprecated
* Improve code
* Add tooltip
* Fix swagger
* Fix newline
* Fix tests
* Fix tests
* Fix test
* Fix test
* Max permission of external wiki and issues should be read
* Move team units with limited max level below units table
* Update label and column names
* Some improvements
* Fix lint
* Some improvements
* Fix template variables
* Add permission docs
* improve doc
* Fix fixture
* Fix bug
* Fix some bug
* Fix bug
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>
Diffstat (limited to 'models')
| -rw-r--r-- | models/access.go | 8 | ||||
| -rw-r--r-- | models/fixtures/team_unit.yml | 47 | ||||
| -rw-r--r-- | models/issue.go | 6 | ||||
| -rw-r--r-- | models/migrations/migrations.go | 3 | ||||
| -rw-r--r-- | models/migrations/v206.go | 29 | ||||
| -rw-r--r-- | models/org.go | 6 | ||||
| -rw-r--r-- | models/org_team.go | 48 | ||||
| -rw-r--r-- | models/org_team_test.go | 2 | ||||
| -rw-r--r-- | models/perm/access_mode.go | 4 | ||||
| -rw-r--r-- | models/repo_permission.go | 11 | ||||
| -rw-r--r-- | models/review.go | 2 | ||||
| -rw-r--r-- | models/unit/unit.go | 75 |
12 files changed, 195 insertions, 46 deletions
diff --git a/models/access.go b/models/access.go index 6a97bcffcf..48b65c2c0f 100644 --- a/models/access.go +++ b/models/access.go @@ -162,7 +162,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i // Owner team gets owner access, and skip for teams that do not // have relations with repository. if t.IsOwnerTeam() { - t.Authorize = perm.AccessModeOwner + t.AccessMode = perm.AccessModeOwner } else if !t.hasRepository(e, repo.ID) { continue } @@ -171,7 +171,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i return fmt.Errorf("getMembers '%d': %v", t.ID, err) } for _, m := range t.Members { - updateUserAccess(accessMap, m, t.Authorize) + updateUserAccess(accessMap, m, t.AccessMode) } } @@ -210,10 +210,10 @@ func recalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid for _, t := range teams { if t.IsOwnerTeam() { - t.Authorize = perm.AccessModeOwner + t.AccessMode = perm.AccessModeOwner } - accessMode = maxAccessMode(accessMode, t.Authorize) + accessMode = maxAccessMode(accessMode, t.AccessMode) } } diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml index 943745c000..66f0d22efd 100644 --- a/models/fixtures/team_unit.yml +++ b/models/fixtures/team_unit.yml @@ -2,223 +2,268 @@ id: 1 team_id: 1 type: 1 + access_mode: 4 - id: 2 team_id: 1 type: 2 + access_mode: 4 - id: 3 team_id: 1 type: 3 + access_mode: 4 - id: 4 team_id: 1 type: 4 + access_mode: 4 - id: 5 team_id: 1 type: 5 + access_mode: 4 - id: 6 team_id: 1 type: 6 + access_mode: 4 - id: 7 team_id: 1 type: 7 + access_mode: 4 - id: 8 team_id: 2 type: 1 + access_mode: 2 - id: 9 team_id: 2 type: 2 + access_mode: 2 - id: 10 team_id: 2 type: 3 + access_mode: 2 - id: 11 team_id: 2 type: 4 + access_mode: 2 - id: 12 team_id: 2 type: 5 + access_mode: 2 - id: 13 team_id: 2 type: 6 + access_mode: 2 - id: 14 team_id: 2 type: 7 + access_mode: 2 - id: 15 team_id: 3 type: 1 + access_mode: 4 - id: 16 team_id: 3 type: 2 + access_mode: 4 - id: 17 team_id: 3 type: 3 + access_mode: 4 - id: 18 team_id: 3 type: 4 + access_mode: 4 - id: 19 team_id: 3 type: 5 + access_mode: 4 - id: 20 team_id: 3 type: 6 + access_mode: 4 - id: 21 team_id: 3 type: 7 + access_mode: 4 - id: 22 team_id: 4 type: 1 + access_mode: 4 - id: 23 team_id: 4 type: 2 + access_mode: 4 - id: 24 team_id: 4 type: 3 + access_mode: 4 - id: 25 team_id: 4 type: 4 + access_mode: 4 - id: 26 team_id: 4 type: 5 + access_mode: 4 - id: 27 team_id: 4 type: 6 + access_mode: 4 - id: 28 team_id: 4 type: 7 + access_mode: 4 - id: 29 team_id: 5 type: 1 + access_mode: 4 - id: 30 team_id: 5 type: 2 + access_mode: 4 - id: 31 team_id: 5 type: 3 + access_mode: 4 - id: 32 team_id: 5 type: 4 + access_mode: 4 - id: 33 team_id: 5 type: 5 + access_mode: 4 - id: 34 team_id: 5 type: 6 + access_mode: 4 - id: 35 team_id: 5 type: 7 + access_mode: 4 - id: 36 team_id: 6 type: 1 + access_mode: 4 - id: 37 team_id: 6 type: 2 + access_mode: 4 - id: 38 team_id: 6 type: 3 + access_mode: 4 - id: 39 team_id: 6 type: 4 + access_mode: 4 - id: 40 team_id: 6 type: 5 + access_mode: 4 - id: 41 team_id: 6 type: 6 + access_mode: 4 - id: 42 team_id: 6 type: 7 + access_mode: 4 - id: 43 team_id: 7 type: 2 # issues + access_mode: 2 - id: 44 team_id: 8 type: 2 # issues + access_mode: 2 - id: 45 team_id: 9 - type: 1 # code
\ No newline at end of file + type: 1 # code + access_mode: 1 diff --git a/models/issue.go b/models/issue.go index f0040fbbc1..108d9b217a 100644 --- a/models/issue.go +++ b/models/issue.go @@ -1350,8 +1350,8 @@ func (opts *IssuesOptions) setupSession(sess *xorm.Session) { // issuePullAccessibleRepoCond userID must not be zero, this condition require join repository table func issuePullAccessibleRepoCond(repoIDstr string, userID int64, org *Organization, team *Team, isPull bool) builder.Cond { - var cond = builder.NewCond() - var unitType = unit.TypeIssues + cond := builder.NewCond() + unitType := unit.TypeIssues if isPull { unitType = unit.TypePullRequests } @@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_ unittype = unit.TypePullRequests } for _, team := range teams { - if team.Authorize >= perm.AccessModeOwner { + if team.AccessMode >= perm.AccessModeAdmin { checked = append(checked, team.ID) resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true continue diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 4b720c3f02..9423e5c5f6 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -60,7 +60,6 @@ type Version struct { // If you want to "retire" a migration, remove it from the top of the list and // update minDBVersion accordingly var migrations = []Migration{ - // Gitea 1.5.0 ends at v69 // v70 -> v71 @@ -365,6 +364,8 @@ var migrations = []Migration{ NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified), // v205 -> v206 NewMigration("Migrate to higher varchar on user struct", migrateUserPasswordSalt), + // v206 -> v207 + NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit), } // GetCurrentDBVersion returns the current db version diff --git a/models/migrations/v206.go b/models/migrations/v206.go new file mode 100644 index 0000000000..c6a5dc811c --- /dev/null +++ b/models/migrations/v206.go @@ -0,0 +1,29 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "fmt" + + "xorm.io/xorm" +) + +func addAuthorizeColForTeamUnit(x *xorm.Engine) error { + type TeamUnit struct { + ID int64 `xorm:"pk autoincr"` + OrgID int64 `xorm:"INDEX"` + TeamID int64 `xorm:"UNIQUE(s)"` + Type int `xorm:"UNIQUE(s)"` + AccessMode int + } + + if err := x.Sync2(new(TeamUnit)); err != nil { + return fmt.Errorf("sync2: %v", err) + } + + // migrate old permission + _, err := x.Exec("UPDATE team_unit SET access_mode = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)") + return err +} diff --git a/models/org.go b/models/org.go index c135bb9d3c..0ea2ce6886 100644 --- a/models/org.go +++ b/models/org.go @@ -265,7 +265,7 @@ func CreateOrganization(org *Organization, owner *user_model.User) (err error) { OrgID: org.ID, LowerName: strings.ToLower(ownerTeamName), Name: ownerTeamName, - Authorize: perm.AccessModeOwner, + AccessMode: perm.AccessModeOwner, NumMembers: 1, IncludesAllRepositories: true, CanCreateOrgRepo: true, @@ -523,7 +523,7 @@ type FindOrgOptions struct { } func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder { - var cond = builder.Eq{"uid": userID} + cond := builder.Eq{"uid": userID} if !includePrivate { cond["is_public"] = true } @@ -531,7 +531,7 @@ func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder { } func (opts FindOrgOptions) toConds() builder.Cond { - var cond = builder.NewCond() + cond := builder.NewCond() if opts.UserID > 0 { cond = cond.And(builder.In("`user`.`id`", queryUserOrgIDs(opts.UserID, opts.IncludePrivate))) } diff --git a/models/org_team.go b/models/org_team.go index 7eac0f7bc5..bce4afb061 100644 --- a/models/org_team.go +++ b/models/org_team.go @@ -32,7 +32,7 @@ type Team struct { LowerName string Name string Description string - Authorize perm.AccessMode + AccessMode perm.AccessMode `xorm:"'authorize'"` Repos []*repo_model.Repository `xorm:"-"` Members []*user_model.User `xorm:"-"` NumRepos int @@ -126,7 +126,7 @@ func (t *Team) ColorFormat(s fmt.State) { log.NewColoredIDValue(t.ID), t.Name, log.NewColoredIDValue(t.OrgID), - t.Authorize) + t.AccessMode) } // GetUnits return a list of available units for a team @@ -145,15 +145,29 @@ func (t *Team) getUnits(e db.Engine) (err error) { // GetUnitNames returns the team units names func (t *Team) GetUnitNames() (res []string) { + if t.AccessMode >= perm.AccessModeAdmin { + return unit.AllUnitKeyNames() + } + for _, u := range t.Units { res = append(res, unit.Units[u.Type].NameKey) } return } -// HasWriteAccess returns true if team has at least write level access mode. -func (t *Team) HasWriteAccess() bool { - return t.Authorize >= perm.AccessModeWrite +// GetUnitsMap returns the team units permissions +func (t *Team) GetUnitsMap() map[string]string { + m := make(map[string]string) + if t.AccessMode >= perm.AccessModeAdmin { + for _, u := range unit.Units { + m[u.NameKey] = t.AccessMode.String() + } + } else { + for _, u := range t.Units { + m[u.Unit().NameKey] = u.AccessMode.String() + } + } + return m } // IsOwnerTeam returns true if team is owner team. @@ -455,16 +469,25 @@ func (t *Team) UnitEnabled(tp unit.Type) bool { } func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool { + return t.unitAccessMode(e, tp) > perm.AccessModeNone +} + +// UnitAccessMode returns if the team has the given unit type enabled +func (t *Team) UnitAccessMode(tp unit.Type) perm.AccessMode { + return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp) +} + +func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode { if err := t.getUnits(e); err != nil { log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error()) } for _, unit := range t.Units { if unit.Type == tp { - return true + return unit.AccessMode } } - return false + return perm.AccessModeNone } // IsUsableTeamName tests if a name could be as team name @@ -661,7 +684,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) { Delete(new(TeamUnit)); err != nil { return err } - if _, err = sess.Cols("org_id", "team_id", "type").Insert(&t.Units); err != nil { + if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil { return err } } @@ -1033,10 +1056,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea // TeamUnit describes all units of a repository type TeamUnit struct { - ID int64 `xorm:"pk autoincr"` - OrgID int64 `xorm:"INDEX"` - TeamID int64 `xorm:"UNIQUE(s)"` - Type unit.Type `xorm:"UNIQUE(s)"` + ID int64 `xorm:"pk autoincr"` + OrgID int64 `xorm:"INDEX"` + TeamID int64 `xorm:"UNIQUE(s)"` + Type unit.Type `xorm:"UNIQUE(s)"` + AccessMode perm.AccessMode } // Unit returns Unit diff --git a/models/org_team_test.go b/models/org_team_test.go index 59b7b6d5a8..aa62cc58e2 100644 --- a/models/org_team_test.go +++ b/models/org_team_test.go @@ -211,7 +211,7 @@ func TestUpdateTeam(t *testing.T) { team.LowerName = "newname" team.Name = "newName" team.Description = strings.Repeat("A long description!", 100) - team.Authorize = perm.AccessModeAdmin + team.AccessMode = perm.AccessModeAdmin assert.NoError(t, UpdateTeam(team, true, false)) team = unittest.AssertExistsAndLoadBean(t, &Team{Name: "newName"}).(*Team) diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go index f2c0a322a0..dfa7f7b752 100644 --- a/models/perm/access_mode.go +++ b/models/perm/access_mode.go @@ -51,11 +51,13 @@ func (mode AccessMode) ColorFormat(s fmt.State) { // ParseAccessMode returns corresponding access mode to given permission string. func ParseAccessMode(permission string) AccessMode { switch permission { + case "read": + return AccessModeRead case "write": return AccessModeWrite case "admin": return AccessModeAdmin default: - return AccessModeRead + return AccessModeNone } } diff --git a/models/repo_permission.go b/models/repo_permission.go index 40b63aa804..4e5cbfd558 100644 --- a/models/repo_permission.go +++ b/models/repo_permission.go @@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use // if user in an owner team for _, team := range teams { - if team.Authorize >= perm_model.AccessModeOwner { + if team.AccessMode >= perm_model.AccessModeAdmin { perm.AccessMode = perm_model.AccessModeOwner perm.UnitsMode = nil return @@ -249,10 +249,11 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use for _, u := range repo.Units { var found bool for _, team := range teams { - if team.unitEnabled(e, u.Type) { + teamMode := team.unitAccessMode(e, u.Type) + if teamMode > perm_model.AccessModeNone { m := perm.UnitsMode[u.Type] - if m < team.Authorize { - perm.UnitsMode[u.Type] = team.Authorize + if m < teamMode { + perm.UnitsMode[u.Type] = teamMode } found = true } @@ -324,7 +325,7 @@ func isUserRepoAdmin(e db.Engine, repo *repo_model.Repository, user *user_model. } for _, team := range teams { - if team.Authorize >= perm_model.AccessModeAdmin { + if team.AccessMode >= perm_model.AccessModeAdmin { return true, nil } } diff --git a/models/review.go b/models/review.go index eeb33611ce..023f98c3ea 100644 --- a/models/review.go +++ b/models/review.go @@ -280,7 +280,7 @@ func isOfficialReviewerTeam(ctx context.Context, issue *Issue, team *Team) (bool } if !pr.ProtectedBranch.EnableApprovalsWhitelist { - return team.Authorize >= perm.AccessModeWrite, nil + return team.UnitAccessMode(unit.TypeCode) >= perm.AccessModeWrite, nil } return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil diff --git a/models/unit/unit.go b/models/unit/unit.go index 0af4640b7a..b05f34b64c 100644 --- a/models/unit/unit.go +++ b/models/unit/unit.go @@ -8,6 +8,7 @@ import ( "fmt" "strings" + "code.gitea.io/gitea/models/perm" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" ) @@ -17,14 +18,15 @@ type Type int // Enumerate all the unit types const ( - TypeCode Type = iota + 1 // 1 code - TypeIssues // 2 issues - TypePullRequests // 3 PRs - TypeReleases // 4 Releases - TypeWiki // 5 Wiki - TypeExternalWiki // 6 ExternalWiki - TypeExternalTracker // 7 ExternalTracker - TypeProjects // 8 Kanban board + TypeInvalid Type = iota // 0 invalid + TypeCode // 1 code + TypeIssues // 2 issues + TypePullRequests // 3 PRs + TypeReleases // 4 Releases + TypeWiki // 5 Wiki + TypeExternalWiki // 6 ExternalWiki + TypeExternalTracker // 7 ExternalTracker + TypeProjects // 8 Kanban board ) // Value returns integer value for unit type @@ -170,11 +172,12 @@ func (u *Type) CanBeDefault() bool { // Unit is a section of one repository type Unit struct { - Type Type - NameKey string - URI string - DescKey string - Idx int + Type Type + NameKey string + URI string + DescKey string + Idx int + MaxAccessMode perm.AccessMode // The max access mode of the unit. i.e. Read means this unit can only be read. } // CanDisable returns if this unit could be disabled. @@ -198,6 +201,7 @@ var ( "/", "repo.code.desc", 0, + perm.AccessModeOwner, } UnitIssues = Unit{ @@ -206,6 +210,7 @@ var ( "/issues", "repo.issues.desc", 1, + perm.AccessModeOwner, } UnitExternalTracker = Unit{ @@ -214,6 +219,7 @@ var ( "/issues", "repo.ext_issues.desc", 1, + perm.AccessModeRead, } UnitPullRequests = Unit{ @@ -222,6 +228,7 @@ var ( "/pulls", "repo.pulls.desc", 2, + perm.AccessModeOwner, } UnitReleases = Unit{ @@ -230,6 +237,7 @@ var ( "/releases", "repo.releases.desc", 3, + perm.AccessModeOwner, } UnitWiki = Unit{ @@ -238,6 +246,7 @@ var ( "/wiki", "repo.wiki.desc", 4, + perm.AccessModeOwner, } UnitExternalWiki = Unit{ @@ -246,6 +255,7 @@ var ( "/wiki", "repo.ext_wiki.desc", 4, + perm.AccessModeRead, } UnitProjects = Unit{ @@ -254,6 +264,7 @@ var ( "/projects", "repo.projects.desc", 5, + perm.AccessModeOwner, } // Units contains all the units @@ -269,15 +280,51 @@ var ( } ) -// FindUnitTypes give the unit key name and return unit +// FindUnitTypes give the unit key names and return unit func FindUnitTypes(nameKeys ...string) (res []Type) { for _, key := range nameKeys { + var found bool for t, u := range Units { if strings.EqualFold(key, u.NameKey) { res = append(res, t) + found = true break } } + if !found { + res = append(res, TypeInvalid) + } } return } + +// TypeFromKey give the unit key name and return unit +func TypeFromKey(nameKey string) Type { + for t, u := range Units { + if strings.EqualFold(nameKey, u.NameKey) { + return t + } + } + return TypeInvalid +} + +// AllUnitKeyNames returns all unit key names +func AllUnitKeyNames() []string { + res := make([]string, 0, len(Units)) + for _, u := range Units { + res = append(res, u.NameKey) + } + return res +} + +// MinUnitAccessMode returns the minial permission of the permission map +func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode { + res := perm.AccessModeNone + for _, mode := range unitsMap { + // get the minial permission great than AccessModeNone except all are AccessModeNone + if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) { + res = mode + } + } + return res +} |