summaryrefslogtreecommitdiffstats
path: root/models
diff options
context:
space:
mode:
authorLunny Xiao <xiaolunwen@gmail.com>2023-01-16 16:00:22 +0800
committerGitHub <noreply@github.com>2023-01-16 16:00:22 +0800
commit2782c1439679402a1f8731a94dc66214781282ba (patch)
tree66739f30beb529119694290bdcdba9e02bdcfabd /models
parentcc1f8cbe96c195aab79761c48bc4ec0bff2b3431 (diff)
downloadgitea-2782c1439679402a1f8731a94dc66214781282ba.tar.gz
gitea-2782c1439679402a1f8731a94dc66214781282ba.zip
Supports wildcard protected branch (#20825)
This PR introduce glob match for protected branch name. The separator is `/` and you can use `*` matching non-separator chars and use `**` across separator. It also supports input an exist or non-exist branch name as matching condition and branch name condition has high priority than glob rule. Should fix #2529 and #15705 screenshots <img width="1160" alt="image" src="https://user-images.githubusercontent.com/81045/205651179-ebb5492a-4ade-4bb4-a13c-965e8c927063.png"> Co-authored-by: zeripath <art27@cantab.net>
Diffstat (limited to 'models')
-rw-r--r--models/git/branches.go430
-rw-r--r--models/git/branches_test.go8
-rw-r--r--models/git/protected_branch.go501
-rw-r--r--models/git/protected_branch_list.go86
-rw-r--r--models/git/protected_branch_test.go78
-rw-r--r--models/issues/pull.go22
-rw-r--r--models/issues/review.go17
-rw-r--r--models/org_team.go21
-rw-r--r--models/user.go17
9 files changed, 702 insertions, 478 deletions
diff --git a/models/git/branches.go b/models/git/branches.go
index 5ec9fc1735..b94ea32959 100644
--- a/models/git/branches.go
+++ b/models/git/branches.go
@@ -6,428 +6,15 @@ package git
import (
"context"
"fmt"
- "strings"
"time"
"code.gitea.io/gitea/models/db"
- "code.gitea.io/gitea/models/organization"
- "code.gitea.io/gitea/models/perm"
- access_model "code.gitea.io/gitea/models/perm/access"
repo_model "code.gitea.io/gitea/models/repo"
- "code.gitea.io/gitea/models/unit"
user_model "code.gitea.io/gitea/models/user"
- "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/timeutil"
- "code.gitea.io/gitea/modules/util"
-
- "github.com/gobwas/glob"
)
-// ProtectedBranch struct
-type ProtectedBranch struct {
- ID int64 `xorm:"pk autoincr"`
- RepoID int64 `xorm:"UNIQUE(s)"`
- BranchName string `xorm:"UNIQUE(s)"`
- CanPush bool `xorm:"NOT NULL DEFAULT false"`
- EnableWhitelist bool
- WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableMergeWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- WhitelistDeployKeys bool `xorm:"NOT NULL DEFAULT false"`
- MergeWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- MergeWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- EnableStatusCheck bool `xorm:"NOT NULL DEFAULT false"`
- StatusCheckContexts []string `xorm:"JSON TEXT"`
- EnableApprovalsWhitelist bool `xorm:"NOT NULL DEFAULT false"`
- ApprovalsWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
- ApprovalsWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
- RequiredApprovals int64 `xorm:"NOT NULL DEFAULT 0"`
- BlockOnRejectedReviews bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOfficialReviewRequests bool `xorm:"NOT NULL DEFAULT false"`
- BlockOnOutdatedBranch bool `xorm:"NOT NULL DEFAULT false"`
- DismissStaleApprovals bool `xorm:"NOT NULL DEFAULT false"`
- RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
- ProtectedFilePatterns string `xorm:"TEXT"`
- UnprotectedFilePatterns string `xorm:"TEXT"`
-
- CreatedUnix timeutil.TimeStamp `xorm:"created"`
- UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
-}
-
-func init() {
- db.RegisterModel(new(ProtectedBranch))
- db.RegisterModel(new(DeletedBranch))
- db.RegisterModel(new(RenamedBranch))
-}
-
-// IsProtected returns if the branch is protected
-func (protectBranch *ProtectedBranch) IsProtected() bool {
- return protectBranch.ID > 0
-}
-
-// CanUserPush returns if some user could push to this protected branch
-func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, userID int64) bool {
- if !protectBranch.CanPush {
- return false
- }
-
- if !protectBranch.EnableWhitelist {
- if user, err := user_model.GetUserByID(ctx, userID); err != nil {
- log.Error("GetUserByID: %v", err)
- return false
- } else if repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID); err != nil {
- log.Error("repo_model.GetRepositoryByID: %v", err)
- return false
- } else if writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite); err != nil {
- log.Error("HasAccessUnit: %v", err)
- return false
- } else {
- return writeAccess
- }
- }
-
- if base.Int64sContains(protectBranch.WhitelistUserIDs, userID) {
- return true
- }
-
- if len(protectBranch.WhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, userID, protectBranch.WhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
-}
-
-// IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
-func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {
- if !protectBranch.EnableMergeWhitelist {
- // Then we need to fall back on whether the user has write permission
- return permissionInRepo.CanWrite(unit.TypeCode)
- }
-
- if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {
- return true
- }
-
- if len(protectBranch.MergeWhitelistTeamIDs) == 0 {
- return false
- }
-
- in, err := organization.IsUserInTeams(ctx, userID, protectBranch.MergeWhitelistTeamIDs)
- if err != nil {
- log.Error("IsUserInTeams: %v", err)
- return false
- }
- return in
-}
-
-// IsUserOfficialReviewer check if user is official reviewer for the branch (counts towards required approvals)
-func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch, user *user_model.User) (bool, error) {
- repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
- if err != nil {
- return false, err
- }
-
- if !protectBranch.EnableApprovalsWhitelist {
- // Anyone with write access is considered official reviewer
- writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)
- if err != nil {
- return false, err
- }
- return writeAccess, nil
- }
-
- if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {
- return true, nil
- }
-
- inTeam, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.ApprovalsWhitelistTeamIDs)
- if err != nil {
- return false, err
- }
-
- return inTeam, nil
-}
-
-// GetProtectedFilePatterns parses a semicolon separated list of protected file patterns and returns a glob.Glob slice
-func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.ProtectedFilePatterns)
-}
-
-// GetUnprotectedFilePatterns parses a semicolon separated list of unprotected file patterns and returns a glob.Glob slice
-func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
- return getFilePatterns(protectBranch.UnprotectedFilePatterns)
-}
-
-func getFilePatterns(filePatterns string) []glob.Glob {
- extarr := make([]glob.Glob, 0, 10)
- for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
- expr = strings.TrimSpace(expr)
- if expr != "" {
- if g, err := glob.Compile(expr, '.', '/'); err != nil {
- log.Info("Invalid glob expression '%s' (skipped): %v", expr, err)
- } else {
- extarr = append(extarr, g)
- }
- }
- }
- return extarr
-}
-
-// MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change
-func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(changedProtectedFiles []string) bool {
- glob := protectBranch.GetProtectedFilePatterns()
- if len(glob) == 0 {
- return false
- }
-
- return len(changedProtectedFiles) > 0
-}
-
-// IsProtectedFile return if path is protected
-func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetProtectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
-}
-
-// IsUnprotectedFile return if path is unprotected
-func (protectBranch *ProtectedBranch) IsUnprotectedFile(patterns []glob.Glob, path string) bool {
- if len(patterns) == 0 {
- patterns = protectBranch.GetUnprotectedFilePatterns()
- if len(patterns) == 0 {
- return false
- }
- }
-
- lpath := strings.ToLower(strings.TrimSpace(path))
-
- r := false
- for _, pat := range patterns {
- if pat.Match(lpath) {
- r = true
- break
- }
- }
-
- return r
-}
-
-// GetProtectedBranchBy getting protected branch by ID/Name
-func GetProtectedBranchBy(ctx context.Context, repoID int64, branchName string) (*ProtectedBranch, error) {
- rel := &ProtectedBranch{RepoID: repoID, BranchName: branchName}
- has, err := db.GetByBean(ctx, rel)
- if err != nil {
- return nil, err
- }
- if !has {
- return nil, nil
- }
- return rel, nil
-}
-
-// WhitelistOptions represent all sorts of whitelists used for protected branches
-type WhitelistOptions struct {
- UserIDs []int64
- TeamIDs []int64
-
- MergeUserIDs []int64
- MergeTeamIDs []int64
-
- ApprovalsUserIDs []int64
- ApprovalsTeamIDs []int64
-}
-
-// UpdateProtectBranch saves branch protection options of repository.
-// If ID is 0, it creates a new record. Otherwise, updates existing record.
-// This function also performs check if whitelist user and team's IDs have been changed
-// to avoid unnecessary whitelist delete and regenerate.
-func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
- if err = repo.GetOwner(ctx); err != nil {
- return fmt.Errorf("GetOwner: %w", err)
- }
-
- whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistUserIDs = whitelist
-
- whitelist, err = updateUserWhitelist(ctx, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistUserIDs = whitelist
-
- whitelist, err = updateApprovalWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistUserIDs = whitelist
-
- // if the repo is in an organization
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
- if err != nil {
- return err
- }
- protectBranch.WhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.MergeWhitelistTeamIDs = whitelist
-
- whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
- if err != nil {
- return err
- }
- protectBranch.ApprovalsWhitelistTeamIDs = whitelist
-
- // Make sure protectBranch.ID is not 0 for whitelists
- if protectBranch.ID == 0 {
- if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
- return fmt.Errorf("Insert: %w", err)
- }
- return nil
- }
-
- if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
- return fmt.Errorf("Update: %w", err)
- }
-
- return nil
-}
-
-// GetProtectedBranches get all protected branches
-func GetProtectedBranches(ctx context.Context, repoID int64) ([]*ProtectedBranch, error) {
- protectedBranches := make([]*ProtectedBranch, 0)
- return protectedBranches, db.GetEngine(ctx).Find(&protectedBranches, &ProtectedBranch{RepoID: repoID})
-}
-
-// IsProtectedBranch checks if branch is protected
-func IsProtectedBranch(ctx context.Context, repoID int64, branchName string) (bool, error) {
- protectedBranch := &ProtectedBranch{
- RepoID: repoID,
- BranchName: branchName,
- }
-
- has, err := db.GetEngine(ctx).Exist(protectedBranch)
- if err != nil {
- return true, err
- }
- return has, nil
-}
-
-// updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
-// the users from newWhitelist which have explicit read or write access to the repo.
-func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- if reader, err := access_model.IsRepoReader(ctx, repo, userID); err != nil {
- return nil, err
- } else if !reader {
- continue
- }
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
-}
-
-// updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with
-// the users from newWhitelist which have write access to the repo.
-func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasUsersChanged {
- return currentWhitelist, nil
- }
-
- whitelist = make([]int64, 0, len(newWhitelist))
- for _, userID := range newWhitelist {
- user, err := user_model.GetUserByID(ctx, userID)
- if err != nil {
- return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
- }
- perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
- if err != nil {
- return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %w", userID, repo.ID, err)
- }
-
- if !perm.CanWrite(unit.TypeCode) {
- continue // Drop invalid user ID
- }
-
- whitelist = append(whitelist, userID)
- }
-
- return whitelist, err
-}
-
-// updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with
-// the teams from newWhitelist which have write access to the repo.
-func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
- hasTeamsChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
- if !hasTeamsChanged {
- return currentWhitelist, nil
- }
-
- teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)
- if err != nil {
- return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %w", repo.OwnerID, repo.ID, err)
- }
-
- whitelist = make([]int64, 0, len(teams))
- for i := range teams {
- if util.SliceContains(newWhitelist, teams[i].ID) {
- whitelist = append(whitelist, teams[i].ID)
- }
- }
-
- return whitelist, err
-}
-
-// DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.
-func DeleteProtectedBranch(ctx context.Context, repoID, id int64) (err error) {
- protectedBranch := &ProtectedBranch{
- RepoID: repoID,
- ID: id,
- }
-
- if affected, err := db.GetEngine(ctx).Delete(protectedBranch); err != nil {
- return err
- } else if affected != 1 {
- return fmt.Errorf("delete protected branch ID(%v) failed", id)
- }
-
- return nil
-}
-
// DeletedBranch struct
type DeletedBranch struct {
ID int64 `xorm:"pk autoincr"`
@@ -439,6 +26,11 @@ type DeletedBranch struct {
DeletedUnix timeutil.TimeStamp `xorm:"INDEX created"`
}
+func init() {
+ db.RegisterModel(new(DeletedBranch))
+ db.RegisterModel(new(RenamedBranch))
+}
+
// AddDeletedBranch adds a deleted branch to the database
func AddDeletedBranch(ctx context.Context, repoID int64, branchName, commit string, deletedByID int64) error {
deletedBranch := &DeletedBranch{
@@ -556,17 +148,25 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, from, to str
}
// 2. Update protected branch if needed
- protectedBranch, err := GetProtectedBranchBy(ctx, repo.ID, from)
+ protectedBranch, err := GetProtectedBranchRuleByName(ctx, repo.ID, from)
if err != nil {
return err
}
if protectedBranch != nil {
- protectedBranch.BranchName = to
+ protectedBranch.RuleName = to
_, err = sess.ID(protectedBranch.ID).Cols("branch_name").Update(protectedBranch)
if err != nil {
return err
}
+ } else {
+ protected, err := IsBranchProtected(ctx, repo.ID, from)
+ if err != nil {
+ return err
+ }
+ if protected {
+ return ErrBranchIsProtected
+ }
}
// 3. Update all not merged pull request base branch name
diff --git a/models/git/branches_test.go b/models/git/branches_test.go
index e26a16de03..b7df7f243e 100644
--- a/models/git/branches_test.go
+++ b/models/git/branches_test.go
@@ -105,8 +105,8 @@ func TestRenameBranch(t *testing.T) {
defer committer.Close()
assert.NoError(t, err)
assert.NoError(t, git_model.UpdateProtectBranch(ctx, repo1, &git_model.ProtectedBranch{
- RepoID: repo1.ID,
- BranchName: "master",
+ RepoID: repo1.ID,
+ RuleName: "master",
}, git_model.WhitelistOptions{}))
assert.NoError(t, committer.Commit())
@@ -131,8 +131,8 @@ func TestRenameBranch(t *testing.T) {
assert.Equal(t, int64(1), renamedBranch.RepoID)
unittest.AssertExistsAndLoadBean(t, &git_model.ProtectedBranch{
- RepoID: repo1.ID,
- BranchName: "main",
+ RepoID: repo1.ID,
+ RuleName: "main",
})
}
diff --git a/models/git/protected_branch.go b/models/git/protected_branch.go
new file mode 100644
index 0000000000..355a7464c1
--- /dev/null
+++ b/models/git/protected_branch.go
@@ -0,0 +1,501 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "strings"
+
+ "code.gitea.io/gitea/models/db"
+ "code.gitea.io/gitea/models/organization"
+ "code.gitea.io/gitea/models/perm"
+ access_model "code.gitea.io/gitea/models/perm/access"
+ repo_model "code.gitea.io/gitea/models/repo"
+ "code.gitea.io/gitea/models/unit"
+ user_model "code.gitea.io/gitea/models/user"
+ "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/util"
+
+ "github.com/gobwas/glob"
+ "github.com/gobwas/glob/syntax"
+)
+
+var ErrBranchIsProtected = errors.New("branch is protected")
+
+// ProtectedBranch struct
+type ProtectedBranch struct {
+ ID int64 `xorm:"pk autoincr"`
+ RepoID int64 `xorm:"UNIQUE(s)"`
+ Repo *repo_model.Repository `xorm:"-"`
+ RuleName string `xorm:"'branch_name' UNIQUE(s)"` // a branch name or a glob match to branch name
+ globRule glob.Glob `xorm:"-"`
+ isPlainName bool `xorm:"-"`
+ CanPush bool `xorm:"NOT NULL DEFAULT false"`
+ EnableWhitelist bool
+ WhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+ WhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+ EnableMergeWhitelist bool `xorm:"NOT NULL DEFAULT false"`
+ WhitelistDeployKeys bool `xorm:"NOT NULL DEFAULT false"`
+ MergeWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+ MergeWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+ EnableStatusCheck bool `xorm:"NOT NULL DEFAULT false"`
+ StatusCheckContexts []string `xorm:"JSON TEXT"`
+ EnableApprovalsWhitelist bool `xorm:"NOT NULL DEFAULT false"`
+ ApprovalsWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+ ApprovalsWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+ RequiredApprovals int64 `xorm:"NOT NULL DEFAULT 0"`
+ BlockOnRejectedReviews bool `xorm:"NOT NULL DEFAULT false"`
+ BlockOnOfficialReviewRequests bool `xorm:"NOT NULL DEFAULT false"`
+ BlockOnOutdatedBranch bool `xorm:"NOT NULL DEFAULT false"`
+ DismissStaleApprovals bool `xorm:"NOT NULL DEFAULT false"`
+ RequireSignedCommits bool `xorm:"NOT NULL DEFAULT false"`
+ ProtectedFilePatterns string `xorm:"TEXT"`
+ UnprotectedFilePatterns string `xorm:"TEXT"`
+
+ CreatedUnix timeutil.TimeStamp `xorm:"created"`
+ UpdatedUnix timeutil.TimeStamp `xorm:"updated"`
+}
+
+func init() {
+ db.RegisterModel(new(ProtectedBranch))
+}
+
+// IsRuleNameSpecial return true if it contains special character
+func IsRuleNameSpecial(ruleName string) bool {
+ for i := 0; i < len(ruleName); i++ {
+ if syntax.Special(ruleName[i]) {
+ return true
+ }
+ }
+ return false
+}
+
+func (protectBranch *ProtectedBranch) loadGlob() {
+ if protectBranch.globRule == nil {
+ var err error
+ protectBranch.globRule, err = glob.Compile(protectBranch.RuleName, '/')
+ if err != nil {
+ log.Warn("Invalid glob rule for ProtectedBranch[%d]: %s %v", protectBranch.ID, protectBranch.RuleName, err)
+ protectBranch.globRule = glob.MustCompile(glob.QuoteMeta(protectBranch.RuleName), '/')
+ }
+ protectBranch.isPlainName = !IsRuleNameSpecial(protectBranch.RuleName)
+ }
+}
+
+// Match tests if branchName matches the rule
+func (protectBranch *ProtectedBranch) Match(branchName string) bool {
+ protectBranch.loadGlob()
+ if protectBranch.isPlainName {
+ return strings.EqualFold(protectBranch.RuleName, branchName)
+ }
+
+ return protectBranch.globRule.Match(branchName)
+}
+
+func (protectBranch *ProtectedBranch) LoadRepo(ctx context.Context) (err error) {
+ if protectBranch.Repo != nil {
+ return nil
+ }
+ protectBranch.Repo, err = repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
+ return err
+}
+
+// CanUserPush returns if some user could push to this protected branch
+func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, user *user_model.User) bool {
+ if !protectBranch.CanPush {
+ return false
+ }
+
+ if !protectBranch.EnableWhitelist {
+ if err := protectBranch.LoadRepo(ctx); err != nil {
+ log.Error("LoadRepo: %v", err)
+ return false
+ }
+
+ writeAccess, err := access_model.HasAccessUnit(ctx, user, protectBranch.Repo, unit.TypeCode, perm.AccessModeWrite)
+ if err != nil {
+ log.Error("HasAccessUnit: %v", err)
+ return false
+ }
+ return writeAccess
+ }
+
+ if base.Int64sContains(protectBranch.WhitelistUserIDs, user.ID) {
+ return true
+ }
+
+ if len(protectBranch.WhitelistTeamIDs) == 0 {
+ return false
+ }
+
+ in, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.WhitelistTeamIDs)
+ if err != nil {
+ log.Error("IsUserInTeams: %v", err)
+ return false
+ }
+ return in
+}
+
+// IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch
+func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {
+ if !protectBranch.EnableMergeWhitelist {
+ // Then we need to fall back on whether the user has write permission
+ return permissionInRepo.CanWrite(unit.TypeCode)
+ }
+
+ if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {
+ return true
+ }
+
+ if len(protectBranch.MergeWhitelistTeamIDs) == 0 {
+ return false
+ }
+
+ in, err := organization.IsUserInTeams(ctx, userID, protectBranch.MergeWhitelistTeamIDs)
+ if err != nil {
+ log.Error("IsUserInTeams: %v", err)
+ return false
+ }
+ return in
+}
+
+// IsUserOfficialReviewer check if user is official reviewer for the branch (counts towards required approvals)
+func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch, user *user_model.User) (bool, error) {
+ repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)
+ if err != nil {
+ return false, err
+ }
+
+ if !protectBranch.EnableApprovalsWhitelist {
+ // Anyone with write access is considered official reviewer
+ writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)
+ if err != nil {
+ return false, err
+ }
+ return writeAccess, nil
+ }
+
+ if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {
+ return true, nil
+ }
+
+ inTeam, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.ApprovalsWhitelistTeamIDs)
+ if err != nil {
+ return false, err
+ }
+
+ return inTeam, nil
+}
+
+// GetProtectedFilePatterns parses a semicolon separated list of protected file patterns and returns a glob.Glob slice
+func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {
+ return getFilePatterns(protectBranch.ProtectedFilePatterns)
+}
+
+// GetUnprotectedFilePatterns parses a semicolon separated list of unprotected file patterns and returns a glob.Glob slice
+func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {
+ return getFilePatterns(protectBranch.UnprotectedFilePatterns)
+}
+
+func getFilePatterns(filePatterns string) []glob.Glob {
+ extarr := make([]glob.Glob, 0, 10)
+ for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {
+ expr = strings.TrimSpace(expr)
+ if expr != "" {
+ if g, err := glob.Compile(expr, '.', '/'); err != nil {
+ log.Info("Invalid glob expression '%s' (skipped): %v", expr, err)
+ } else {
+ extarr = append(extarr, g)
+ }
+ }
+ }
+ return extarr
+}
+
+// MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change
+func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(changedProtectedFiles []string) bool {
+ glob := protectBranch.GetProtectedFilePatterns()
+ if len(glob) == 0 {
+ return false
+ }
+
+ return len(changedProtectedFiles) > 0
+}
+
+// IsProtectedFile return if path is protected
+func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {
+ if len(patterns) == 0 {
+ patterns = protectBranch.GetProtectedFilePatterns()
+ if len(patterns) == 0 {
+ return false
+ }
+ }
+
+ lpath := strings.ToLower(strings.TrimSpace(path))
+
+ r := false
+ for _, pat := range patterns {
+ if pat.Match(lpath) {
+ r = true
+ break
+ }
+ }
+
+ return r
+}
+
+// IsUnprotectedFile return if path is unprotected
+func (protectBranch *ProtectedBranch) IsUnprotectedFile(patterns []glob.Glob, path string) bool {
+ if len(patterns) == 0 {
+ patterns = protectBranch.GetUnprotectedFilePatterns()
+ if len(patterns) == 0 {
+ return false
+ }
+ }
+
+ lpath := strings.ToLower(strings.TrimSpace(path))
+
+ r := false
+ for _, pat := range patterns {
+ if pat.Match(lpath) {
+ r = true
+ break
+ }
+ }
+
+ return r
+}
+
+// GetProtectedBranchRuleByName getting protected branch rule by name
+func GetProtectedBranchRuleByName(ctx context.Context, repoID int64, ruleName string) (*ProtectedBranch, error) {
+ rel := &ProtectedBranch{RepoID: repoID, RuleName: ruleName}
+ has, err := db.GetByBean(ctx, rel)
+ if err != nil {
+ return nil, err
+ }
+ if !has {
+ return nil, nil
+ }
+ return rel, nil
+}
+
+// GetProtectedBranchRuleByID getting protected branch rule by rule ID
+func GetProtectedBranchRuleByID(ctx context.Context, repoID, ruleID int64) (*ProtectedBranch, error) {
+ rel := &ProtectedBranch{ID: ruleID, RepoID: repoID}
+ has, err := db.GetByBean(ctx, rel)
+ if err != nil {
+ return nil, err
+ }
+ if !has {
+ return nil, nil
+ }
+ return rel, nil
+}
+
+// WhitelistOptions represent all sorts of whitelists used for protected branches
+type WhitelistOptions struct {
+ UserIDs []int64
+ TeamIDs []int64
+
+ MergeUserIDs []int64
+ MergeTeamIDs []int64
+
+ ApprovalsUserIDs []int64
+ ApprovalsTeamIDs []int64
+}
+
+// UpdateProtectBranch saves branch protection options of repository.
+// If ID is 0, it creates a new record. Otherwise, updates existing record.
+// This function also performs check if whitelist user and team's IDs have been changed
+// to avoid unnecessary whitelist delete and regenerate.
+func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
+ if err = repo.GetOwner(ctx); err != nil {
+ return fmt.Errorf("GetOwner: %v", err)
+ }
+
+ whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.WhitelistUserIDs = whitelist
+
+ whitelist, err = updateUserWhitelist(ctx, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.MergeWhitelistUserIDs = whitelist
+
+ whitelist, err = updateApprovalWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.ApprovalsWhitelistUserIDs = whitelist
+
+ // if the repo is in an organization
+ whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.WhitelistTeamIDs = whitelist
+
+ whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.MergeWhitelistTeamIDs = whitelist
+
+ whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
+ if err != nil {
+ return err
+ }
+ protectBranch.ApprovalsWhitelistTeamIDs = whitelist
+
+ // Make sure protectBranch.ID is not 0 for whitelists
+ if protectBranch.ID == 0 {
+ if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {
+ return fmt.Errorf("Insert: %v", err)
+ }
+ return nil
+ }
+
+ if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {
+ return fmt.Errorf("Update: %v", err)
+ }
+
+ return nil
+}
+
+// updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with
+// the users from newWhitelist which have explicit read or write access to the repo.
+func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+ hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
+ if !hasUsersChanged {
+ return currentWhitelist, nil
+ }
+
+ whitelist = make([]int64, 0, len(newWhitelist))
+ for _, userID := range newWhitelist {
+ if reader, err := access_model.IsRepoReader(ctx, repo, userID); err != nil {
+ return nil, err
+ } else if !reader {
+ continue
+ }
+ whitelist = append(whitelist, userID)
+ }
+
+ return whitelist, err
+}
+
+// updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with
+// the users from newWhitelist which have write access to the repo.
+func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+ hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
+ if !hasUsersChanged {
+ return currentWhitelist, nil
+ }
+
+ whitelist = make([]int64, 0, len(newWhitelist))
+ for _, userID := range newWhitelist {
+ user, err := user_model.GetUserByID(ctx, userID)
+ if err != nil {
+ return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+ }
+ perm, err := access_model.GetUserRepoPermission(ctx, repo, user)
+ if err != nil {
+ return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+ }
+
+ if !perm.CanWrite(unit.TypeCode) {
+ continue // Drop invalid user ID
+ }
+
+ whitelist = append(whitelist, userID)
+ }
+
+ return whitelist, err
+}
+
+// updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with
+// the teams from newWhitelist which have write access to the repo.
+func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {
+ hasTeamsChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)
+ if !hasTeamsChanged {
+ return currentWhitelist, nil
+ }
+
+ teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)
+ if err != nil {
+ return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
+ }
+
+ whitelist = make([]int64, 0, len(teams))
+ for i := range teams {
+ if util.SliceContains(newWhitelist, teams[i].ID) {
+ whitelist = append(whitelist, teams[i].ID)
+ }
+ }
+
+ return whitelist, err
+}
+
+// DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.
+func DeleteProtectedBranch(ctx context.Context, repoID, id int64) (err error) {
+ protectedBranch := &ProtectedBranch{
+ RepoID: repoID,
+ ID: id,
+ }
+
+ if affected, err := db.GetEngine(ctx).Delete(protectedBranch); err != nil {
+ return err
+ } else if affected != 1 {
+ return fmt.Errorf("delete protected branch ID(%v) failed", id)
+ }
+
+ return nil
+}
+
+// RemoveUserIDFromProtectedBranch remove all user ids from protected branch options
+func RemoveUserIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, userID int64) error {
+ lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistUserIDs), len(p.ApprovalsWhitelistUserIDs), len(p.MergeWhitelistUserIDs)
+ p.WhitelistUserIDs = util.SliceRemoveAll(p.WhitelistUserIDs, userID)
+ p.ApprovalsWhitelistUserIDs = util.SliceRemoveAll(p.ApprovalsWhitelistUserIDs, userID)
+ p.MergeWhitelistUserIDs = util.SliceRemoveAll(p.MergeWhitelistUserIDs, userID)
+
+ if lenIDs != len(p.WhitelistUserIDs) || lenApprovalIDs != len(p.ApprovalsWhitelistUserIDs) ||
+ lenMergeIDs != len(p.MergeWhitelistUserIDs) {
+ if _, err := db.GetEngine(ctx).ID(p.ID).Cols(
+ "whitelist_user_i_ds",
+ "merge_whitelist_user_i_ds",
+ "approvals_whitelist_user_i_ds",
+ ).Update(p); err != nil {
+ return fmt.Errorf("updateProtectedBranches: %v", err)
+ }
+ }
+ return nil
+}
+
+// RemoveTeamIDFromProtectedBranch remove all team ids from protected branch options
+func RemoveTeamIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, teamID int64) error {
+ lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistTeamIDs), len(p.ApprovalsWhitelistTeamIDs), len(p.MergeWhitelistTeamIDs)
+ p.WhitelistTeamIDs = util.SliceRemoveAll(p.WhitelistTeamIDs, teamID)
+ p.ApprovalsWhitelistTeamIDs = util.SliceRemoveAll(p.ApprovalsWhitelistTeamIDs, teamID)
+ p.MergeWhitelistTeamIDs = util.SliceRemoveAll(p.MergeWhitelistTeamIDs, teamID)
+
+ if lenIDs != len(p.WhitelistTeamIDs) ||
+ lenApprovalIDs != len(p.ApprovalsWhitelistTeamIDs) ||
+ lenMergeIDs != len(p.MergeWhitelistTeamIDs) {
+ if _, err := db.GetEngine(ctx).ID(p.ID).Cols(
+ "whitelist_team_i_ds",
+ "merge_whitelist_team_i_ds",
+ "approvals_whitelist_team_i_ds",
+ ).Update(p); err != nil {
+ return fmt.Errorf("updateProtectedBranches: %v", err)
+ }
+ }
+ return nil
+}
diff --git a/models/git/protected_branch_list.go b/models/git/protected_branch_list.go
new file mode 100644
index 0000000000..99c433aa00
--- /dev/null
+++ b/models/git/protected_branch_list.go
@@ -0,0 +1,86 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+ "context"
+ "sort"
+
+ "code.gitea.io/gitea/models/db"
+ "code.gitea.io/gitea/modules/git"
+
+ "github.com/gobwas/glob"
+)
+
+type ProtectedBranchRules []*ProtectedBranch
+
+func (rules ProtectedBranchRules) GetFirstMatched(branchName string) *ProtectedBranch {
+ for _, rule := range rules {
+ if rule.Match(branchName) {
+ return rule
+ }
+ }
+ return nil
+}
+
+func (rules ProtectedBranchRules) sort() {
+ sort.Slice(rules, func(i, j int) bool {
+ rules[i].loadGlob()
+ rules[j].loadGlob()
+ if rules[i].isPlainName {
+ if !rules[j].isPlainName {
+ return true
+ }
+ } else if rules[j].isPlainName {
+ return true
+ }
+ return rules[i].CreatedUnix < rules[j].CreatedUnix
+ })
+}
+
+// FindRepoProtectedBranchRules load all repository's protected rules
+func FindRepoProtectedBranchRules(ctx context.Context, repoID int64) (ProtectedBranchRules, error) {
+ var rules ProtectedBranchRules
+ err := db.GetEngine(ctx).Where("repo_id = ?", repoID).Asc("created_unix").Find(&rules)
+ if err != nil {
+ return nil, err
+ }
+ rules.sort()
+ return rules, nil
+}
+
+// FindAllMatchedBranches find all matched branches
+func FindAllMatchedBranches(ctx context.Context, gitRepo *git.Repository, ruleName string) ([]string, error) {
+ // FIXME: how many should we get?
+ branches, _, err := gitRepo.GetBranchNames(0, 9999999)
+ if err != nil {
+ return nil, err
+ }
+ rule := glob.MustCompile(ruleName)
+ results := make([]string, 0, len(branches))
+ for _, branch := range branches {
+ if rule.Match(branch) {
+ results = append(results, branch)
+ }
+ }
+ return results, nil
+}
+
+// GetFirstMatchProtectedBranchRule returns the first matched rules
+func GetFirstMatchProtectedBranchRule(ctx context.Context, repoID int64, branchName string) (*ProtectedBranch, error) {
+ rules, err := FindRepoProtectedBranchRules(ctx, repoID)
+ if err != nil {
+ return nil, err
+ }
+ return rules.GetFirstMatched(branchName), nil
+}
+
+// IsBranchProtected checks if branch is protected
+func IsBranchProtected(ctx context.Context, repoID int64, branchName string) (bool, error) {
+ rule, err := GetFirstMatchProtectedBranchRule(ctx, repoID, branchName)
+ if err != nil {
+ return false, err
+ }
+ return rule != nil, nil
+}
diff --git a/models/git/protected_branch_test.go b/models/git/protected_branch_test.go
new file mode 100644
index 0000000000..1962859a8c
--- /dev/null
+++ b/models/git/protected_branch_test.go
@@ -0,0 +1,78 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+ "fmt"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestBranchRuleMatch(t *testing.T) {
+ kases := []struct {
+ Rule string
+ BranchName string
+ ExpectedMatch bool
+ }{
+ {
+ Rule: "release/*",
+ BranchName: "release/v1.17",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "release/**/v1.17",
+ BranchName: "release/test/v1.17",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "release/**/v1.17",
+ BranchName: "release/test/1/v1.17",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "release/*/v1.17",
+ BranchName: "release/test/1/v1.17",
+ ExpectedMatch: false,
+ },
+ {
+ Rule: "release/v*",
+ BranchName: "release/v1.16",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "*",
+ BranchName: "release/v1.16",
+ ExpectedMatch: false,
+ },
+ {
+ Rule: "**",
+ BranchName: "release/v1.16",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "main",
+ BranchName: "main",
+ ExpectedMatch: true,
+ },
+ {
+ Rule: "master",
+ BranchName: "main",
+ ExpectedMatch: false,
+ },
+ }
+
+ for _, kase := range kases {
+ pb := ProtectedBranch{RuleName: kase.Rule}
+ var should, infact string
+ if !kase.ExpectedMatch {
+ should = " not"
+ } else {
+ infact = " not"
+ }
+ assert.EqualValues(t, kase.ExpectedMatch, pb.Match(kase.BranchName),
+ fmt.Sprintf("%s should%s match %s but it is%s", kase.BranchName, should, kase.Rule, infact),
+ )
+ }
+}
diff --git a/models/issues/pull.go b/models/issues/pull.go
index 7af9400d17..93b227f3fd 100644
--- a/models/issues/pull.go
+++ b/models/issues/pull.go
@@ -164,9 +164,8 @@ type PullRequest struct {
HeadBranch string
HeadCommitID string `xorm:"-"`
BaseBranch string
- ProtectedBranch *git_model.ProtectedBranch `xorm:"-"`
- MergeBase string `xorm:"VARCHAR(40)"`
- AllowMaintainerEdit bool `xorm:"NOT NULL DEFAULT false"`
+ MergeBase string `xorm:"VARCHAR(40)"`
+ AllowMaintainerEdit bool `xorm:"NOT NULL DEFAULT false"`
HasMerged bool `xorm:"INDEX"`
MergedCommitID string `xorm:"VARCHAR(40)"`
@@ -293,23 +292,6 @@ func (pr *PullRequest) LoadIssue(ctx context.Context) (err error) {
return err
}
-// LoadProtectedBranch loads the protected branch of the base branch
-func (pr *PullRequest) LoadProtectedBranch(ctx context.Context) (err error) {
- if pr.ProtectedBranch == nil {
- if pr.BaseRepo == nil {
- if pr.BaseRepoID == 0 {
- return nil
- }
- pr.BaseRepo, err = repo_model.GetRepositoryByID(ctx, pr.BaseRepoID)
- if err != nil {
- return
- }
- }
- pr.ProtectedBranch, err = git_model.GetProtectedBranchBy(ctx, pr.BaseRepo.ID, pr.BaseBranch)
- }
- return err
-}
-
// ReviewCount represents a count of Reviews
type ReviewCount struct {
IssueID int64
diff --git a/models/issues/review.go b/models/issues/review.go
index ae4029e80f..d8e517ad3c 100644
--- a/models/issues/review.go
+++ b/models/issues/review.go
@@ -263,15 +263,17 @@ func IsOfficialReviewer(ctx context.Context, issue *Issue, reviewers ...*user_mo
if err != nil {
return false, err
}
- if err = pr.LoadProtectedBranch(ctx); err != nil {
+
+ rule, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pr.BaseRepoID, pr.BaseBranch)
+ if err != nil {
return false, err
}
- if pr.ProtectedBranch == nil {
+ if rule == nil {
return false, nil
}
for _, reviewer := range reviewers {
- official, err := git_model.IsUserOfficialReviewer(ctx, pr.ProtectedBranch, reviewer)
+ official, err := git_model.IsUserOfficialReviewer(ctx, rule, reviewer)
if official || err != nil {
return official, err
}
@@ -286,18 +288,19 @@ func IsOfficialReviewerTeam(ctx context.Context, issue *Issue, team *organizatio
if err != nil {
return false, err
}
- if err = pr.LoadProtectedBranch(ctx); err != nil {
+ pb, err := git_model.GetFirstMatchProtectedBranchRule(ctx, pr.BaseRepoID, pr.BaseBranch)
+ if err != nil {
return false, err
}
- if pr.ProtectedBranch == nil {
+ if pb == nil {
return false, nil
}
- if !pr.ProtectedBranch.EnableApprovalsWhitelist {
+ if !pb.EnableApprovalsWhitelist {
return team.UnitAccessMode(ctx, unit.TypeCode) >= perm.AccessModeWrite, nil
}
- return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil
+ return base.Int64sContains(pb.ApprovalsWhitelistTeamIDs, team.ID), nil
}
// CreateReview creates a new review based on opts
diff --git a/models/org_team.go b/models/org_team.go
index 2bbf1d8d8c..be3b63b52e 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -378,7 +378,6 @@ func DeleteTeam(t *organization.Team) error {
return err
}
defer committer.Close()
- sess := db.GetEngine(ctx)
if err := t.LoadRepositories(ctx); err != nil {
return err
@@ -391,27 +390,15 @@ func DeleteTeam(t *organization.Team) error {
// update branch protections
{
protections := make([]*git_model.ProtectedBranch, 0, 10)
- err := sess.In("repo_id",
+ err := db.GetEngine(ctx).In("repo_id",
builder.Select("id").From("repository").Where(builder.Eq{"owner_id": t.OrgID})).
Find(&protections)
if err != nil {
return fmt.Errorf("findProtectedBranches: %w", err)
}
for _, p := range protections {
- lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistTeamIDs), len(p.ApprovalsWhitelistTeamIDs), len(p.MergeWhitelistTeamIDs)
- p.WhitelistTeamIDs = util.SliceRemoveAll(p.WhitelistTeamIDs, t.ID)
- p.ApprovalsWhitelistTeamIDs = util.SliceRemoveAll(p.ApprovalsWhitelistTeamIDs, t.ID)
- p.MergeWhitelistTeamIDs = util.SliceRemoveAll(p.MergeWhitelistTeamIDs, t.ID)
- if lenIDs != len(p.WhitelistTeamIDs) ||
- lenApprovalIDs != len(p.ApprovalsWhitelistTeamIDs) ||
- lenMergeIDs != len(p.MergeWhitelistTeamIDs) {
- if _, err = sess.ID(p.ID).Cols(
- "whitelist_team_i_ds",
- "merge_whitelist_team_i_ds",
- "approvals_whitelist_team_i_ds",
- ).Update(p); err != nil {
- return fmt.Errorf("updateProtectedBranches: %w", err)
- }
+ if err := git_model.RemoveTeamIDFromProtectedBranch(ctx, p, t.ID); err != nil {
+ return err
}
}
}
@@ -432,7 +419,7 @@ func DeleteTeam(t *organization.Team) error {
}
// Update organization number of teams.
- if _, err := sess.Exec("UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID); err != nil {
+ if _, err := db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID); err != nil {
return err
}
diff --git a/models/user.go b/models/user.go
index 10282d0db4..746553c35b 100644
--- a/models/user.go
+++ b/models/user.go
@@ -23,7 +23,6 @@ import (
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
- "code.gitea.io/gitea/modules/util"
)
// DeleteUser deletes models associated to an user.
@@ -141,20 +140,8 @@ func DeleteUser(ctx context.Context, u *user_model.User, purge bool) (err error)
break
}
for _, p := range protections {
- lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistUserIDs), len(p.ApprovalsWhitelistUserIDs), len(p.MergeWhitelistUserIDs)
- p.WhitelistUserIDs = util.SliceRemoveAll(p.WhitelistUserIDs, u.ID)
- p.ApprovalsWhitelistUserIDs = util.SliceRemoveAll(p.ApprovalsWhitelistUserIDs, u.ID)
- p.MergeWhitelistUserIDs = util.SliceRemoveAll(p.MergeWhitelistUserIDs, u.ID)
- if lenIDs != len(p.WhitelistUserIDs) ||
- lenApprovalIDs != len(p.ApprovalsWhitelistUserIDs) ||
- lenMergeIDs != len(p.MergeWhitelistUserIDs) {
- if _, err = e.ID(p.ID).Cols(
- "whitelist_user_i_ds",
- "merge_whitelist_user_i_ds",
- "approvals_whitelist_user_i_ds",
- ).Update(p); err != nil {
- return fmt.Errorf("updateProtectedBranches: %w", err)
- }
+ if err := git_model.RemoveUserIDFromProtectedBranch(ctx, p, u.ID); err != nil {
+ return err
}
}
}