authorGiteabot <teabot@gitea.io>2023-07-09 17:00:42 -0400
committerGitHub <noreply@github.com>2023-07-09 21:00:42 +0000
commit372b622c2b76d0fcc1fd5623f71bd48b086a03a3 (patch)
tree279ca0d8faec58b7adc441fe35ba3f1c52f6abea /modules
parent06bcdfe77a2cf6c1ab9dc3d75a60894ffd3abb68 (diff)
Revert package access change from #23879 (#25707) (#25785)
Backport #25707 by @KN4CK3R Fixes (?) #25538 Fixes https://codeberg.org/forgejo/forgejo/issues/972 Regression #23879 #23879 introduced a change which prevents read access to packages if a user is not a member of an organization. That PR also contained a change which disallows package access if the team unit is configured with "no access" for packages. I don't think this change makes sense (at the moment). It may be relevant for private orgs. But for public or limited orgs that's useless because an unauthorized user would have more access rights than the team member. This PR restores the old behaviour "If a user has read access for an owner, they can read packages". Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/package.go24
1 files changed, 17 insertions, 7 deletions
diff --git a/modules/context/package.go b/modules/context/package.go
index 8e80fa66ec..be50e0a991 100644
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -108,18 +108,28 @@ func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.A
if doer != nil && !doer.IsGhost() {
// 1. If user is logged in, check all team packages permissions
- teams, err := organization.GetUserOrgTeams(ctx, org.ID, doer.ID)
+ var err error
+ accessMode, err = org.GetOrgUserMaxAuthorizeLevel(doer.ID)
if err != nil {
return accessMode, err
}
- for _, t := range teams {
- perm := t.UnitAccessMode(ctx, unit.TypePackages)
- if accessMode < perm {
- accessMode = perm
+ // If access mode is less than write check every team for more permissions
+ // The minimum possible access mode is read for org members
+ if accessMode < perm.AccessModeWrite {
+ teams, err := organization.GetUserOrgTeams(ctx, org.ID, doer.ID)
+ if err != nil {
+ return accessMode, err
+ }
+ for _, t := range teams {
+ perm := t.UnitAccessMode(ctx, unit.TypePackages)
+ if accessMode < perm {
+ accessMode = perm
+ }
}
}
- } else if organization.HasOrgOrUserVisible(ctx, pkg.Owner, doer) {
- // 2. If user is non-login, check if org is visible to non-login user
+ }
+ if accessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, pkg.Owner, doer) {
+ // 2. If user is unauthorized or no org member, check if org is visible
accessMode = perm.AccessModeRead
}
} else {
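Review bot: Both error returns in the logged-in branch hand back `accessMode` together with `err`, and by that point `accessMode` may already hold a non-none value. The first return follows the assignment from `org.GetOrgUserMaxAuthorizeLevel(doer.ID)`, and the second follows a successful org-level lookup that, per the added comment, is at least read for org members. For a permission decision it is safer to fail closed with `return perm.AccessModeNone, err` at both sites, so a caller that mishandles the error cannot end up with a usable mode; whether any caller does so is not visible here. As a style point, the inner `teams, err :=` shadows the `err` declared just above and the loop variable `perm` shadows the `perm` package, so a name such as `teamMode` would make later edits inside the loop less error-prone. determineAccessMode starts before this hunk and continues past it.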