authoryp05327 <576951401@qq.com>2023-04-06 23:18:29 +0900
committerGitHub <noreply@github.com>2023-04-06 22:18:29 +0800
commitbbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0 (patch)
tree86f6b9e782874c8a88447f246ee6a9fbe2ee130d /modules
parent5cb394ff2fb93935b90493894b97371734f1384e (diff)
Improve permission check of packages (#23879)
Originally we had a single unified team unit permission, stored in the DB as `Team.Authorize`. Since https://github.com/go-gitea/gitea/pull/17811, however, different units can have different permissions. The old code was designed only for the old model, so after #17811, org users who had write permission on other units but no permission on packages could still get write permission on packages. Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/package.go28
1 files changed, 10 insertions, 18 deletions
diff --git a/modules/context/package.go b/modules/context/package.go
index 2a55db3a77..2a0159eb5c 100644
--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -92,33 +92,25 @@ func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
return perm.AccessModeNone, nil
}
+ // TODO: ActionUser permission check
accessMode := perm.AccessModeNone
if ctx.Package.Owner.IsOrganization() {
org := organization.OrgFromUser(ctx.Package.Owner)
- // 1. Get user max authorize level for the org (may be none, if user is not member of the org)
- if ctx.Doer != nil {
- var err error
- accessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
+ if ctx.Doer != nil && !ctx.Doer.IsGhost() {
+ // 1. If user is logged in, check all team packages permissions
+ teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
if err != nil {
return accessMode, err
}
- // If access mode is less than write check every team for more permissions
- if accessMode < perm.AccessModeWrite {
- teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
- if err != nil {
- return accessMode, err
- }
- for _, t := range teams {
- perm := t.UnitAccessMode(ctx, unit.TypePackages)
- if accessMode < perm {
- accessMode = perm
- }
+ for _, t := range teams {
+ perm := t.UnitAccessMode(ctx, unit.TypePackages)
+ if accessMode < perm {
+ accessMode = perm
}
}
- }
- // 2. If authorize level is none, check if org is visible to user
- if accessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+ } else if organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+ // 2. If user is non-login, check if org is visible to non-login user
accessMode = perm.AccessModeRead
}
} else {