authorLunny Xiao <xiaolunwen@gmail.com>2018-11-28 19:26:14 +0800
committerGitHub <noreply@github.com>2018-11-28 19:26:14 +0800
commiteabbddcd98717ef20d8475e819f403c50f4a9787 (patch)
treeefc525e7ec60d56d3bec72019febfa088a128b89 /routers/repo/http.go
parent0222623be9fa4a56d870213f77b92139cefc2518 (diff)
Restrict permission check on repositories and fix some problems (#5314)
* fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
Diffstat (limited to 'routers/repo/http.go')
-rw-r--r--routers/repo/http.go37
1 files changed, 10 insertions, 27 deletions
diff --git a/routers/repo/http.go b/routers/repo/http.go
index 5b469754ad..ec5fbe6c0d 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -182,36 +182,19 @@ func HTTP(ctx *context.Context) {
}
}
- if !isPublicPull {
- has, err := models.HasAccess(authUser.ID, repo, accessMode)
- if err != nil {
- ctx.ServerError("HasAccess", err)
- return
- } else if !has {
- if accessMode == models.AccessModeRead {
- has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
- if err != nil {
- ctx.ServerError("HasAccess2", err)
- return
- } else if !has {
- ctx.HandleText(http.StatusForbidden, "User permission denied")
- return
- }
- } else {
- ctx.HandleText(http.StatusForbidden, "User permission denied")
- return
- }
- }
+ perm, err := models.GetUserRepoPermission(repo, authUser)
+ if err != nil {
+ ctx.ServerError("GetUserRepoPermission", err)
+ return
+ }
- if !isPull && repo.IsMirror {
- ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
- return
- }
+ if !perm.CanAccess(accessMode, unitType) {
+ ctx.HandleText(http.StatusForbidden, "User permission denied")
+ return
}
- if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {
- ctx.HandleText(http.StatusForbidden, fmt.Sprintf("User %s does not have allowed access to repository %s 's code",
- authUser.Name, repo.RepoPath()))
+ if !isPull && repo.IsMirror {
+ ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
return
}
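Review bot: The new `models.GetUserRepoPermission(repo, authUser)` call is no longer guarded by the removed `if !isPublicPull {` wrapper, so it now runs on the public-pull path as well, where the old code never dereferenced `authUser`; if `authUser` can be unset there, confirm that `GetUserRepoPermission` and `perm.CanAccess` tolerate that rather than panicking on an anonymous clone. It is also worth documenting that one call now replaces three separate checks: `// CanAccess covers both the requested access mode and whether unitType is enabled for this user; the mirror check below only rejects pushes.` Note that `perm, err :=` may shadow an `err` declared earlier in HTTP, which starts and continues outside this hunk.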