Team permission allow different unit has different permission (#17811)

* Team permission allow different unit has different permission

* Finish the interface and the logic

* Fix lint

* Fix translation

* align center for table cell content

* Fix fixture

* merge

* Fix test

* Add deprecated

* Improve code

* Add tooltip

* Fix swagger

* Fix newline

* Fix tests

* Fix tests

* Fix test

* Fix test

* Max permission of external wiki and issues should be read

* Move team units with limited max level below units table

* Update label and column names

* Some improvements

* Fix lint

* Some improvements

* Fix template variables

* Add permission docs

* improve doc

* Fix fixture

* Fix bug

* Fix some bug

* fix

* gofumpt

* Integration test for migration (#18124)

integrations: basic test for Gitea {dump,restore}-repo
This is a first step for integration testing of DumpRepository and
RestoreRepository. It:

runs a Gitea server,
dumps a repo via DumpRepository to the filesystem,
restores the repo via RestoreRepository from the filesystem,
dumps the restored repository to the filesystem,
compares the first and second dump and expects them to be identical

The verification is trivial and the goal is to add more tests for each
topic of the dump.

Signed-off-by: Loïc Dachary <loic@dachary.org>

* Team permission allow different unit has different permission

* Finish the interface and the logic

* Fix lint

* Fix translation

* align center for table cell content

* Fix fixture

* merge

* Fix test

* Add deprecated

* Improve code

* Add tooltip

* Fix swagger

* Fix newline

* Fix tests

* Fix tests

* Fix test

* Fix test

* Max permission of external wiki and issues should be read

* Move team units with limited max level below units table

* Update label and column names

* Some improvements

* Fix lint

* Some improvements

* Fix template variables

* Add permission docs

* improve doc

* Fix fixture

* Fix bug

* Fix some bug

* Fix bug

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>

2 files changed, 122 insertions, 55 deletions

diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index d39125b050..cc7a63af33 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -6,6 +6,7 @@
 package org
 
 import (
+	"errors"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -50,7 +51,6 @@ func ListTeams(ctx *context.APIContext) {
 		ListOptions: utils.GetListOptions(ctx),
 		OrgID:       ctx.Org.Organization.ID,
 	})
-
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "LoadTeams", err)
 		return
@@ -112,6 +112,10 @@ func ListUserTeams(ctx *context.APIContext) {
 			apiOrg = convert.ToOrganization(org)
 			cache[teams[i].OrgID] = apiOrg
 		}
+		if err := teams[i].GetUnits(); err != nil {
+			ctx.Error(http.StatusInternalServerError, "teams[i].GetUnits()", err)
+			return
+		}
 		apiTeams[i] = convert.ToTeam(teams[i])
 		apiTeams[i].Organization = apiOrg
 	}
@@ -138,9 +142,45 @@ func GetTeam(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/Team"
 
+	if err := ctx.Org.Team.GetUnits(); err != nil {
+		ctx.Error(http.StatusInternalServerError, "team.GetUnits", err)
+		return
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToTeam(ctx.Org.Team))
 }
 
+func attachTeamUnits(team *models.Team, units []string) {
+	unitTypes := unit_model.FindUnitTypes(units...)
+	team.Units = make([]*models.TeamUnit, 0, len(units))
+	for _, tp := range unitTypes {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:      team.OrgID,
+			Type:       tp,
+			AccessMode: team.AccessMode,
+		})
+	}
+}
+
+func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]perm.AccessMode {
+	res := make(map[unit_model.Type]perm.AccessMode, len(unitsMap))
+	for unitKey, p := range unitsMap {
+		res[unit_model.TypeFromKey(unitKey)] = perm.ParseAccessMode(p)
+	}
+	return res
+}
+
+func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
+	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
+	for unitKey, p := range unitsMap {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:      team.OrgID,
+			Type:       unit_model.TypeFromKey(unitKey),
+			AccessMode: perm.ParseAccessMode(p),
+		})
+	}
+}
+
 // CreateTeam api for create a team
 func CreateTeam(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/teams organization orgCreateTeam
@@ -166,26 +206,28 @@ func CreateTeam(ctx *context.APIContext) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
+	p := perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
+		p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
+	}
 	team := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.Name,
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		AccessMode:              p,
 	}
 
-	unitTypes := unit_model.FindUnitTypes(form.Units...)
-
-	if team.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range unitTypes {
-			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
-			})
+	if team.AccessMode < perm.AccessModeAdmin {
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "getTeamUnits", errors.New("units permission should not be empty"))
+			return
 		}
-		team.Units = units
 	}
 
 	if err := models.NewTeam(team); err != nil {
@@ -224,7 +266,6 @@ func EditTeam(ctx *context.APIContext) {
 	//     "$ref": "#/responses/Team"
 
 	form := web.GetForm(ctx).(*api.EditTeamOption)
-
 	team := ctx.Org.Team
 	if err := team.GetUnits(); err != nil {
 		ctx.InternalServerError(err)
@@ -247,11 +288,14 @@ func EditTeam(ctx *context.APIContext) {
 	isIncludeAllChanged := false
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		p := perm.ParseAccessMode(form.Permission)
+		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
+			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
+		}
 
-		if team.Authorize != auth {
+		if team.AccessMode != p {
 			isAuthChanged = true
-			team.Authorize = auth
+			team.AccessMode = p
 		}
 
 		if form.IncludesAllRepositories != nil {
@@ -260,17 +304,11 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}
 
-	if team.Authorize < perm.AccessModeOwner {
-		if len(form.Units) > 0 {
-			var units = make([]*models.TeamUnit, 0, len(form.Units))
-			unitTypes := unit_model.FindUnitTypes(form.Units...)
-			for _, tp := range unitTypes {
-				units = append(units, &models.TeamUnit{
-					OrgID: ctx.Org.Team.OrgID,
-					Type:  tp,
-				})
-			}
-			team.Units = units
+	if team.AccessMode < perm.AccessModeAdmin {
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
 		}
 	}
 
@@ -706,5 +744,4 @@ func SearchTeam(ctx *context.APIContext) {
 		"ok":   true,
 		"data": apiTeams,
 	})
-
 }
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 40fba5cd09..732f24b22c 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 
 	"code.gitea.io/gitea/models"
@@ -224,35 +225,57 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }
 
+func getUnitPerms(forms url.Values) map[unit_model.Type]perm.AccessMode {
+	unitPerms := make(map[unit_model.Type]perm.AccessMode)
+	for k, v := range forms {
+		if strings.HasPrefix(k, "unit_") {
+			t, _ := strconv.Atoi(k[5:])
+			if t > 0 {
+				vv, _ := strconv.Atoi(v[0])
+				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
+			}
+		}
+	}
+	return unitPerms
+}
+
 // NewTeamPost response for create new team
 func NewTeamPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.CreateTeamForm)
-	ctx.Data["Title"] = ctx.Org.Organization.FullName
-	ctx.Data["PageIsOrgTeams"] = true
-	ctx.Data["PageIsOrgTeamsNew"] = true
-	ctx.Data["Units"] = unit_model.Units
-	var includesAllRepositories = form.RepoAccess == "all"
+	includesAllRepositories := form.RepoAccess == "all"
+	unitPerms := getUnitPerms(ctx.Req.Form)
+	p := perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeAdmin {
+		// if p is less than admin accessmode, then it should be general accessmode,
+		// so we should calculate the minial accessmode from units accessmodes.
+		p = unit_model.MinUnitAccessMode(unitPerms)
+	}
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		AccessMode:              p,
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}
 
-	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+	if t.AccessMode < perm.AccessModeAdmin {
+		units := make([]*models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
+				OrgID:      ctx.Org.Organization.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
 		t.Units = units
 	}
 
+	ctx.Data["Title"] = ctx.Org.Organization.FullName
+	ctx.Data["PageIsOrgTeams"] = true
+	ctx.Data["PageIsOrgTeamsNew"] = true
+	ctx.Data["Units"] = unit_model.Units
 	ctx.Data["Team"] = t
 
 	if ctx.HasError() {
@@ -260,7 +283,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@@ -317,22 +340,29 @@ func EditTeam(ctx *context.Context) {
 func EditTeamPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.CreateTeamForm)
 	t := ctx.Org.Team
+	unitPerms := getUnitPerms(ctx.Req.Form)
+	isAuthChanged := false
+	isIncludeAllChanged := false
+	includesAllRepositories := form.RepoAccess == "all"
+
 	ctx.Data["Title"] = ctx.Org.Organization.FullName
 	ctx.Data["PageIsOrgTeams"] = true
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	isAuthChanged := false
-	isIncludeAllChanged := false
-	var includesAllRepositories = form.RepoAccess == "all"
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		newAccessMode := perm.ParseAccessMode(form.Permission)
+		if newAccessMode < perm.AccessModeAdmin {
+			// if p is less than admin accessmode, then it should be general accessmode,
+			// so we should calculate the minial accessmode from units accessmodes.
+			newAccessMode = unit_model.MinUnitAccessMode(unitPerms)
+		}
 
 		t.Name = form.TeamName
-		if t.Authorize != auth {
+		if t.AccessMode != newAccessMode {
 			isAuthChanged = true
-			t.Authorize = auth
+			t.AccessMode = newAccessMode
 		}
 
 		if t.IncludesAllRepositories != includesAllRepositories {
@@ -341,17 +371,17 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+	if t.AccessMode < perm.AccessModeAdmin {
+		units := make([]models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
-				OrgID:  t.OrgID,
-				TeamID: t.ID,
-				Type:   tp,
+				OrgID:      t.OrgID,
+				TeamID:     t.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
-		err := models.UpdateTeamUnits(t, units)
-		if err != nil {
+		if err := models.UpdateTeamUnits(t, units); err != nil {
 			ctx.Error(http.StatusInternalServerError, "LoadIssue", err.Error())
 			return
 		}
@@ -363,7 +393,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}