4 files changed, 120 insertions, 190 deletions

diff --git a/services/org/team.go b/services/org/team.go
index ee3bd898ea..773bd11f49 100644
--- a/services/org/team.go
+++ b/services/org/team.go
@@ -54,39 +54,33 @@ func NewTeam(ctx context.Context, t *organization.Team) (err error) {
 		return organization.ErrTeamAlreadyExist{OrgID: t.OrgID, Name: t.LowerName}
 	}
 
-	ctx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	if err = db.Insert(ctx, t); err != nil {
-		return err
-	}
-
-	// insert units for team
-	if len(t.Units) > 0 {
-		for _, unit := range t.Units {
-			unit.TeamID = t.ID
-		}
-		if err = db.Insert(ctx, &t.Units); err != nil {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if err = db.Insert(ctx, t); err != nil {
 			return err
 		}
-	}
 
-	// Add all repositories to the team if it has access to all of them.
-	if t.IncludesAllRepositories {
-		err = repo_service.AddAllRepositoriesToTeam(ctx, t)
-		if err != nil {
-			return fmt.Errorf("addAllRepositories: %w", err)
+		// insert units for team
+		if len(t.Units) > 0 {
+			for _, unit := range t.Units {
+				unit.TeamID = t.ID
+			}
+			if err = db.Insert(ctx, &t.Units); err != nil {
+				return err
+			}
+		}
+
+		// Add all repositories to the team if it has access to all of them.
+		if t.IncludesAllRepositories {
+			err = repo_service.AddAllRepositoriesToTeam(ctx, t)
+			if err != nil {
+				return fmt.Errorf("addAllRepositories: %w", err)
+			}
 		}
-	}
 
-	// Update organization number of teams.
-	if _, err = db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams+1 WHERE id = ?", t.OrgID); err != nil {
+		// Update organization number of teams.
+		_, err = db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams+1 WHERE id = ?", t.OrgID)
 		return err
-	}
-	return committer.Commit()
+	})
 }
 
 // UpdateTeam updates information of team.
@@ -99,128 +93,117 @@ func UpdateTeam(ctx context.Context, t *organization.Team, authChanged, includeA
 		t.Description = t.Description[:255]
 	}
 
-	ctx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	t.LowerName = strings.ToLower(t.Name)
-	has, err := db.Exist[organization.Team](ctx, builder.Eq{
-		"org_id":     t.OrgID,
-		"lower_name": t.LowerName,
-	}.And(builder.Neq{"id": t.ID}),
-	)
-	if err != nil {
-		return err
-	} else if has {
-		return organization.ErrTeamAlreadyExist{OrgID: t.OrgID, Name: t.LowerName}
-	}
-
-	sess := db.GetEngine(ctx)
-	if _, err = sess.ID(t.ID).Cols("name", "lower_name", "description",
-		"can_create_org_repo", "authorize", "includes_all_repositories").Update(t); err != nil {
-		return fmt.Errorf("update: %w", err)
-	}
-
-	// update units for team
-	if len(t.Units) > 0 {
-		for _, unit := range t.Units {
-			unit.TeamID = t.ID
-		}
-		// Delete team-unit.
-		if _, err := sess.
-			Where("team_id=?", t.ID).
-			Delete(new(organization.TeamUnit)); err != nil {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		t.LowerName = strings.ToLower(t.Name)
+		has, err := db.Exist[organization.Team](ctx, builder.Eq{
+			"org_id":     t.OrgID,
+			"lower_name": t.LowerName,
+		}.And(builder.Neq{"id": t.ID}),
+		)
+		if err != nil {
 			return err
+		} else if has {
+			return organization.ErrTeamAlreadyExist{OrgID: t.OrgID, Name: t.LowerName}
 		}
-		if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil {
-			return err
+
+		sess := db.GetEngine(ctx)
+		if _, err = sess.ID(t.ID).Cols("name", "lower_name", "description",
+			"can_create_org_repo", "authorize", "includes_all_repositories").Update(t); err != nil {
+			return fmt.Errorf("update: %w", err)
 		}
-	}
 
-	// Update access for team members if needed.
-	if authChanged {
-		repos, err := repo_model.GetTeamRepositories(ctx, &repo_model.SearchTeamRepoOptions{
-			TeamID: t.ID,
-		})
-		if err != nil {
-			return fmt.Errorf("GetTeamRepositories: %w", err)
+		// update units for team
+		if len(t.Units) > 0 {
+			for _, unit := range t.Units {
+				unit.TeamID = t.ID
+			}
+			// Delete team-unit.
+			if _, err := sess.
+				Where("team_id=?", t.ID).
+				Delete(new(organization.TeamUnit)); err != nil {
+				return err
+			}
+			if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil {
+				return err
+			}
 		}
 
-		for _, repo := range repos {
-			if err = access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil {
-				return fmt.Errorf("recalculateTeamAccesses: %w", err)
+		// Update access for team members if needed.
+		if authChanged {
+			repos, err := repo_model.GetTeamRepositories(ctx, &repo_model.SearchTeamRepoOptions{
+				TeamID: t.ID,
+			})
+			if err != nil {
+				return fmt.Errorf("GetTeamRepositories: %w", err)
+			}
+
+			for _, repo := range repos {
+				if err = access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil {
+					return fmt.Errorf("recalculateTeamAccesses: %w", err)
+				}
 			}
 		}
-	}
 
-	// Add all repositories to the team if it has access to all of them.
-	if includeAllChanged && t.IncludesAllRepositories {
-		err = repo_service.AddAllRepositoriesToTeam(ctx, t)
-		if err != nil {
-			return fmt.Errorf("addAllRepositories: %w", err)
+		// Add all repositories to the team if it has access to all of them.
+		if includeAllChanged && t.IncludesAllRepositories {
+			err = repo_service.AddAllRepositoriesToTeam(ctx, t)
+			if err != nil {
+				return fmt.Errorf("addAllRepositories: %w", err)
+			}
 		}
-	}
 
-	return committer.Commit()
+		return nil
+	})
 }
 
 // DeleteTeam deletes given team.
 // It's caller's responsibility to assign organization ID.
 func DeleteTeam(ctx context.Context, t *organization.Team) error {
-	ctx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-
-	if err := t.LoadMembers(ctx); err != nil {
-		return err
-	}
-
-	// update branch protections
-	{
-		protections := make([]*git_model.ProtectedBranch, 0, 10)
-		err := db.GetEngine(ctx).In("repo_id",
-			builder.Select("id").From("repository").Where(builder.Eq{"owner_id": t.OrgID})).
-			Find(&protections)
-		if err != nil {
-			return fmt.Errorf("findProtectedBranches: %w", err)
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if err := t.LoadMembers(ctx); err != nil {
+			return err
 		}
-		for _, p := range protections {
-			if err := git_model.RemoveTeamIDFromProtectedBranch(ctx, p, t.ID); err != nil {
-				return err
+
+		// update branch protections
+		{
+			protections := make([]*git_model.ProtectedBranch, 0, 10)
+			err := db.GetEngine(ctx).In("repo_id",
+				builder.Select("id").From("repository").Where(builder.Eq{"owner_id": t.OrgID})).
+				Find(&protections)
+			if err != nil {
+				return fmt.Errorf("findProtectedBranches: %w", err)
+			}
+			for _, p := range protections {
+				if err := git_model.RemoveTeamIDFromProtectedBranch(ctx, p, t.ID); err != nil {
+					return err
+				}
 			}
 		}
-	}
-
-	if err := repo_service.RemoveAllRepositoriesFromTeam(ctx, t); err != nil {
-		return err
-	}
 
-	if err := db.DeleteBeans(ctx,
-		&organization.Team{ID: t.ID},
-		&organization.TeamUser{OrgID: t.OrgID, TeamID: t.ID},
-		&organization.TeamUnit{TeamID: t.ID},
-		&organization.TeamInvite{TeamID: t.ID},
-		&issues_model.Review{Type: issues_model.ReviewTypeRequest, ReviewerTeamID: t.ID}, // batch delete the binding relationship between team and PR (request review from team)
-	); err != nil {
-		return err
-	}
+		if err := repo_service.RemoveAllRepositoriesFromTeam(ctx, t); err != nil {
+			return err
+		}
 
-	for _, tm := range t.Members {
-		if err := removeInvalidOrgUser(ctx, t.OrgID, tm); err != nil {
+		if err := db.DeleteBeans(ctx,
+			&organization.Team{ID: t.ID},
+			&organization.TeamUser{OrgID: t.OrgID, TeamID: t.ID},
+			&organization.TeamUnit{TeamID: t.ID},
+			&organization.TeamInvite{TeamID: t.ID},
+			&issues_model.Review{Type: issues_model.ReviewTypeRequest, ReviewerTeamID: t.ID}, // batch delete the binding relationship between team and PR (request review from team)
+		); err != nil {
 			return err
 		}
-	}
 
-	// Update organization number of teams.
-	if _, err := db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID); err != nil {
-		return err
-	}
+		for _, tm := range t.Members {
+			if err := removeInvalidOrgUser(ctx, t.OrgID, tm); err != nil {
+				return err
+			}
+		}
 
-	return committer.Commit()
+		// Update organization number of teams.
+		_, err := db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID)
+		return err
+	})
 }
 
 // AddTeamMember adds new membership of given team to given organization,
@@ -259,37 +242,6 @@ func AddTeamMember(ctx context.Context, team *organization.Team, user *user_mode
 		}
 
 		team.NumMembers++
-
-		// Give access to team repositories.
-		// update exist access if mode become bigger
-		subQuery := builder.Select("repo_id").From("team_repo").
-			Where(builder.Eq{"team_id": team.ID})
-
-		if _, err := sess.Where("user_id=?", user.ID).
-			In("repo_id", subQuery).
-			And("mode < ?", team.AccessMode).
-			SetExpr("mode", team.AccessMode).
-			Update(new(access_model.Access)); err != nil {
-			return fmt.Errorf("update user accesses: %w", err)
-		}
-
-		// for not exist access
-		var repoIDs []int64
-		accessSubQuery := builder.Select("repo_id").From("access").Where(builder.Eq{"user_id": user.ID})
-		if err := sess.SQL(subQuery.And(builder.NotIn("repo_id", accessSubQuery))).Find(&repoIDs); err != nil {
-			return fmt.Errorf("select id accesses: %w", err)
-		}
-
-		accesses := make([]*access_model.Access, 0, 100)
-		for i, repoID := range repoIDs {
-			accesses = append(accesses, &access_model.Access{RepoID: repoID, UserID: user.ID, Mode: team.AccessMode})
-			if (i%100 == 0 || i == len(repoIDs)-1) && len(accesses) > 0 {
-				if err = db.Insert(ctx, accesses); err != nil {
-					return fmt.Errorf("insert new user accesses: %w", err)
-				}
-				accesses = accesses[:0]
-			}
-		}
 		return nil
 	})
 	if err != nil {
@@ -394,13 +346,7 @@ func removeInvalidOrgUser(ctx context.Context, orgID int64, user *user_model.Use
 
 // RemoveTeamMember removes member from given team of given organization.
 func RemoveTeamMember(ctx context.Context, team *organization.Team, user *user_model.User) error {
-	ctx, committer, err := db.TxContext(ctx)
-	if err != nil {
-		return err
-	}
-	defer committer.Close()
-	if err := removeTeamMember(ctx, team, user); err != nil {
-		return err
-	}
-	return committer.Commit()
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		return removeTeamMember(ctx, team, user)
+	})
 }
diff --git a/services/org/team_test.go b/services/org/team_test.go
index 3791776e46..c1a69d8ee7 100644
--- a/services/org/team_test.go
+++ b/services/org/team_test.go
@@ -88,7 +88,7 @@ func TestUpdateTeam(t *testing.T) {
 	assert.True(t, strings.HasPrefix(team.Description, "A long description!"))
 
 	access := unittest.AssertExistsAndLoadBean(t, &access_model.Access{UserID: 4, RepoID: 3})
-	assert.EqualValues(t, perm.AccessModeAdmin, access.Mode)
+	assert.Equal(t, perm.AccessModeAdmin, access.Mode)
 
 	unittest.CheckConsistencyFor(t, &organization.Team{ID: team.ID})
 }
@@ -166,24 +166,6 @@ func TestRemoveTeamMember(t *testing.T) {
 	assert.True(t, organization.IsErrLastOrgOwner(err))
 }
 
-func TestRepository_RecalculateAccesses3(t *testing.T) {
-	assert.NoError(t, unittest.PrepareTestDatabase())
-	team5 := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 5})
-	user29 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
-
-	has, err := db.GetEngine(db.DefaultContext).Get(&access_model.Access{UserID: user29.ID, RepoID: 23})
-	assert.NoError(t, err)
-	assert.False(t, has)
-
-	// adding user29 to team5 should add an explicit access row for repo 23
-	// even though repo 23 is public
-	assert.NoError(t, AddTeamMember(db.DefaultContext, team5, user29))
-
-	has, err = db.GetEngine(db.DefaultContext).Get(&access_model.Access{UserID: user29.ID, RepoID: 23})
-	assert.NoError(t, err)
-	assert.True(t, has)
-}
-
 func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
@@ -222,8 +204,9 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 
 	// Create repos.
 	repoIDs := make([]int64, 0)
-	for i := 0; i < 3; i++ {
-		r, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, org.AsUser(), repo_service.CreateRepoOptions{Name: fmt.Sprintf("repo-%d", i)})
+	for i := range 3 {
+		r, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, org.AsUser(),
+			repo_service.CreateRepoOptions{Name: fmt.Sprintf("repo-%d", i)}, true)
 		assert.NoError(t, err, "CreateRepository %d", i)
 		if r != nil {
 			repoIDs = append(repoIDs, r.ID)
@@ -285,7 +268,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	}
 
 	// Create repo and check teams repositories.
-	r, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, org.AsUser(), repo_service.CreateRepoOptions{Name: "repo-last"})
+	r, err := repo_service.CreateRepositoryDirectly(db.DefaultContext, user, org.AsUser(), repo_service.CreateRepoOptions{Name: "repo-last"}, true)
 	assert.NoError(t, err, "CreateRepository last")
 	if r != nil {
 		repoIDs = append(repoIDs, r.ID)
@@ -298,7 +281,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	}
 
 	// Remove repo and check teams repositories.
-	assert.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repoIDs[0]), "DeleteRepository")
+	assert.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, repoIDs[0]), "DeleteRepository")
 	teamRepos[0] = repoIDs[1:]
 	teamRepos[1] = repoIDs[1:]
 	teamRepos[3] = repoIDs[1:3]
@@ -310,7 +293,7 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 	// Wipe created items.
 	for i, rid := range repoIDs {
 		if i > 0 { // first repo already deleted.
-			assert.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, rid), "DeleteRepository %d", i)
+			assert.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, rid), "DeleteRepository %d", i)
 		}
 	}
 	assert.NoError(t, DeleteOrganization(db.DefaultContext, org, false), "DeleteOrganization")
diff --git a/services/org/user.go b/services/org/user.go
index 3565ecc2fc..26927253d2 100644
--- a/services/org/user.go
+++ b/services/org/user.go
@@ -64,10 +64,11 @@ func RemoveOrgUser(ctx context.Context, org *organization.Organization, user *us
 	if err != nil {
 		return fmt.Errorf("AccessibleReposEnv: %w", err)
 	}
-	repoIDs, err := env.RepoIDs(ctx, 1, org.NumRepos)
+	repoIDs, err := env.RepoIDs(ctx)
 	if err != nil {
 		return fmt.Errorf("GetUserRepositories [%d]: %w", user.ID, err)
 	}
+
 	for _, repoID := range repoIDs {
 		repo, err := repo_model.GetRepositoryByID(ctx, repoID)
 		if err != nil {
diff --git a/services/org/user_test.go b/services/org/user_test.go
index 96d1a1c8ca..c61d600d90 100644
--- a/services/org/user_test.go
+++ b/services/org/user_test.go
@@ -53,7 +53,7 @@ func TestRemoveOrgUser(t *testing.T) {
 		assert.NoError(t, RemoveOrgUser(db.DefaultContext, org, user))
 		unittest.AssertNotExistsBean(t, &organization.OrgUser{OrgID: org.ID, UID: user.ID})
 		org = unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: org.ID})
-		assert.EqualValues(t, expectedNumMembers, org.NumMembers)
+		assert.Equal(t, expectedNumMembers, org.NumMembers)
 	}
 
 	org3 := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})