mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14398 Commits
17 Branches
Tree: a1fcb1cfb8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a1fcb1cfb8'
${ noResults }
gitea/models/git/protected_branch.go

protected_branch.go 16KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501 
  1. // Copyright 2022 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package git

  5. 

  6. import (

  7. 	"context"

  8. 	"errors"

  9. 	"fmt"

  10. 	"strings"

  11. 

  12. 	"code.gitea.io/gitea/models/db"

  13. 	"code.gitea.io/gitea/models/organization"

  14. 	"code.gitea.io/gitea/models/perm"

  15. 	access_model "code.gitea.io/gitea/models/perm/access"

  16. 	repo_model "code.gitea.io/gitea/models/repo"

  17. 	"code.gitea.io/gitea/models/unit"

  18. 	user_model "code.gitea.io/gitea/models/user"

  19. 	"code.gitea.io/gitea/modules/base"

  20. 	"code.gitea.io/gitea/modules/log"

  21. 	"code.gitea.io/gitea/modules/timeutil"

  22. 	"code.gitea.io/gitea/modules/util"

  23. 

  24. 	"github.com/gobwas/glob"

  25. 	"github.com/gobwas/glob/syntax"

  26. )

  27. 

  28. var ErrBranchIsProtected = errors.New("branch is protected")

  29. 

  30. // ProtectedBranch struct

  31. type ProtectedBranch struct {

  32. 	ID                            int64                  `xorm:"pk autoincr"`

  33. 	RepoID                        int64                  `xorm:"UNIQUE(s)"`

  34. 	Repo                          *repo_model.Repository `xorm:"-"`

  35. 	RuleName                      string                 `xorm:"'branch_name' UNIQUE(s)"` // a branch name or a glob match to branch name

  36. 	globRule                      glob.Glob              `xorm:"-"`

  37. 	isPlainName                   bool                   `xorm:"-"`

  38. 	CanPush                       bool                   `xorm:"NOT NULL DEFAULT false"`

  39. 	EnableWhitelist               bool

  40. 	WhitelistUserIDs              []int64  `xorm:"JSON TEXT"`

  41. 	WhitelistTeamIDs              []int64  `xorm:"JSON TEXT"`

  42. 	EnableMergeWhitelist          bool     `xorm:"NOT NULL DEFAULT false"`

  43. 	WhitelistDeployKeys           bool     `xorm:"NOT NULL DEFAULT false"`

  44. 	MergeWhitelistUserIDs         []int64  `xorm:"JSON TEXT"`

  45. 	MergeWhitelistTeamIDs         []int64  `xorm:"JSON TEXT"`

  46. 	EnableStatusCheck             bool     `xorm:"NOT NULL DEFAULT false"`

  47. 	StatusCheckContexts           []string `xorm:"JSON TEXT"`

  48. 	EnableApprovalsWhitelist      bool     `xorm:"NOT NULL DEFAULT false"`

  49. 	ApprovalsWhitelistUserIDs     []int64  `xorm:"JSON TEXT"`

  50. 	ApprovalsWhitelistTeamIDs     []int64  `xorm:"JSON TEXT"`

  51. 	RequiredApprovals             int64    `xorm:"NOT NULL DEFAULT 0"`

  52. 	BlockOnRejectedReviews        bool     `xorm:"NOT NULL DEFAULT false"`

  53. 	BlockOnOfficialReviewRequests bool     `xorm:"NOT NULL DEFAULT false"`

  54. 	BlockOnOutdatedBranch         bool     `xorm:"NOT NULL DEFAULT false"`

  55. 	DismissStaleApprovals         bool     `xorm:"NOT NULL DEFAULT false"`

  56. 	RequireSignedCommits          bool     `xorm:"NOT NULL DEFAULT false"`

  57. 	ProtectedFilePatterns         string   `xorm:"TEXT"`

  58. 	UnprotectedFilePatterns       string   `xorm:"TEXT"`

  59. 

  60. 	CreatedUnix timeutil.TimeStamp `xorm:"created"`

  61. 	UpdatedUnix timeutil.TimeStamp `xorm:"updated"`

  62. }

  63. 

  64. func init() {

  65. 	db.RegisterModel(new(ProtectedBranch))

  66. }

  67. 

  68. // IsRuleNameSpecial return true if it contains special character

  69. func IsRuleNameSpecial(ruleName string) bool {

  70. 	for i := 0; i < len(ruleName); i++ {

  71. 		if syntax.Special(ruleName[i]) {

  72. 			return true

  73. 		}

  74. 	}

  75. 	return false

  76. }

  77. 

  78. func (protectBranch *ProtectedBranch) loadGlob() {

  79. 	if protectBranch.globRule == nil {

  80. 		var err error

  81. 		protectBranch.globRule, err = glob.Compile(protectBranch.RuleName, '/')

  82. 		if err != nil {

  83. 			log.Warn("Invalid glob rule for ProtectedBranch[%d]: %s %v", protectBranch.ID, protectBranch.RuleName, err)

  84. 			protectBranch.globRule = glob.MustCompile(glob.QuoteMeta(protectBranch.RuleName), '/')

  85. 		}

  86. 		protectBranch.isPlainName = !IsRuleNameSpecial(protectBranch.RuleName)

  87. 	}

  88. }

  89. 

  90. // Match tests if branchName matches the rule

  91. func (protectBranch *ProtectedBranch) Match(branchName string) bool {

  92. 	protectBranch.loadGlob()

  93. 	if protectBranch.isPlainName {

  94. 		return strings.EqualFold(protectBranch.RuleName, branchName)

  95. 	}

  96. 

  97. 	return protectBranch.globRule.Match(branchName)

  98. }

  99. 

  100. func (protectBranch *ProtectedBranch) LoadRepo(ctx context.Context) (err error) {

  101. 	if protectBranch.Repo != nil {

  102. 		return nil

  103. 	}

  104. 	protectBranch.Repo, err = repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)

  105. 	return err

  106. }

  107. 

  108. // CanUserPush returns if some user could push to this protected branch

  109. func (protectBranch *ProtectedBranch) CanUserPush(ctx context.Context, user *user_model.User) bool {

  110. 	if !protectBranch.CanPush {

  111. 		return false

  112. 	}

  113. 

  114. 	if !protectBranch.EnableWhitelist {

  115. 		if err := protectBranch.LoadRepo(ctx); err != nil {

  116. 			log.Error("LoadRepo: %v", err)

  117. 			return false

  118. 		}

  119. 

  120. 		writeAccess, err := access_model.HasAccessUnit(ctx, user, protectBranch.Repo, unit.TypeCode, perm.AccessModeWrite)

  121. 		if err != nil {

  122. 			log.Error("HasAccessUnit: %v", err)

  123. 			return false

  124. 		}

  125. 		return writeAccess

  126. 	}

  127. 

  128. 	if base.Int64sContains(protectBranch.WhitelistUserIDs, user.ID) {

  129. 		return true

  130. 	}

  131. 

  132. 	if len(protectBranch.WhitelistTeamIDs) == 0 {

  133. 		return false

  134. 	}

  135. 

  136. 	in, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.WhitelistTeamIDs)

  137. 	if err != nil {

  138. 		log.Error("IsUserInTeams: %v", err)

  139. 		return false

  140. 	}

  141. 	return in

  142. }

  143. 

  144. // IsUserMergeWhitelisted checks if some user is whitelisted to merge to this branch

  145. func IsUserMergeWhitelisted(ctx context.Context, protectBranch *ProtectedBranch, userID int64, permissionInRepo access_model.Permission) bool {

  146. 	if !protectBranch.EnableMergeWhitelist {

  147. 		// Then we need to fall back on whether the user has write permission

  148. 		return permissionInRepo.CanWrite(unit.TypeCode)

  149. 	}

  150. 

  151. 	if base.Int64sContains(protectBranch.MergeWhitelistUserIDs, userID) {

  152. 		return true

  153. 	}

  154. 

  155. 	if len(protectBranch.MergeWhitelistTeamIDs) == 0 {

  156. 		return false

  157. 	}

  158. 

  159. 	in, err := organization.IsUserInTeams(ctx, userID, protectBranch.MergeWhitelistTeamIDs)

  160. 	if err != nil {

  161. 		log.Error("IsUserInTeams: %v", err)

  162. 		return false

  163. 	}

  164. 	return in

  165. }

  166. 

  167. // IsUserOfficialReviewer check if user is official reviewer for the branch (counts towards required approvals)

  168. func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch, user *user_model.User) (bool, error) {

  169. 	repo, err := repo_model.GetRepositoryByID(ctx, protectBranch.RepoID)

  170. 	if err != nil {

  171. 		return false, err

  172. 	}

  173. 

  174. 	if !protectBranch.EnableApprovalsWhitelist {

  175. 		// Anyone with write access is considered official reviewer

  176. 		writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)

  177. 		if err != nil {

  178. 			return false, err

  179. 		}

  180. 		return writeAccess, nil

  181. 	}

  182. 

  183. 	if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {

  184. 		return true, nil

  185. 	}

  186. 

  187. 	inTeam, err := organization.IsUserInTeams(ctx, user.ID, protectBranch.ApprovalsWhitelistTeamIDs)

  188. 	if err != nil {

  189. 		return false, err

  190. 	}

  191. 

  192. 	return inTeam, nil

  193. }

  194. 

  195. // GetProtectedFilePatterns parses a semicolon separated list of protected file patterns and returns a glob.Glob slice

  196. func (protectBranch *ProtectedBranch) GetProtectedFilePatterns() []glob.Glob {

  197. 	return getFilePatterns(protectBranch.ProtectedFilePatterns)

  198. }

  199. 

  200. // GetUnprotectedFilePatterns parses a semicolon separated list of unprotected file patterns and returns a glob.Glob slice

  201. func (protectBranch *ProtectedBranch) GetUnprotectedFilePatterns() []glob.Glob {

  202. 	return getFilePatterns(protectBranch.UnprotectedFilePatterns)

  203. }

  204. 

  205. func getFilePatterns(filePatterns string) []glob.Glob {

  206. 	extarr := make([]glob.Glob, 0, 10)

  207. 	for _, expr := range strings.Split(strings.ToLower(filePatterns), ";") {

  208. 		expr = strings.TrimSpace(expr)

  209. 		if expr != "" {

  210. 			if g, err := glob.Compile(expr, '.', '/'); err != nil {

  211. 				log.Info("Invalid glob expression '%s' (skipped): %v", expr, err)

  212. 			} else {

  213. 				extarr = append(extarr, g)

  214. 			}

  215. 		}

  216. 	}

  217. 	return extarr

  218. }

  219. 

  220. // MergeBlockedByProtectedFiles returns true if merge is blocked by protected files change

  221. func (protectBranch *ProtectedBranch) MergeBlockedByProtectedFiles(changedProtectedFiles []string) bool {

  222. 	glob := protectBranch.GetProtectedFilePatterns()

  223. 	if len(glob) == 0 {

  224. 		return false

  225. 	}

  226. 

  227. 	return len(changedProtectedFiles) > 0

  228. }

  229. 

  230. // IsProtectedFile return if path is protected

  231. func (protectBranch *ProtectedBranch) IsProtectedFile(patterns []glob.Glob, path string) bool {

  232. 	if len(patterns) == 0 {

  233. 		patterns = protectBranch.GetProtectedFilePatterns()

  234. 		if len(patterns) == 0 {

  235. 			return false

  236. 		}

  237. 	}

  238. 

  239. 	lpath := strings.ToLower(strings.TrimSpace(path))

  240. 

  241. 	r := false

  242. 	for _, pat := range patterns {

  243. 		if pat.Match(lpath) {

  244. 			r = true

  245. 			break

  246. 		}

  247. 	}

  248. 

  249. 	return r

  250. }

  251. 

  252. // IsUnprotectedFile return if path is unprotected

  253. func (protectBranch *ProtectedBranch) IsUnprotectedFile(patterns []glob.Glob, path string) bool {

  254. 	if len(patterns) == 0 {

  255. 		patterns = protectBranch.GetUnprotectedFilePatterns()

  256. 		if len(patterns) == 0 {

  257. 			return false

  258. 		}

  259. 	}

  260. 

  261. 	lpath := strings.ToLower(strings.TrimSpace(path))

  262. 

  263. 	r := false

  264. 	for _, pat := range patterns {

  265. 		if pat.Match(lpath) {

  266. 			r = true

  267. 			break

  268. 		}

  269. 	}

  270. 

  271. 	return r

  272. }

  273. 

  274. // GetProtectedBranchRuleByName getting protected branch rule by name

  275. func GetProtectedBranchRuleByName(ctx context.Context, repoID int64, ruleName string) (*ProtectedBranch, error) {

  276. 	rel := &ProtectedBranch{RepoID: repoID, RuleName: ruleName}

  277. 	has, err := db.GetByBean(ctx, rel)

  278. 	if err != nil {

  279. 		return nil, err

  280. 	}

  281. 	if !has {

  282. 		return nil, nil

  283. 	}

  284. 	return rel, nil

  285. }

  286. 

  287. // GetProtectedBranchRuleByID getting protected branch rule by rule ID

  288. func GetProtectedBranchRuleByID(ctx context.Context, repoID, ruleID int64) (*ProtectedBranch, error) {

  289. 	rel := &ProtectedBranch{ID: ruleID, RepoID: repoID}

  290. 	has, err := db.GetByBean(ctx, rel)

  291. 	if err != nil {

  292. 		return nil, err

  293. 	}

  294. 	if !has {

  295. 		return nil, nil

  296. 	}

  297. 	return rel, nil

  298. }

  299. 

  300. // WhitelistOptions represent all sorts of whitelists used for protected branches

  301. type WhitelistOptions struct {

  302. 	UserIDs []int64

  303. 	TeamIDs []int64

  304. 

  305. 	MergeUserIDs []int64

  306. 	MergeTeamIDs []int64

  307. 

  308. 	ApprovalsUserIDs []int64

  309. 	ApprovalsTeamIDs []int64

  310. }

  311. 

  312. // UpdateProtectBranch saves branch protection options of repository.

  313. // If ID is 0, it creates a new record. Otherwise, updates existing record.

  314. // This function also performs check if whitelist user and team's IDs have been changed

  315. // to avoid unnecessary whitelist delete and regenerate.

  316. func UpdateProtectBranch(ctx context.Context, repo *repo_model.Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {

  317. 	if err = repo.GetOwner(ctx); err != nil {

  318. 		return fmt.Errorf("GetOwner: %v", err)

  319. 	}

  320. 

  321. 	whitelist, err := updateUserWhitelist(ctx, repo, protectBranch.WhitelistUserIDs, opts.UserIDs)

  322. 	if err != nil {

  323. 		return err

  324. 	}

  325. 	protectBranch.WhitelistUserIDs = whitelist

  326. 

  327. 	whitelist, err = updateUserWhitelist(ctx, repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)

  328. 	if err != nil {

  329. 		return err

  330. 	}

  331. 	protectBranch.MergeWhitelistUserIDs = whitelist

  332. 

  333. 	whitelist, err = updateApprovalWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)

  334. 	if err != nil {

  335. 		return err

  336. 	}

  337. 	protectBranch.ApprovalsWhitelistUserIDs = whitelist

  338. 

  339. 	// if the repo is in an organization

  340. 	whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)

  341. 	if err != nil {

  342. 		return err

  343. 	}

  344. 	protectBranch.WhitelistTeamIDs = whitelist

  345. 

  346. 	whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)

  347. 	if err != nil {

  348. 		return err

  349. 	}

  350. 	protectBranch.MergeWhitelistTeamIDs = whitelist

  351. 

  352. 	whitelist, err = updateTeamWhitelist(ctx, repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)

  353. 	if err != nil {

  354. 		return err

  355. 	}

  356. 	protectBranch.ApprovalsWhitelistTeamIDs = whitelist

  357. 

  358. 	// Make sure protectBranch.ID is not 0 for whitelists

  359. 	if protectBranch.ID == 0 {

  360. 		if _, err = db.GetEngine(ctx).Insert(protectBranch); err != nil {

  361. 			return fmt.Errorf("Insert: %v", err)

  362. 		}

  363. 		return nil

  364. 	}

  365. 

  366. 	if _, err = db.GetEngine(ctx).ID(protectBranch.ID).AllCols().Update(protectBranch); err != nil {

  367. 		return fmt.Errorf("Update: %v", err)

  368. 	}

  369. 

  370. 	return nil

  371. }

  372. 

  373. // updateApprovalWhitelist checks whether the user whitelist changed and returns a whitelist with

  374. // the users from newWhitelist which have explicit read or write access to the repo.

  375. func updateApprovalWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {

  376. 	hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)

  377. 	if !hasUsersChanged {

  378. 		return currentWhitelist, nil

  379. 	}

  380. 

  381. 	whitelist = make([]int64, 0, len(newWhitelist))

  382. 	for _, userID := range newWhitelist {

  383. 		if reader, err := access_model.IsRepoReader(ctx, repo, userID); err != nil {

  384. 			return nil, err

  385. 		} else if !reader {

  386. 			continue

  387. 		}

  388. 		whitelist = append(whitelist, userID)

  389. 	}

  390. 

  391. 	return whitelist, err

  392. }

  393. 

  394. // updateUserWhitelist checks whether the user whitelist changed and returns a whitelist with

  395. // the users from newWhitelist which have write access to the repo.

  396. func updateUserWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {

  397. 	hasUsersChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)

  398. 	if !hasUsersChanged {

  399. 		return currentWhitelist, nil

  400. 	}

  401. 

  402. 	whitelist = make([]int64, 0, len(newWhitelist))

  403. 	for _, userID := range newWhitelist {

  404. 		user, err := user_model.GetUserByID(ctx, userID)

  405. 		if err != nil {

  406. 			return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)

  407. 		}

  408. 		perm, err := access_model.GetUserRepoPermission(ctx, repo, user)

  409. 		if err != nil {

  410. 			return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)

  411. 		}

  412. 

  413. 		if !perm.CanWrite(unit.TypeCode) {

  414. 			continue // Drop invalid user ID

  415. 		}

  416. 

  417. 		whitelist = append(whitelist, userID)

  418. 	}

  419. 

  420. 	return whitelist, err

  421. }

  422. 

  423. // updateTeamWhitelist checks whether the team whitelist changed and returns a whitelist with

  424. // the teams from newWhitelist which have write access to the repo.

  425. func updateTeamWhitelist(ctx context.Context, repo *repo_model.Repository, currentWhitelist, newWhitelist []int64) (whitelist []int64, err error) {

  426. 	hasTeamsChanged := !util.SliceSortedEqual(currentWhitelist, newWhitelist)

  427. 	if !hasTeamsChanged {

  428. 		return currentWhitelist, nil

  429. 	}

  430. 

  431. 	teams, err := organization.GetTeamsWithAccessToRepo(ctx, repo.OwnerID, repo.ID, perm.AccessModeRead)

  432. 	if err != nil {

  433. 		return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)

  434. 	}

  435. 

  436. 	whitelist = make([]int64, 0, len(teams))

  437. 	for i := range teams {

  438. 		if util.SliceContains(newWhitelist, teams[i].ID) {

  439. 			whitelist = append(whitelist, teams[i].ID)

  440. 		}

  441. 	}

  442. 

  443. 	return whitelist, err

  444. }

  445. 

  446. // DeleteProtectedBranch removes ProtectedBranch relation between the user and repository.

  447. func DeleteProtectedBranch(ctx context.Context, repoID, id int64) (err error) {

  448. 	protectedBranch := &ProtectedBranch{

  449. 		RepoID: repoID,

  450. 		ID:     id,

  451. 	}

  452. 

  453. 	if affected, err := db.GetEngine(ctx).Delete(protectedBranch); err != nil {

  454. 		return err

  455. 	} else if affected != 1 {

  456. 		return fmt.Errorf("delete protected branch ID(%v) failed", id)

  457. 	}

  458. 

  459. 	return nil

  460. }

  461. 

  462. // RemoveUserIDFromProtectedBranch remove all user ids from protected branch options

  463. func RemoveUserIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, userID int64) error {

  464. 	lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistUserIDs), len(p.ApprovalsWhitelistUserIDs), len(p.MergeWhitelistUserIDs)

  465. 	p.WhitelistUserIDs = util.SliceRemoveAll(p.WhitelistUserIDs, userID)

  466. 	p.ApprovalsWhitelistUserIDs = util.SliceRemoveAll(p.ApprovalsWhitelistUserIDs, userID)

  467. 	p.MergeWhitelistUserIDs = util.SliceRemoveAll(p.MergeWhitelistUserIDs, userID)

  468. 

  469. 	if lenIDs != len(p.WhitelistUserIDs) || lenApprovalIDs != len(p.ApprovalsWhitelistUserIDs) ||

  470. 		lenMergeIDs != len(p.MergeWhitelistUserIDs) {

  471. 		if _, err := db.GetEngine(ctx).ID(p.ID).Cols(

  472. 			"whitelist_user_i_ds",

  473. 			"merge_whitelist_user_i_ds",

  474. 			"approvals_whitelist_user_i_ds",

  475. 		).Update(p); err != nil {

  476. 			return fmt.Errorf("updateProtectedBranches: %v", err)

  477. 		}

  478. 	}

  479. 	return nil

  480. }

  481. 

  482. // RemoveTeamIDFromProtectedBranch remove all team ids from protected branch options

  483. func RemoveTeamIDFromProtectedBranch(ctx context.Context, p *ProtectedBranch, teamID int64) error {

  484. 	lenIDs, lenApprovalIDs, lenMergeIDs := len(p.WhitelistTeamIDs), len(p.ApprovalsWhitelistTeamIDs), len(p.MergeWhitelistTeamIDs)

  485. 	p.WhitelistTeamIDs = util.SliceRemoveAll(p.WhitelistTeamIDs, teamID)

  486. 	p.ApprovalsWhitelistTeamIDs = util.SliceRemoveAll(p.ApprovalsWhitelistTeamIDs, teamID)

  487. 	p.MergeWhitelistTeamIDs = util.SliceRemoveAll(p.MergeWhitelistTeamIDs, teamID)

  488. 

  489. 	if lenIDs != len(p.WhitelistTeamIDs) ||

  490. 		lenApprovalIDs != len(p.ApprovalsWhitelistTeamIDs) ||

  491. 		lenMergeIDs != len(p.MergeWhitelistTeamIDs) {

  492. 		if _, err := db.GetEngine(ctx).ID(p.ID).Cols(

  493. 			"whitelist_team_i_ds",

  494. 			"merge_whitelist_team_i_ds",

  495. 			"approvals_whitelist_team_i_ds",

  496. 		).Update(p); err != nil {

  497. 			return fmt.Errorf("updateProtectedBranches: %v", err)

  498. 		}

  499. 	}

  500. 	return nil

  501. }