start on API perms

2025-12-09 02:31:47 +01:00 · 2024-11-29 11:28:10 -08:00 · 2024-11-29 11:28:10 -08:00 · 14f6e4cad0
commit 14f6e4cad0
parent a860b3e101
2 changed files with 38 additions and 2 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -432,6 +432,18 @@ func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {
 	}
 }

+// reqRepoCommitStatusWriter user should have a permission to write to commit
+// statuses, or write to a repo, or be a site admin
+func reqRepoCommitStatusWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		// TODO
+		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
+			ctx.Error(http.StatusForbidden, "reqRepoCommitStatusWriter", "user should have a permission to write to a repo")
+			return
+		}
+	}
+}
+
 // reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin
 func reqRepoBranchWriter(ctx *context.APIContext) {
 	options, ok := web.GetForm(ctx).(api.FileOptionInterface)
@ -451,6 +463,18 @@ func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {
 	}
 }

+// reqRepoReader user should have specific commit status read permission, or
+// repo read permission, or be a repo admin or a site admin
+func reqRepoCommitStatusReader(unitType unit.Type) func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		// TODO
+		if !ctx.Repo.CanRead(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
+			ctx.Error(http.StatusForbidden, "reqRepoCommitStatusReader", "user should have specific read permission or be a repo admin or a site admin")
+			return
+		}
+	}
+}
+
 // reqAnyRepoReader user should have any permission to read repository or permissions of site admin
 func reqAnyRepoReader() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
@ -1323,8 +1347,8 @@ func Routes() *web.Router {
 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())
 				m.Group("/statuses", func() {
 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).
-						Post(reqToken(), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
-				}, reqRepoReader(unit.TypeCode))
+						Post(reqToken(), reqRepoCommitStatusWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
+				}, reqRepoCommitStatusReader(unit.TypeCode))
 				m.Group("/commits", func() {
 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)
 					m.Group("/{ref}", func() {
--- a/services/context/api.go
+++ b/services/context/api.go
@ -388,3 +388,15 @@ func (ctx *APIContext) IsUserRepoWriter(unitTypes []unit.Type) bool {

 	return false
 }
+
+// IsUserRepoWriter returns true if current user has write commit status privilege in current repo
+func (ctx *APIContext) IsUserCommitStatusWriter(unitTypes []unit.Type) bool {
+	for _, unitType := range unitTypes {
+		// TODO
+		if ctx.Repo.CanWrite(unitType) {
+			return true
+		}
+	}
+
+	return false
+}