Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-17 01:33:17 +02:00
Code Issues Activity

update AccessibleGroupCondition function to take a minimum perm.AccessMode as a parameter

Browse Source
This commit is contained in:
☙◦ The Tablet ❀ GamerGirlandCo ◦❧ 2025-08-13 21:59:19 -04:00
parent bdb88fd7f0
commit 21d499d42e
No known key found for this signature in database
GPG Key ID: 924A5F6AF051E87C
3 changed files with 13 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
models/group/group.go
View File

@ -94,7 +94,7 @@ func (g *Group) LoadSubgroups(ctx context.Context, recursive bool) error {
} }
func (g *Group) LoadAccessibleSubgroups(ctx context.Context, recursive bool, doer *user_model.User) error { func (g *Group) LoadAccessibleSubgroups(ctx context.Context, recursive bool, doer *user_model.User) error {
return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid), 0) return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid, perm.AccessModeRead), 0)
} }
func (g *Group) LoadAttributes(ctx context.Context) error { func (g *Group) LoadAttributes(ctx context.Context) error {
@ -129,13 +129,12 @@ func (g *Group) LoadOwner(ctx context.Context) error {
return err return err
} }
func (g *Group) CanAccess(ctx context.Context, userID int64) (bool, error) { func (g *Group) CanAccess(ctx context.Context, user *user_model.User) (bool, error) {
return g.CanAccessAtLevel(ctx, userID, perm.AccessModeRead) return g.CanAccessAtLevel(ctx, user, perm.AccessModeRead)
} }
func (g *Group) CanAccessAtLevel(ctx context.Context, userID int64, level perm.AccessMode) (bool, error) { func (g *Group) CanAccessAtLevel(ctx context.Context, user *user_model.User, level perm.AccessMode) (bool, error) {
return db.GetEngine(ctx). return db.GetEngine(ctx).Where(AccessibleGroupCondition(user, unit.TypeInvalid, level).And(builder.Eq{"`repo_group`.id": g.ID})).Exist(&Group{})
Where(UserOrgTeamPermCond("id", userID, level)).Table("repo_group").Exist()
} }
func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) { func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) {
@ -337,9 +336,10 @@ func UpdateGroup(ctx context.Context, group *Group) error {
func MoveGroup(ctx context.Context, group *Group, newParent int64, newSortOrder int) error { func MoveGroup(ctx context.Context, group *Group, newParent int64, newSortOrder int) error {
sess := db.GetEngine(ctx) sess := db.GetEngine(ctx)
ng, err := GetGroupByID(ctx, newParent) ng, err := GetGroupByID(ctx, newParent)
if !IsErrGroupNotExist(err) { if err != nil && !IsErrGroupNotExist(err) {
return err return err
} }
if ng != nil { if ng != nil {
if ng.OwnerID != group.OwnerID { if ng.OwnerID != group.OwnerID {
return fmt.Errorf("group[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", group.ID, ng.ID) return fmt.Errorf("group[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", group.ID, ng.ID)

6
models/group/group_list.go
View File

@ -33,6 +33,7 @@ func userOrgTeamGroupBuilder(userID int64) *builder.Builder {
Where(builder.Eq{"`team_user`.uid": userID}) Where(builder.Eq{"`team_user`.uid": userID})
} }
// UserOrgTeamPermCond returns a condition to select ids of groups that a user can access at the level described by `level`
func UserOrgTeamPermCond(idStr string, userID int64, level perm.AccessMode) builder.Cond { func UserOrgTeamPermCond(idStr string, userID int64, level perm.AccessMode) builder.Cond {
selCond := userOrgTeamGroupBuilder(userID) selCond := userOrgTeamGroupBuilder(userID)
selCond = selCond.InnerJoin("team", "`team`.id = `repo_group_team`.team_id"). selCond = selCond.InnerJoin("team", "`team`.id = `repo_group_team`.team_id").
@ -60,7 +61,7 @@ func userOrgTeamUnitGroupBuilder(userID int64, unitType unit.Type) *builder.Buil
} }
// AccessibleGroupCondition returns a condition that matches groups which a user can access via the specified unit // AccessibleGroupCondition returns a condition that matches groups which a user can access via the specified unit
func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder.Cond { func AccessibleGroupCondition(user *user_model.User, unitType unit.Type, minMode perm.AccessMode) builder.Cond {
cond := builder.NewCond() cond := builder.NewCond()
if user == nil || !user.IsRestricted || user.ID <= 0 { if user == nil || !user.IsRestricted || user.ID <= 0 {
orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate} orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
@ -68,7 +69,7 @@ func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder
orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited) orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
} }
cond = cond.Or(builder.And( cond = cond.Or(builder.And(
builder.Eq{"`repo_group`.is_private": false}, builder.Eq{"`repo_group`.visibility": structs.VisibleTypePublic},
builder.NotIn("`repo_group`.owner_id", builder.Select("id").From("`user`").Where( builder.NotIn("`repo_group`.owner_id", builder.Select("id").From("`user`").Where(
builder.And( builder.And(
builder.Eq{"type": user_model.UserTypeOrganization}, builder.Eq{"type": user_model.UserTypeOrganization},
@ -76,6 +77,7 @@ func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder
)))) ))))
} }
if user != nil { if user != nil {
cond = cond.Or(UserOrgTeamPermCond("`repo_group`.id", user.ID, minMode))
if unitType == unit.TypeInvalid { if unitType == unit.TypeInvalid {
cond = cond.Or( cond = cond.Or(
UserOrgTeamGroupCond("`repo_group`.id", user.ID), UserOrgTeamGroupCond("`repo_group`.id", user.ID),

8
routers/api/v1/api.go
View File

@ -507,12 +507,8 @@ func reqGroupMembership(mode perm.AccessMode, needsCreatePerm bool) func(ctx *co
ctx.APIErrorInternal(err) ctx.APIErrorInternal(err)
return return
} }
var canAccess bool canAccess, err := g.CanAccessAtLevel(ctx, ctx.Doer, mode)
if ctx.IsSigned {
canAccess, err = g.CanAccessAtLevel(ctx, ctx.Doer.ID, mode)
} else {
canAccess, err = g.CanAccessAtLevel(ctx, 0, mode)
}
if err != nil { if err != nil {
ctx.APIErrorInternal(err) ctx.APIErrorInternal(err)
return return