From 5eaa0bc6035b259d33960b8686aecefd010dab43 Mon Sep 17 00:00:00 2001 From: Giteabot Date: Mon, 11 May 2026 10:36:07 -0700 Subject: [PATCH] fix(packages): Add label for private and internal package and fix composor package source permission check (#37610) (#37643) Backport #37610 by @lunny - Add permission checks for Composer package source links - Add private/internal visibility labels for packages, similar to repository visibility labels image - Add a link to change package visibility image - Update link package descriptions image --------- Co-authored-by: Lunny Xiao Co-authored-by: Nicolas Co-authored-by: silverwind --- models/user/user.go | 7 ++ options/locale/locale_en-US.json | 8 +- routers/api/packages/composer/api.go | 18 ++-- routers/api/packages/composer/composer.go | 1 + templates/package/settings.tmpl | 18 +++- .../package/shared/cleanup_rules/preview.tmpl | 7 +- templates/package/shared/list.tmpl | 5 +- templates/package/shared/versionlist.tmpl | 8 +- templates/package/shared/view.tmpl | 7 +- .../package/shared/visibility_badge.tmpl | 7 ++ .../integration/api_packages_composer_test.go | 83 +++++++++++++++++++ 11 files changed, 158 insertions(+), 11 deletions(-) create mode 100644 templates/package/shared/visibility_badge.tmpl diff --git a/models/user/user.go b/models/user/user.go index cdea4e146e..d2dd7990b0 100644 --- a/models/user/user.go +++ b/models/user/user.go @@ -307,6 +307,13 @@ func (u *User) DashboardLink() string { return setting.AppSubURL + "/" } +func (u *User) SettingsLink() string { + if u.IsOrganization() { + return u.OrganisationLink() + "/settings" + } + return setting.AppSubURL + "/user/settings" +} + // HomeLink returns the user or organization home page link. func (u *User) HomeLink() string { return setting.AppSubURL + "/" + url.PathEscape(u.Name) diff --git a/options/locale/locale_en-US.json b/options/locale/locale_en-US.json index 0d31e045c8..7c20cdc9f2 100644 --- a/options/locale/locale_en-US.json 
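Review bot: `SettingsLink` in models/user/user.go is added without a doc comment, unlike the neighbouring `HomeLink`, and its non-organization branch ignores the receiver by returning the fixed path `setting.AppSubURL + "/user/settings"`. That path is the signed-in account's own settings page, so if the package settings page can be opened by someone other than the owning user (a site administrator, for instance; not visible in this diff), the "Change owner visibility" button would lead to the wrong account. Documenting this on the method would make the limitation explicit: `// SettingsLink returns the organization settings link, or the signed-in user's own settings link for an individual user.`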
+++ b/options/locale/locale_en-US.json
@@ -3619,7 +3619,13 @@
 "packages.terraform.delete.latest": "The latest version of a Terraform state cannot be deleted.",
 "packages.vagrant.install": "To add a Vagrant box, run the following command:",
 "packages.settings.link": "Link this package to a repository",
- "packages.settings.link.description": "If you link a package with a repository, the package will appear in the repository's package list. Only repositories under the same owner can be linked. Leaving the field empty will remove the link.",
+ "packages.settings.link.description": "If you link a package with a repository, the package will appear in the repository's package list.",
+ "packages.settings.link.notice1": "Only repositories under the same owner can be linked.",
+ "packages.settings.link.notice2": "Linking a repository does not change the package visibility.",
+ "packages.settings.link.notice3": "Leaving the field empty will remove the link.",
+ "packages.settings.visibility": "Package visibility",
+ "packages.settings.visibility.inherit": "Package visibility is inherited from the owner and cannot be changed independently here. To change it, update the visibility settings of the user or organization that owns this package.",
+ "packages.settings.visibility.button": "Change owner visibility",
 "packages.settings.link.select": "Select Repository",
 "packages.settings.link.button": "Update Repository Link",
 "packages.settings.link.success": "Repository link was successfully updated.",
diff --git a/routers/api/packages/composer/api.go b/routers/api/packages/composer/api.go
index a3ea2c2f9a..0d95ab3ed9 100644
--- a/routers/api/packages/composer/api.go
+++ b/routers/api/packages/composer/api.go
@@ -9,7 +9,10 @@ import ( "time" packages_model "code.gitea.io/gitea/models/packages" + access_model "code.gitea.io/gitea/models/perm/access" + "code.gitea.io/gitea/modules/log" composer_module "code.gitea.io/gitea/modules/packages/composer" + "code.gitea.io/gitea/services/context" ) // ServiceIndexResponse contains registry endpoints @@ -91,7 +94,7 @@ type Source struct { Reference string `json:"reference"` } -func createPackageMetadataResponse(registryURL string, pds []*packages_model.PackageDescriptor) *PackageMetadataResponse { +func createPackageMetadataResponse(ctx *context.Context, registryURL string, pds []*packages_model.PackageDescriptor) *PackageMetadataResponse { versions := make([]*PackageVersionMetadata, 0, len(pds)) for _, pd := range pds { @@ -116,10 +119,15 @@ func createPackageMetadataResponse(registryURL string, pds []*packages_model.Pac }, } if pd.Repository != nil { - pkg.Source = Source{ - URL: pd.Repository.HTMLURL(), - Type: "git", - Reference: pd.Version.Version, + permission, err := access_model.GetDoerRepoPermission(ctx, pd.Repository, ctx.Doer) + if err != nil { + log.Error("GetDoerRepoPermission[%d]: %v", pd.Repository.ID, err) + } else if permission.HasAnyUnitAccessOrPublicAccess() { + pkg.Source = Source{ + URL: pd.Repository.HTMLURL(), + Type: "git", + Reference: pd.Version.Version, + } } } diff --git a/routers/api/packages/composer/composer.go b/routers/api/packages/composer/composer.go index 8eb66ca244..b18cdc242c 100644 --- a/routers/api/packages/composer/composer.go +++ b/routers/api/packages/composer/composer.go @@ -146,6 +146,7 @@ func PackageMetadata(ctx *context.Context) { } resp := createPackageMetadataResponse( + ctx, setting.AppURL+"api/packages/"+ctx.Package.Owner.Name+"/composer", pds, ) diff --git a/templates/package/settings.tmpl b/templates/package/settings.tmpl index f9f8b7476a..b7b069a95b 100644 --- a/templates/package/settings.tmpl +++ b/templates/package/settings.tmpl 
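Review bot: In the new `if pd.Repository != nil` branch of `createPackageMetadataResponse`, the `err != nil` path only logs and leaves `pkg.Source` empty. That is the correct fail-closed outcome, but nothing states it is intentional. A comment such as `// On lookup failure omit the source link so the URL of a repository the doer cannot see is never returned.` would stop a later change from adding a fallback that re-exposes the link. The lookup also sits inside the `for _, pd := range pds` loop, so if every version links to the same repository (likely, but not visible here) `GetDoerRepoPermission` is repeated once per version; remembering the result per `pd.Repository.ID` would avoid that. The function body continues outside this hunk.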
@@ -10,12 +10,28 @@ {{template "user/overview/header" .}} {{end}} {{template "base/alert" .}} -

{{.PackageDescriptor.Package.Name}} / {{ctx.Locale.Tr "repo.settings"}}

+

+ {{.PackageDescriptor.Package.Name}} + + {{template "package/shared/visibility_badge" dict "Package" .PackageDescriptor.Package "Owner" .PackageDescriptor.Owner}} + + / {{ctx.Locale.Tr "repo.settings"}} +

+

+ {{ctx.Locale.Tr "packages.settings.visibility"}} +

+
+

{{ctx.Locale.Tr "packages.settings.visibility.inherit"}}

+ {{ctx.Locale.Tr "packages.settings.visibility.button"}} +

{{ctx.Locale.Tr "packages.settings.link"}}

{{ctx.Locale.Tr "packages.settings.link.description"}}

+

- {{ctx.Locale.Tr "packages.settings.link.notice1"}}

+

- {{ctx.Locale.Tr "packages.settings.link.notice2"}}

+

- {{ctx.Locale.Tr "packages.settings.link.notice3"}}