Restricted users (#6274)

* Restricted users (#4334): initial implementation * Add User.IsRestricted & UI to edit it * Pass user object instead of user id to places where IsRestricted flag matters * Restricted users: maintain access rows for all referenced repos (incl public) * Take logged in user & IsRestricted flag into account in org/repo listings, searches and accesses * Add basic repo access tests for restricted users Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Mention restricted users in the faq Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert unnecessary change `.isUserPartOfOrg` -> `.IsUserPartOfOrg` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Remove unnecessary `org.IsOrganization()` call Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert to an `int64` keyed `accessMap` * Add type `userAccess` * Add convenience func updateUserAccess() * Turn accessMap into a `map[int64]userAccess` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * or even better: `map[int64]*userAccess` * updateUserAccess(): use tighter syntax as suggested by lafriks * even tighter * Avoid extra loop * Don't disclose limited orgs to unauthenticated users * Don't assume block only applies to orgs * Use an array of `VisibleType` for filtering * fix yet another thinko * Ok - no need for u * Revert "Ok - no need for u" This reverts commit 5c3e886aabd5acd997a3b35687d322439732c200. Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com> Co-authored-by: Lauris BH <lauris@nix.lv>
2020-01-13 19:33:46 +02:00 · 2020-01-13 19:33:46 +02:00 · 1751d5fcf2
commit 1751d5fcf2
parent 0b3aaa6196
31 changed files with 310 additions and 124 deletions
--- a/routers/admin/users.go
+++ b/routers/admin/users.go
@ -233,6 +233,7 @@ func EditUserPost(ctx *context.Context, form auth.AdminEditUserForm) {
 	u.MaxRepoCreation = form.MaxRepoCreation
 	u.IsActive = form.Active
 	u.IsAdmin = form.Admin
+	u.IsRestricted = form.Restricted
 	u.AllowGitHook = form.AllowGitHook
 	u.AllowImportLocal = form.AllowImportLocal
 	u.AllowCreateOrganization = form.AllowCreateOrganization
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@ -73,13 +73,12 @@ func SearchIssues(ctx *context.APIContext) {
 		AllPublic:   true,
 		TopicOnly:   false,
 		Collaborate: util.OptionalBoolNone,
-		UserIsAdmin: ctx.IsUserSiteAdmin(),
 		OrderBy:     models.SearchOrderByRecentUpdated,
+		Actor:       ctx.User,
 	}
 	if ctx.IsSigned {
 		opts.Private = true
 		opts.AllLimited = true
-		opts.UserID = ctx.User.ID
 	}
 	issueCount := 0
 	for page := 1; ; page++ {
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@ -126,6 +126,7 @@ func Search(ctx *context.APIContext) {
 	//     "$ref": "#/responses/validationError"

 	opts := &models.SearchRepoOptions{
+		Actor:              ctx.User,
 		Keyword:            strings.Trim(ctx.Query("q"), " "),
 		OwnerID:            ctx.QueryInt64("uid"),
 		PriorityOwnerID:    ctx.QueryInt64("priority_owner_id"),
@ -135,8 +136,6 @@ func Search(ctx *context.APIContext) {
 		Collaborate:        util.OptionalBoolNone,
 		Private:            ctx.IsSigned && (ctx.Query("private") == "" || ctx.QueryBool("private")),
 		Template:           util.OptionalBoolNone,
-		UserIsAdmin:        ctx.IsUserSiteAdmin(),
-		UserID:             ctx.Data["SignedUserID"].(int64),
 		StarredByID:        ctx.QueryInt64("starredBy"),
 		IncludeDescription: ctx.QueryBool("includeDesc"),
 	}
--- a/routers/home.go
+++ b/routers/home.go
@ -72,10 +72,11 @@ func Home(ctx *context.Context) {

 // RepoSearchOptions when calling search repositories
 type RepoSearchOptions struct {
-	OwnerID  int64
-	Private  bool
-	PageSize int
-	TplName  base.TplName
+	OwnerID    int64
+	Private    bool
+	Restricted bool
+	PageSize   int
+	TplName    base.TplName
 }

 var (
@ -136,6 +137,7 @@ func RenderRepoSearch(ctx *context.Context, opts *RepoSearchOptions) {
 	ctx.Data["TopicOnly"] = topicOnly

 	repos, count, err = models.SearchRepository(&models.SearchRepoOptions{
+		Actor:              ctx.User,
 		Page:               page,
 		PageSize:           opts.PageSize,
 		OrderBy:            orderBy,
@ -190,6 +192,7 @@ func RenderUserSearch(ctx *context.Context, opts *models.SearchUserOptions, tplN
 	if opts.Page <= 1 {
 		opts.Page = 1
 	}
+	opts.Actor = ctx.User

 	var (
 		users   []*models.User
@ -261,22 +264,16 @@ func ExploreOrganizations(ctx *context.Context) {
 	ctx.Data["PageIsExploreOrganizations"] = true
 	ctx.Data["IsRepoIndexerEnabled"] = setting.Indexer.RepoIndexerEnabled

-	var ownerID int64
-	if ctx.User != nil && !ctx.User.IsAdmin {
-		ownerID = ctx.User.ID
+	visibleTypes := []structs.VisibleType{structs.VisibleTypePublic}
+	if ctx.User != nil {
+		visibleTypes = append(visibleTypes, structs.VisibleTypeLimited, structs.VisibleTypePrivate)
 	}

-	opts := models.SearchUserOptions{
+	RenderUserSearch(ctx, &models.SearchUserOptions{
 		Type:     models.UserTypeOrganization,
 		PageSize: setting.UI.ExplorePagingNum,
-		OwnerID:  ownerID,
-	}
-	if ctx.User != nil {
-		opts.Visible = []structs.VisibleType{structs.VisibleTypePublic, structs.VisibleTypeLimited, structs.VisibleTypePrivate}
-	} else {
-		opts.Visible = []structs.VisibleType{structs.VisibleTypePublic}
-	}
-	RenderUserSearch(ctx, &opts, tplExploreOrganizations)
+		Visible:  visibleTypes,
+	}, tplExploreOrganizations)
 }

 // ExploreCode render explore code page
@ -310,7 +307,7 @@ func ExploreCode(ctx *context.Context) {

 	// guest user or non-admin user
 	if ctx.User == nil || !isAdmin {
-		repoIDs, err = models.FindUserAccessibleRepoIDs(userID)
+		repoIDs, err = models.FindUserAccessibleRepoIDs(ctx.User)
 		if err != nil {
 			ctx.ServerError("SearchResults", err)
 			return
--- a/routers/org/home.go
+++ b/routers/org/home.go
@ -80,8 +80,7 @@ func Home(ctx *context.Context) {
 		OwnerID:            org.ID,
 		OrderBy:            orderBy,
 		Private:            ctx.IsSigned,
-		UserIsAdmin:        ctx.IsUserSiteAdmin(),
-		UserID:             ctx.Data["SignedUserID"].(int64),
+		Actor:              ctx.User,
 		Page:               page,
 		IsProfile:          true,
 		PageSize:           setting.UI.User.RepoPagingNum,
--- a/routers/user/home.go
+++ b/routers/user/home.go
@ -144,6 +144,7 @@ func Dashboard(ctx *context.Context) {

 	retrieveFeeds(ctx, models.GetFeedsOptions{
 		RequestedUser:   ctxUser,
+		Actor:           ctx.User,
 		IncludePrivate:  true,
 		OnlyPerformedBy: false,
 		IncludeDeleted:  false,
--- a/routers/user/profile.go
+++ b/routers/user/profile.go
@ -161,6 +161,7 @@ func Profile(ctx *context.Context) {
 	switch tab {
 	case "activity":
 		retrieveFeeds(ctx, models.GetFeedsOptions{RequestedUser: ctxUser,
+			Actor:           ctx.User,
 			IncludePrivate:  showPrivate,
 			OnlyPerformedBy: true,
 			IncludeDeleted:  false,
@ -171,11 +172,10 @@ func Profile(ctx *context.Context) {
 	case "stars":
 		ctx.Data["PageIsProfileStarList"] = true
 		repos, count, err = models.SearchRepository(&models.SearchRepoOptions{
+			Actor:              ctx.User,
 			Keyword:            keyword,
 			OrderBy:            orderBy,
 			Private:            ctx.IsSigned,
-			UserIsAdmin:        ctx.IsUserSiteAdmin(),
-			UserID:             ctx.Data["SignedUserID"].(int64),
 			Page:               page,
 			PageSize:           setting.UI.User.RepoPagingNum,
 			StarredByID:        ctxUser.ID,
@ -191,12 +191,11 @@ func Profile(ctx *context.Context) {
 		total = int(count)
 	default:
 		repos, count, err = models.SearchRepository(&models.SearchRepoOptions{
+			Actor:              ctx.User,
 			Keyword:            keyword,
 			OwnerID:            ctxUser.ID,
 			OrderBy:            orderBy,
 			Private:            ctx.IsSigned,
-			UserIsAdmin:        ctx.IsUserSiteAdmin(),
-			UserID:             ctx.Data["SignedUserID"].(int64),
 			Page:               page,
 			IsProfile:          true,
 			PageSize:           setting.UI.User.RepoPagingNum,