Move accessmode into models/perm (#17828)

2021-11-28 19:58:28 +08:00 · 2021-11-28 19:58:28 +08:00 · 1fee11d69a
commit 1fee11d69a
parent 24a8d54bfb
59 changed files with 359 additions and 295 deletions
--- a/routers/api/v1/org/org.go
+++ b/routers/api/v1/org/org.go
@ -10,6 +10,7 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -155,16 +156,16 @@ func GetUserOrgsPermissions(ctx *context.APIContext) {
 		return
 	}

-	if authorizeLevel > models.AccessModeNone {
+	if authorizeLevel > perm.AccessModeNone {
 		op.CanRead = true
 	}
-	if authorizeLevel > models.AccessModeRead {
+	if authorizeLevel > perm.AccessModeRead {
 		op.CanWrite = true
 	}
-	if authorizeLevel > models.AccessModeWrite {
+	if authorizeLevel > perm.AccessModeWrite {
 		op.IsAdmin = true
 	}
-	if authorizeLevel > models.AccessModeAdmin {
+	if authorizeLevel > perm.AccessModeAdmin {
 		op.IsOwner = true
 	}

--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@ -9,6 +9,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -170,12 +171,12 @@ func CreateTeam(ctx *context.APIContext) {
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               models.ParseAccessMode(form.Permission),
+		Authorize:               perm.ParseAccessMode(form.Permission),
 	}

 	unitTypes := unit_model.FindUnitTypes(form.Units...)

-	if team.Authorize < models.AccessModeOwner {
+	if team.Authorize < perm.AccessModeOwner {
 		var units = make([]*models.TeamUnit, 0, len(form.Units))
 		for _, tp := range unitTypes {
 			units = append(units, &models.TeamUnit{
@ -245,7 +246,7 @@ func EditTeam(ctx *context.APIContext) {
 	isIncludeAllChanged := false
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
-		auth := models.ParseAccessMode(form.Permission)
+		auth := perm.ParseAccessMode(form.Permission)

 		if team.Authorize != auth {
 			isAuthChanged = true
@ -258,7 +259,7 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}

-	if team.Authorize < models.AccessModeOwner {
+	if team.Authorize < perm.AccessModeOwner {
 		if len(form.Units) > 0 {
 			var units = make([]*models.TeamUnit, 0, len(form.Units))
 			unitTypes := unit_model.FindUnitTypes(form.Units...)
@ -561,7 +562,7 @@ func AddTeamRepository(ctx *context.APIContext) {
 	if access, err := models.AccessLevel(ctx.User, repo); err != nil {
 		ctx.Error(http.StatusInternalServerError, "AccessLevel", err)
 		return
-	} else if access < models.AccessModeAdmin {
+	} else if access < perm.AccessModeAdmin {
 		ctx.Error(http.StatusForbidden, "", "Must have admin-level access to the repository")
 		return
 	}
@ -611,7 +612,7 @@ func RemoveTeamRepository(ctx *context.APIContext) {
 	if access, err := models.AccessLevel(ctx.User, repo); err != nil {
 		ctx.Error(http.StatusInternalServerError, "AccessLevel", err)
 		return
-	} else if access < models.AccessModeAdmin {
+	} else if access < perm.AccessModeAdmin {
 		ctx.Error(http.StatusForbidden, "", "Must have admin-level access to the repository")
 		return
 	}
--- a/routers/api/v1/repo/collaborators.go
+++ b/routers/api/v1/repo/collaborators.go
@ -9,7 +9,7 @@ import (
 	"errors"
 	"net/http"

-	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -177,7 +177,7 @@ func AddCollaborator(ctx *context.APIContext) {
 	}

 	if form.Permission != nil {
-		if err := ctx.Repo.Repository.ChangeCollaborationAccessMode(collaborator.ID, models.ParseAccessMode(*form.Permission)); err != nil {
+		if err := ctx.Repo.Repository.ChangeCollaborationAccessMode(collaborator.ID, perm.ParseAccessMode(*form.Permission)); err != nil {
 			ctx.Error(http.StatusInternalServerError, "ChangeCollaborationAccessMode", err)
 			return
 		}
--- a/routers/api/v1/repo/fork.go
+++ b/routers/api/v1/repo/fork.go
@ -10,6 +10,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -135,5 +136,5 @@ func CreateFork(ctx *context.APIContext) {
 	}

 	//TODO change back to 201
-	ctx.JSON(http.StatusAccepted, convert.ToRepo(fork, models.AccessModeOwner))
+	ctx.JSON(http.StatusAccepted, convert.ToRepo(fork, perm.AccessModeOwner))
 }
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@ -8,7 +8,7 @@ package repo
 import (
 	"net/http"

-	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -162,9 +162,9 @@ func TestHook(ctx *context.APIContext) {
 		After:      ctx.Repo.Commit.ID.String(),
 		Commits:    []*api.PayloadCommit{commit},
 		HeadCommit: commit,
-		Repo:       convert.ToRepo(ctx.Repo.Repository, models.AccessModeNone),
-		Pusher:     convert.ToUserWithAccessMode(ctx.User, models.AccessModeNone),
-		Sender:     convert.ToUserWithAccessMode(ctx.User, models.AccessModeNone),
+		Repo:       convert.ToRepo(ctx.Repo.Repository, perm.AccessModeNone),
+		Pusher:     convert.ToUserWithAccessMode(ctx.User, perm.AccessModeNone),
+		Sender:     convert.ToUserWithAccessMode(ctx.User, perm.AccessModeNone),
 	}); err != nil {
 		ctx.Error(http.StatusInternalServerError, "PrepareWebhook: ", err)
 		return
--- a/routers/api/v1/repo/key.go
+++ b/routers/api/v1/repo/key.go
@ -11,6 +11,7 @@ import (
 	"net/url"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
 	"code.gitea.io/gitea/modules/setting"
@ -21,7 +22,7 @@ import (

 // appendPrivateInformation appends the owner and key type information to api.PublicKey
 func appendPrivateInformation(apiKey *api.DeployKey, key *models.DeployKey, repository *models.Repository) (*api.DeployKey, error) {
-	apiKey.ReadOnly = key.Mode == models.AccessModeRead
+	apiKey.ReadOnly = key.Mode == perm.AccessModeRead
 	if repository.ID == key.RepoID {
 		apiKey.Repository = convert.ToRepo(repository, key.Mode)
 	} else {
--- a/routers/api/v1/repo/migrate.go
+++ b/routers/api/v1/repo/migrate.go
@ -13,6 +13,7 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -207,7 +208,7 @@ func Migrate(ctx *context.APIContext) {
 	}

 	log.Trace("Repository migrated: %s/%s", repoOwner.Name, form.RepoName)
-	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, models.AccessModeAdmin))
+	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, perm.AccessModeAdmin))
 }

 func handleMigrateError(ctx *context.APIContext, repoOwner *user_model.User, remoteAddr string, err error) {
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@ -8,6 +8,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -115,7 +116,7 @@ func ListReleases(ctx *context.APIContext) {

 	opts := models.FindReleasesOptions{
 		ListOptions:   listOptions,
-		IncludeDrafts: ctx.Repo.AccessMode >= models.AccessModeWrite || ctx.Repo.UnitAccessMode(unit.TypeReleases) >= models.AccessModeWrite,
+		IncludeDrafts: ctx.Repo.AccessMode >= perm.AccessModeWrite || ctx.Repo.UnitAccessMode(unit.TypeReleases) >= perm.AccessModeWrite,
 		IncludeTags:   false,
 		IsDraft:       ctx.FormOptionalBool("draft"),
 		IsPreRelease:  ctx.FormOptionalBool("pre-release"),
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@ -13,6 +13,7 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@ -276,7 +277,7 @@ func CreateUserRepo(ctx *context.APIContext, owner *user_model.User, opt api.Cre
 		ctx.Error(http.StatusInternalServerError, "GetRepositoryByID", err)
 	}

-	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, models.AccessModeOwner))
+	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, perm.AccessModeOwner))
 }

 // Create one repository of mine
@ -420,7 +421,7 @@ func Generate(ctx *context.APIContext) {
 	}
 	log.Trace("Repository generated [%d]: %s/%s", repo.ID, ctxUser.Name, repo.Name)

-	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, models.AccessModeOwner))
+	ctx.JSON(http.StatusCreated, convert.ToRepo(repo, perm.AccessModeOwner))
 }

 // CreateOrgRepoDeprecated create one repository of the organization
--- a/routers/api/v1/repo/transfer.go
+++ b/routers/api/v1/repo/transfer.go
@ -9,6 +9,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -113,10 +114,10 @@ func Transfer(ctx *context.APIContext) {

 	if ctx.Repo.Repository.Status == models.RepositoryPendingTransfer {
 		log.Trace("Repository transfer initiated: %s -> %s", ctx.Repo.Repository.FullName(), newOwner.Name)
-		ctx.JSON(http.StatusCreated, convert.ToRepo(ctx.Repo.Repository, models.AccessModeAdmin))
+		ctx.JSON(http.StatusCreated, convert.ToRepo(ctx.Repo.Repository, perm.AccessModeAdmin))
 		return
 	}

 	log.Trace("Repository transferred: %s -> %s", ctx.Repo.Repository.FullName(), newOwner.Name)
-	ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx.Repo.Repository, models.AccessModeAdmin))
+	ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx.Repo.Repository, perm.AccessModeAdmin))
 }
--- a/routers/api/v1/user/key.go
+++ b/routers/api/v1/user/key.go
@ -8,6 +8,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -37,7 +38,7 @@ func appendPrivateInformation(apiKey *api.PublicKey, key *models.PublicKey, defa
 	} else {
 		apiKey.KeyType = "unknown"
 	}
-	apiKey.ReadOnly = key.Mode == models.AccessModeRead
+	apiKey.ReadOnly = key.Mode == perm.AccessModeRead
 	return apiKey, nil
 }

--- a/routers/api/v1/user/repo.go
+++ b/routers/api/v1/user/repo.go
@ -8,6 +8,7 @@ import (
 	"net/http"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/convert"
@ -37,7 +38,7 @@ func listUserRepos(ctx *context.APIContext, u *user_model.User, private bool) {
 			ctx.Error(http.StatusInternalServerError, "AccessLevel", err)
 			return
 		}
-		if ctx.IsSigned && ctx.User.IsAdmin || access >= models.AccessModeRead {
+		if ctx.IsSigned && ctx.User.IsAdmin || access >= perm.AccessModeRead {
 			apiRepos = append(apiRepos, convert.ToRepo(repos[i], access))
 		}
 	}
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@ -11,6 +11,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@ -79,7 +80,7 @@ func ServCommand(ctx *context.PrivateContext) {
 	keyID := ctx.ParamsInt64(":keyid")
 	ownerName := ctx.Params(":owner")
 	repoName := ctx.Params(":repo")
-	mode := models.AccessMode(ctx.FormInt("mode"))
+	mode := perm.AccessMode(ctx.FormInt("mode"))

 	// Set the basic parts of the results to return
 	results := private.ServCommandResults{
@ -90,7 +91,7 @@ func ServCommand(ctx *context.PrivateContext) {

 	// Now because we're not translating things properly let's just default some English strings here
 	modeString := "read"
-	if mode > models.AccessModeRead {
+	if mode > perm.AccessModeRead {
 		modeString = "write to"
 	}

@ -172,7 +173,7 @@ func ServCommand(ctx *context.PrivateContext) {
 		}

 		// We can shortcut at this point if the repo is a mirror
-		if mode > models.AccessModeRead && repo.IsMirror {
+		if mode > perm.AccessModeRead && repo.IsMirror {
 			ctx.JSON(http.StatusForbidden, private.ErrServCommand{
 				Results: results,
 				Err:     fmt.Sprintf("Mirror Repository %s/%s is read-only", results.OwnerName, results.RepoName),
@ -280,7 +281,7 @@ func ServCommand(ctx *context.PrivateContext) {
 	}

 	// Don't allow pushing if the repo is archived
-	if repoExist && mode > models.AccessModeRead && repo.IsArchived {
+	if repoExist && mode > perm.AccessModeRead && repo.IsArchived {
 		ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
 			Results: results,
 			Err:     fmt.Sprintf("Repo: %s/%s is archived.", results.OwnerName, results.RepoName),
@ -290,7 +291,7 @@ func ServCommand(ctx *context.PrivateContext) {

 	// Permissions checking:
 	if repoExist &&
-		(mode > models.AccessModeRead ||
+		(mode > perm.AccessModeRead ||
 			repo.IsPrivate ||
 			owner.Visibility.IsPrivate() ||
 			(user != nil && user.IsRestricted) || // user will be nil if the key is a deploykey
@ -306,7 +307,7 @@ func ServCommand(ctx *context.PrivateContext) {
 		} else {
 			// Because of the special ref "refs/for" we will need to delay write permission check
 			if git.SupportProcReceive && unitType == unit.TypeCode {
-				mode = models.AccessModeRead
+				mode = perm.AccessModeRead
 			}

 			perm, err := models.GetUserRepoPermission(repo, user)
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@ -12,6 +12,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@ -235,12 +236,12 @@ func NewTeamPost(ctx *context.Context) {
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               models.ParseAccessMode(form.Permission),
+		Authorize:               perm.ParseAccessMode(form.Permission),
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}

-	if t.Authorize < models.AccessModeOwner {
+	if t.Authorize < perm.AccessModeOwner {
 		var units = make([]*models.TeamUnit, 0, len(form.Units))
 		for _, tp := range form.Units {
 			units = append(units, &models.TeamUnit{
@ -258,7 +259,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}

-	if t.Authorize < models.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@ -325,7 +326,7 @@ func EditTeamPost(ctx *context.Context) {
 	var includesAllRepositories = form.RepoAccess == "all"
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
-		auth := models.ParseAccessMode(form.Permission)
+		auth := perm.ParseAccessMode(form.Permission)

 		t.Name = form.TeamName
 		if t.Authorize != auth {
@ -339,7 +340,7 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < models.AccessModeOwner {
+	if t.Authorize < perm.AccessModeOwner {
 		var units = make([]models.TeamUnit, 0, len(form.Units))
 		for _, tp := range form.Units {
 			units = append(units, models.TeamUnit{
@ -361,7 +362,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}

-	if t.Authorize < models.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@ -22,6 +22,7 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/login"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@ -93,11 +94,11 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 		isPull = ctx.Req.Method == "GET"
 	}

-	var accessMode models.AccessMode
+	var accessMode perm.AccessMode
 	if isPull {
-		accessMode = models.AccessModeRead
+		accessMode = perm.AccessModeRead
 	} else {
-		accessMode = models.AccessModeWrite
+		accessMode = perm.AccessModeWrite
 	}

 	isWiki := false
@ -194,7 +195,7 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 		}

 		if repoExist {
-			perm, err := models.GetUserRepoPermission(repo, ctx.User)
+			p, err := models.GetUserRepoPermission(repo, ctx.User)
 			if err != nil {
 				ctx.ServerError("GetUserRepoPermission", err)
 				return
@ -202,10 +203,10 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {

 			// Because of special ref "refs/for" .. , need delay write permission check
 			if git.SupportProcReceive {
-				accessMode = models.AccessModeRead
+				accessMode = perm.AccessModeRead
 			}

-			if !perm.CanAccess(accessMode, unitType) {
+			if !p.CanAccess(accessMode, unitType) {
 				ctx.HandleText(http.StatusForbidden, "User permission denied")
 				return
 			}
--- a/routers/web/repo/projects.go
+++ b/routers/web/repo/projects.go
@ -11,6 +11,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
@ -373,7 +374,7 @@ func DeleteProjectBoard(ctx *context.Context) {
 		return
 	}

-	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(models.AccessModeWrite, unit.TypeProjects) {
+	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(perm.AccessModeWrite, unit.TypeProjects) {
 		ctx.JSON(http.StatusForbidden, map[string]string{
 			"message": "Only authorized users are allowed to perform this action.",
 		})
@ -422,7 +423,7 @@ func DeleteProjectBoard(ctx *context.Context) {
 // AddBoardToProjectPost allows a new board to be added to a project.
 func AddBoardToProjectPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.EditProjectBoardForm)
-	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(models.AccessModeWrite, unit.TypeProjects) {
+	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(perm.AccessModeWrite, unit.TypeProjects) {
 		ctx.JSON(http.StatusForbidden, map[string]string{
 			"message": "Only authorized users are allowed to perform this action.",
 		})
@ -462,7 +463,7 @@ func checkProjectBoardChangePermissions(ctx *context.Context) (*models.Project,
 		return nil, nil
 	}

-	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(models.AccessModeWrite, unit.TypeProjects) {
+	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(perm.AccessModeWrite, unit.TypeProjects) {
 		ctx.JSON(http.StatusForbidden, map[string]string{
 			"message": "Only authorized users are allowed to perform this action.",
 		})
@ -556,7 +557,7 @@ func MoveIssueAcrossBoards(ctx *context.Context) {
 		return
 	}

-	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(models.AccessModeWrite, unit.TypeProjects) {
+	if !ctx.Repo.IsOwner() && !ctx.Repo.IsAdmin() && !ctx.Repo.CanAccess(perm.AccessModeWrite, unit.TypeProjects) {
 		ctx.JSON(http.StatusForbidden, map[string]string{
 			"message": "Only authorized users are allowed to perform this action.",
 		})
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@ -16,6 +16,7 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@ -846,7 +847,7 @@ func CollaborationPost(ctx *context.Context) {
 func ChangeCollaborationAccessMode(ctx *context.Context) {
 	if err := ctx.Repo.Repository.ChangeCollaborationAccessMode(
 		ctx.FormInt64("uid"),
-		models.AccessMode(ctx.FormInt("mode"))); err != nil {
+		perm.AccessMode(ctx.FormInt("mode"))); err != nil {
 		log.Error("ChangeCollaborationAccessMode: %v", err)
 	}
 }
--- a/routers/web/repo/setting_protected_branch.go
+++ b/routers/web/repo/setting_protected_branch.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/git"
@ -156,7 +157,7 @@ func SettingsProtectedBranch(c *context.Context) {
 	}

 	if c.Repo.Owner.IsOrganization() {
-		teams, err := models.OrgFromUser(c.Repo.Owner).TeamsWithAccessToRepo(c.Repo.Repository.ID, models.AccessModeRead)
+		teams, err := models.OrgFromUser(c.Repo.Owner).TeamsWithAccessToRepo(c.Repo.Repository.ID, perm.AccessModeRead)
 		if err != nil {
 			c.ServerError("Repo.Owner.TeamsWithAccessToRepo", err)
 			return
--- a/routers/web/repo/settings_test.go
+++ b/routers/web/repo/settings_test.go
@ -10,6 +10,7 @@ import (
 	"testing"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@ -62,7 +63,7 @@ func TestAddReadOnlyDeployKey(t *testing.T) {
 	unittest.AssertExistsAndLoadBean(t, &models.DeployKey{
 		Name:    addKeyForm.Title,
 		Content: addKeyForm.Content,
-		Mode:    models.AccessModeRead,
+		Mode:    perm.AccessModeRead,
 	})
 }

@ -92,7 +93,7 @@ func TestAddReadWriteOnlyDeployKey(t *testing.T) {
 	unittest.AssertExistsAndLoadBean(t, &models.DeployKey{
 		Name:    addKeyForm.Title,
 		Content: addKeyForm.Content,
-		Mode:    models.AccessModeWrite,
+		Mode:    perm.AccessModeWrite,
 	})
 }

--- a/routers/web/repo/tag.go
+++ b/routers/web/repo/tag.go
@ -10,6 +10,7 @@ import (
 	"strings"

 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/setting"
@ -149,7 +150,7 @@ func setTagsContext(ctx *context.Context) error {
 	ctx.Data["Users"] = users

 	if ctx.Repo.Owner.IsOrganization() {
-		teams, err := models.OrgFromUser(ctx.Repo.Owner).TeamsWithAccessToRepo(ctx.Repo.Repository.ID, models.AccessModeRead)
+		teams, err := models.OrgFromUser(ctx.Repo.Owner).TeamsWithAccessToRepo(ctx.Repo.Repository.ID, perm.AccessModeRead)
 		if err != nil {
 			ctx.ServerError("Repo.Owner.TeamsWithAccessToRepo", err)
 			return err
--- a/routers/web/repo/webhook.go
+++ b/routers/web/repo/webhook.go
@ -13,8 +13,8 @@ import (
 	"path"
 	"strings"

-	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/perm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/models/webhook"
 	"code.gitea.io/gitea/modules/base"
@ -1159,7 +1159,7 @@ func TestWebhook(ctx *context.Context) {
 		}
 	}

-	apiUser := convert.ToUserWithAccessMode(ctx.User, models.AccessModeNone)
+	apiUser := convert.ToUserWithAccessMode(ctx.User, perm.AccessModeNone)

 	apiCommit := &api.PayloadCommit{
 		ID:      commit.ID.String(),
@ -1181,7 +1181,7 @@ func TestWebhook(ctx *context.Context) {
 		After:      commit.ID.String(),
 		Commits:    []*api.PayloadCommit{apiCommit},
 		HeadCommit: apiCommit,
-		Repo:       convert.ToRepo(ctx.Repo.Repository, models.AccessModeNone),
+		Repo:       convert.ToRepo(ctx.Repo.Repository, perm.AccessModeNone),
 		Pusher:     apiUser,
 		Sender:     apiUser,
 	}