finn/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Team permission allow different unit has different permission (#17811)

Browse source 
* Team permission allow different unit has different permission

* Finish the interface and the logic

* Fix lint

* Fix translation

* align center for table cell content

* Fix fixture

* merge

* Fix test

* Add deprecated

* Improve code

* Add tooltip

* Fix swagger

* Fix newline

* Fix tests

* Fix tests

* Fix test

* Fix test

* Max permission of external wiki and issues should be read

* Move team units with limited max level below units table

* Update label and column names

* Some improvements

* Fix lint

* Some improvements

* Fix template variables

* Add permission docs

* improve doc

* Fix fixture

* Fix bug

* Fix some bug

* fix

* gofumpt

* Integration test for migration (#18124)

integrations: basic test for Gitea {dump,restore}-repo
This is a first step for integration testing of DumpRepository and
RestoreRepository. It:

runs a Gitea server,
dumps a repo via DumpRepository to the filesystem,
restores the repo via RestoreRepository from the filesystem,
dumps the restored repository to the filesystem,
compares the first and second dump and expects them to be identical

The verification is trivial and the goal is to add more tests for each
topic of the dump.

Signed-off-by: Loïc Dachary <loic@dachary.org>

* Team permission allow different unit has different permission

* Finish the interface and the logic

* Fix lint

* Fix translation

* align center for table cell content

* Fix fixture

* merge

* Fix test

* Add deprecated

* Improve code

* Add tooltip

* Fix swagger

* Fix newline

* Fix tests

* Fix tests

* Fix test

* Fix test

* Max permission of external wiki and issues should be read

* Move team units with limited max level below units table

* Update label and column names

* Some improvements

* Fix lint

* Some improvements

* Fix template variables

* Add permission docs

* improve doc

* Fix fixture

* Fix bug

* Fix some bug

* Fix bug

Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Aravinth Manivannan <realaravinth@batsense.net>
This commit is contained in:
Lunny Xiao 2022-01-05 11:37:00 +08:00 committed by GitHub
parent 12ad6dd0e3
commit 8760af752a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 610 additions and 170 deletions
Download patch file Download diff file Expand all files Collapse all files

8
models/access.go
View file

@ -162,7 +162,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
// Owner team gets owner access, and skip for teams that do not
// have relations with repository.
if t.IsOwnerTeam() {
t.Authorize = perm.AccessModeOwner
t.AccessMode = perm.AccessModeOwner
} else if !t.hasRepository(e, repo.ID) {
continue
}
@ -171,7 +171,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
return fmt.Errorf("getMembers '%d': %v", t.ID, err)
}
for _, m := range t.Members {
updateUserAccess(accessMap, m, t.Authorize)
updateUserAccess(accessMap, m, t.AccessMode)
}
}
@ -210,10 +210,10 @@ func recalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid
for _, t := range teams {
if t.IsOwnerTeam() {
t.Authorize = perm.AccessModeOwner
t.AccessMode = perm.AccessModeOwner
}
accessMode = maxAccessMode(accessMode, t.Authorize)
accessMode = maxAccessMode(accessMode, t.AccessMode)
}
}

47
models/fixtures/team_unit.yml
View file

@ -2,223 +2,268 @@
id: 1
team_id: 1
type: 1
access_mode: 4
-
id: 2
team_id: 1
type: 2
access_mode: 4
-
id: 3
team_id: 1
type: 3
access_mode: 4
-
id: 4
team_id: 1
type: 4
access_mode: 4
-
id: 5
team_id: 1
type: 5
access_mode: 4
-
id: 6
team_id: 1
type: 6
access_mode: 4
-
id: 7
team_id: 1
type: 7
access_mode: 4
-
id: 8
team_id: 2
type: 1
access_mode: 2
-
id: 9
team_id: 2
type: 2
access_mode: 2
-
id: 10
team_id: 2
type: 3
access_mode: 2
-
id: 11
team_id: 2
type: 4
access_mode: 2
-
id: 12
team_id: 2
type: 5
access_mode: 2
-
id: 13
team_id: 2
type: 6
access_mode: 2
-
id: 14
team_id: 2
type: 7
access_mode: 2
-
id: 15
team_id: 3
type: 1
access_mode: 4
-
id: 16
team_id: 3
type: 2
access_mode: 4
-
id: 17
team_id: 3
type: 3
access_mode: 4
-
id: 18
team_id: 3
type: 4
access_mode: 4
-
id: 19
team_id: 3
type: 5
access_mode: 4
-
id: 20
team_id: 3
type: 6
access_mode: 4
-
id: 21
team_id: 3
type: 7
access_mode: 4
-
id: 22
team_id: 4
type: 1
access_mode: 4
-
id: 23
team_id: 4
type: 2
access_mode: 4
-
id: 24
team_id: 4
type: 3
access_mode: 4
-
id: 25
team_id: 4
type: 4
access_mode: 4
-
id: 26
team_id: 4
type: 5
access_mode: 4
-
id: 27
team_id: 4
type: 6
access_mode: 4
-
id: 28
team_id: 4
type: 7
access_mode: 4
-
id: 29
team_id: 5
type: 1
access_mode: 4
-
id: 30
team_id: 5
type: 2
access_mode: 4
-
id: 31
team_id: 5
type: 3
access_mode: 4
-
id: 32
team_id: 5
type: 4
access_mode: 4
-
id: 33
team_id: 5
type: 5
access_mode: 4
-
id: 34
team_id: 5
type: 6
access_mode: 4
-
id: 35
team_id: 5
type: 7
access_mode: 4
-
id: 36
team_id: 6
type: 1
access_mode: 4
-
id: 37
team_id: 6
type: 2
access_mode: 4
-
id: 38
team_id: 6
type: 3
access_mode: 4
-
id: 39
team_id: 6
type: 4
access_mode: 4
-
id: 40
team_id: 6
type: 5
access_mode: 4
-
id: 41
team_id: 6
type: 6
access_mode: 4
-
id: 42
team_id: 6
type: 7
access_mode: 4
-
id: 43
team_id: 7
type: 2 # issues
access_mode: 2
-
id: 44
team_id: 8
type: 2 # issues
access_mode: 2
-
id: 45
team_id: 9
type: 1 # code
type: 1 # code
access_mode: 1

6
models/issue.go
View file

@ -1350,8 +1350,8 @@ func (opts *IssuesOptions) setupSession(sess *xorm.Session) {
// issuePullAccessibleRepoCond userID must not be zero, this condition require join repository table
func issuePullAccessibleRepoCond(repoIDstr string, userID int64, org *Organization, team *Team, isPull bool) builder.Cond {
var cond = builder.NewCond()
var unitType = unit.TypeIssues
cond := builder.NewCond()
unitType := unit.TypeIssues
if isPull {
unitType = unit.TypePullRequests
}
@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_
unittype = unit.TypePullRequests
}
for _, team := range teams {
if team.Authorize >= perm.AccessModeOwner {
if team.AccessMode >= perm.AccessModeAdmin {
checked = append(checked, team.ID)
resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true
continue

3
models/migrations/migrations.go
View file

@ -60,7 +60,6 @@ type Version struct {
// If you want to "retire" a migration, remove it from the top of the list and
// update minDBVersion accordingly
var migrations = []Migration{
// Gitea 1.5.0 ends at v69
// v70 -> v71
@ -365,6 +364,8 @@ var migrations = []Migration{
NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified),
// v205 -> v206
NewMigration("Migrate to higher varchar on user struct", migrateUserPasswordSalt),
// v206 -> v207
NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
}
// GetCurrentDBVersion returns the current db version

29
models/migrations/v206.go Normal file
View file

@ -0,0 +1,29 @@
// Copyright 2022 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package migrations
import (
"fmt"
"xorm.io/xorm"
)
func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
type TeamUnit struct {
ID int64 `xorm:"pk autoincr"`
OrgID int64 `xorm:"INDEX"`
TeamID int64 `xorm:"UNIQUE(s)"`
Type int `xorm:"UNIQUE(s)"`
AccessMode int
}
if err := x.Sync2(new(TeamUnit)); err != nil {
return fmt.Errorf("sync2: %v", err)
}
// migrate old permission
_, err := x.Exec("UPDATE team_unit SET access_mode = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
return err
}

6
models/org.go
View file

@ -265,7 +265,7 @@ func CreateOrganization(org *Organization, owner *user_model.User) (err error) {
OrgID: org.ID,
LowerName: strings.ToLower(ownerTeamName),
Name: ownerTeamName,
Authorize: perm.AccessModeOwner,
AccessMode: perm.AccessModeOwner,
NumMembers: 1,
IncludesAllRepositories: true,
CanCreateOrgRepo: true,
@ -523,7 +523,7 @@ type FindOrgOptions struct {
}
func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder {
var cond = builder.Eq{"uid": userID}
cond := builder.Eq{"uid": userID}
if !includePrivate {
cond["is_public"] = true
}
@ -531,7 +531,7 @@ func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder {
}
func (opts FindOrgOptions) toConds() builder.Cond {
var cond = builder.NewCond()
cond := builder.NewCond()
if opts.UserID > 0 {
cond = cond.And(builder.In("`user`.`id`", queryUserOrgIDs(opts.UserID, opts.IncludePrivate)))
}

48
models/org_team.go
View file

@ -32,7 +32,7 @@ type Team struct {
LowerName string
Name string
Description string
Authorize perm.AccessMode
AccessMode perm.AccessMode `xorm:"'authorize'"`
Repos []*repo_model.Repository `xorm:"-"`
Members []*user_model.User `xorm:"-"`
NumRepos int
@ -126,7 +126,7 @@ func (t *Team) ColorFormat(s fmt.State) {
log.NewColoredIDValue(t.ID),
t.Name,
log.NewColoredIDValue(t.OrgID),
t.Authorize)
t.AccessMode)
}
// GetUnits return a list of available units for a team
@ -145,15 +145,29 @@ func (t *Team) getUnits(e db.Engine) (err error) {
// GetUnitNames returns the team units names
func (t *Team) GetUnitNames() (res []string) {
if t.AccessMode >= perm.AccessModeAdmin {
return unit.AllUnitKeyNames()
}
for _, u := range t.Units {
res = append(res, unit.Units[u.Type].NameKey)
}
return
}
// HasWriteAccess returns true if team has at least write level access mode.
func (t *Team) HasWriteAccess() bool {
return t.Authorize >= perm.AccessModeWrite
// GetUnitsMap returns the team units permissions
func (t *Team) GetUnitsMap() map[string]string {
m := make(map[string]string)
if t.AccessMode >= perm.AccessModeAdmin {
for _, u := range unit.Units {
m[u.NameKey] = t.AccessMode.String()
}
} else {
for _, u := range t.Units {
m[u.Unit().NameKey] = u.AccessMode.String()
}
}
return m
}
// IsOwnerTeam returns true if team is owner team.
@ -455,16 +469,25 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
}
func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
return t.unitAccessMode(e, tp) > perm.AccessModeNone
}
// UnitAccessMode returns if the team has the given unit type enabled
func (t *Team) UnitAccessMode(tp unit.Type) perm.AccessMode {
return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp)
}
func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode {
if err := t.getUnits(e); err != nil {
log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
}
for _, unit := range t.Units {
if unit.Type == tp {
return true
return unit.AccessMode
}
}
return false
return perm.AccessModeNone
}
// IsUsableTeamName tests if a name could be as team name
@ -661,7 +684,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) {
Delete(new(TeamUnit)); err != nil {
return err
}
if _, err = sess.Cols("org_id", "team_id", "type").Insert(&t.Units); err != nil {
if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil {
return err
}
}
@ -1033,10 +1056,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
// TeamUnit describes all units of a repository
type TeamUnit struct {
ID int64 `xorm:"pk autoincr"`
OrgID int64 `xorm:"INDEX"`
TeamID int64 `xorm:"UNIQUE(s)"`
Type unit.Type `xorm:"UNIQUE(s)"`
ID int64 `xorm:"pk autoincr"`
OrgID int64 `xorm:"INDEX"`
TeamID int64 `xorm:"UNIQUE(s)"`
Type unit.Type `xorm:"UNIQUE(s)"`
AccessMode perm.AccessMode
}
// Unit returns Unit

2
models/org_team_test.go
View file

@ -211,7 +211,7 @@ func TestUpdateTeam(t *testing.T) {
team.LowerName = "newname"
team.Name = "newName"
team.Description = strings.Repeat("A long description!", 100)
team.Authorize = perm.AccessModeAdmin
team.AccessMode = perm.AccessModeAdmin
assert.NoError(t, UpdateTeam(team, true, false))
team = unittest.AssertExistsAndLoadBean(t, &Team{Name: "newName"}).(*Team)

4
models/perm/access_mode.go
View file

@ -51,11 +51,13 @@ func (mode AccessMode) ColorFormat(s fmt.State) {
// ParseAccessMode returns corresponding access mode to given permission string.
func ParseAccessMode(permission string) AccessMode {
switch permission {
case "read":
return AccessModeRead
case "write":
return AccessModeWrite
case "admin":
return AccessModeAdmin
default:
return AccessModeRead
return AccessModeNone
}
}

11
models/repo_permission.go
View file

@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
// if user in an owner team
for _, team := range teams {
if team.Authorize >= perm_model.AccessModeOwner {
if team.AccessMode >= perm_model.AccessModeAdmin {
perm.AccessMode = perm_model.AccessModeOwner
perm.UnitsMode = nil
return
@ -249,10 +249,11 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
for _, u := range repo.Units {
var found bool
for _, team := range teams {
if team.unitEnabled(e, u.Type) {
teamMode := team.unitAccessMode(e, u.Type)
if teamMode > perm_model.AccessModeNone {
m := perm.UnitsMode[u.Type]
if m < team.Authorize {
perm.UnitsMode[u.Type] = team.Authorize
if m < teamMode {
perm.UnitsMode[u.Type] = teamMode
}
found = true
}
@ -324,7 +325,7 @@ func isUserRepoAdmin(e db.Engine, repo *repo_model.Repository, user *user_model.
}
for _, team := range teams {
if team.Authorize >= perm_model.AccessModeAdmin {
if team.AccessMode >= perm_model.AccessModeAdmin {
return true, nil
}
}

2
models/review.go
View file

@ -280,7 +280,7 @@ func isOfficialReviewerTeam(ctx context.Context, issue *Issue, team *Team) (bool
}
if !pr.ProtectedBranch.EnableApprovalsWhitelist {
return team.Authorize >= perm.AccessModeWrite, nil
return team.UnitAccessMode(unit.TypeCode) >= perm.AccessModeWrite, nil
}
return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil

75
models/unit/unit.go
View file

@ -8,6 +8,7 @@ import (
"fmt"
"strings"
"code.gitea.io/gitea/models/perm"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
)
@ -17,14 +18,15 @@ type Type int
// Enumerate all the unit types
const (
TypeCode Type = iota + 1 // 1 code
TypeIssues // 2 issues
TypePullRequests // 3 PRs
TypeReleases // 4 Releases
TypeWiki // 5 Wiki
TypeExternalWiki // 6 ExternalWiki
TypeExternalTracker // 7 ExternalTracker
TypeProjects // 8 Kanban board
TypeInvalid Type = iota // 0 invalid
TypeCode // 1 code
TypeIssues // 2 issues
TypePullRequests // 3 PRs
TypeReleases // 4 Releases
TypeWiki // 5 Wiki
TypeExternalWiki // 6 ExternalWiki
TypeExternalTracker // 7 ExternalTracker
TypeProjects // 8 Kanban board
)
// Value returns integer value for unit type
@ -170,11 +172,12 @@ func (u *Type) CanBeDefault() bool {
// Unit is a section of one repository
type Unit struct {
Type Type
NameKey string
URI string
DescKey string
Idx int
Type Type
NameKey string
URI string
DescKey string
Idx int
MaxAccessMode perm.AccessMode // The max access mode of the unit. i.e. Read means this unit can only be read.
}
// CanDisable returns if this unit could be disabled.
@ -198,6 +201,7 @@ var (
"/",
"repo.code.desc",
0,
perm.AccessModeOwner,
}
UnitIssues = Unit{
@ -206,6 +210,7 @@ var (
"/issues",
"repo.issues.desc",
1,
perm.AccessModeOwner,
}
UnitExternalTracker = Unit{
@ -214,6 +219,7 @@ var (
"/issues",
"repo.ext_issues.desc",
1,
perm.AccessModeRead,
}
UnitPullRequests = Unit{
@ -222,6 +228,7 @@ var (
"/pulls",
"repo.pulls.desc",
2,
perm.AccessModeOwner,
}
UnitReleases = Unit{
@ -230,6 +237,7 @@ var (
"/releases",
"repo.releases.desc",
3,
perm.AccessModeOwner,
}
UnitWiki = Unit{
@ -238,6 +246,7 @@ var (
"/wiki",
"repo.wiki.desc",
4,
perm.AccessModeOwner,
}
UnitExternalWiki = Unit{
@ -246,6 +255,7 @@ var (
"/wiki",
"repo.ext_wiki.desc",
4,
perm.AccessModeRead,
}
UnitProjects = Unit{
@ -254,6 +264,7 @@ var (
"/projects",
"repo.projects.desc",
5,
perm.AccessModeOwner,
}
// Units contains all the units
@ -269,15 +280,51 @@ var (
}
)
// FindUnitTypes give the unit key name and return unit
// FindUnitTypes give the unit key names and return unit
func FindUnitTypes(nameKeys ...string) (res []Type) {
for _, key := range nameKeys {
var found bool
for t, u := range Units {
if strings.EqualFold(key, u.NameKey) {
res = append(res, t)
found = true
break
}
}
if !found {
res = append(res, TypeInvalid)
}
}
return
}
// TypeFromKey give the unit key name and return unit
func TypeFromKey(nameKey string) Type {
for t, u := range Units {
if strings.EqualFold(nameKey, u.NameKey) {
return t
}
}
return TypeInvalid
}
// AllUnitKeyNames returns all unit key names
func AllUnitKeyNames() []string {
res := make([]string, 0, len(Units))
for _, u := range Units {
res = append(res, u.NameKey)
}
return res
}
// MinUnitAccessMode returns the minial permission of the permission map
func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
res := perm.AccessModeNone
for _, mode := range unitsMap {
// get the minial permission great than AccessModeNone except all are AccessModeNone
if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
res = mode
}
}
return res
}