Fix SSH auth lfs locks (#3152)

* Fix SSH auth LFS locks * Activate SSH/lock test * Remove debug * Follow @lunny recommendation for AfterLoad method
2018-01-27 17:48:15 +01:00 · 2018-01-27 17:48:15 +01:00 · 9e842c8a72
commit 9e842c8a72
parent 97fe773491
7 changed files with 162 additions and 143 deletions
--- a/models/error.go
+++ b/models/error.go
@ -530,21 +530,24 @@ func (err ErrLFSLockNotExist) Error() string {
 	return fmt.Sprintf("lfs lock does not exist [id: %d, rid: %d, path: %s]", err.ID, err.RepoID, err.Path)
 }

-// ErrLFSLockUnauthorizedAction represents a "LFSLockUnauthorizedAction" kind of error.
-type ErrLFSLockUnauthorizedAction struct {
+// ErrLFSUnauthorizedAction represents a "LFSUnauthorizedAction" kind of error.
+type ErrLFSUnauthorizedAction struct {
 	RepoID   int64
 	UserName string
-	Action   string
+	Mode     AccessMode
 }

-// IsErrLFSLockUnauthorizedAction checks if an error is a ErrLFSLockUnauthorizedAction.
-func IsErrLFSLockUnauthorizedAction(err error) bool {
-	_, ok := err.(ErrLFSLockUnauthorizedAction)
+// IsErrLFSUnauthorizedAction checks if an error is a ErrLFSUnauthorizedAction.
+func IsErrLFSUnauthorizedAction(err error) bool {
+	_, ok := err.(ErrLFSUnauthorizedAction)
 	return ok
 }

-func (err ErrLFSLockUnauthorizedAction) Error() string {
-	return fmt.Sprintf("User %s doesn't have rigth to %s for lfs lock [rid: %d]", err.UserName, err.Action, err.RepoID)
+func (err ErrLFSUnauthorizedAction) Error() string {
+	if err.Mode == AccessModeWrite {
+		return fmt.Sprintf("User %s doesn't have write access for lfs lock [rid: %d]", err.UserName, err.RepoID)
+	}
+	return fmt.Sprintf("User %s doesn't have read access for lfs lock [rid: %d]", err.UserName, err.RepoID)
 }

 // ErrLFSLockAlreadyExist represents a "LFSLockAlreadyExist" kind of error.
--- a/models/lfs_lock.go
+++ b/models/lfs_lock.go
@ -11,28 +11,40 @@ import (
 	"strings"
 	"time"

+	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/sdk/gitea"
+	"github.com/go-xorm/xorm"
 )

 // LFSLock represents a git lfs lock of repository.
 type LFSLock struct {
-	ID      int64     `xorm:"pk autoincr"`
-	RepoID  int64     `xorm:"INDEX NOT NULL"`
-	Owner   *User     `xorm:"-"`
-	OwnerID int64     `xorm:"INDEX NOT NULL"`
-	Path    string    `xorm:"TEXT"`
-	Created time.Time `xorm:"created"`
+	ID      int64       `xorm:"pk autoincr"`
+	Repo    *Repository `xorm:"-"`
+	RepoID  int64       `xorm:"INDEX NOT NULL"`
+	Owner   *User       `xorm:"-"`
+	OwnerID int64       `xorm:"INDEX NOT NULL"`
+	Path    string      `xorm:"TEXT"`
+	Created time.Time   `xorm:"created"`
 }

 // BeforeInsert is invoked from XORM before inserting an object of this type.
 func (l *LFSLock) BeforeInsert() {
 	l.OwnerID = l.Owner.ID
+	l.RepoID = l.Repo.ID
 	l.Path = cleanPath(l.Path)
 }

 // AfterLoad is invoked from XORM after setting the values of all fields of this object.
-func (l *LFSLock) AfterLoad() {
-	l.Owner, _ = GetUserByID(l.OwnerID)
+func (l *LFSLock) AfterLoad(session *xorm.Session) {
+	var err error
+	l.Owner, err = getUserByID(session, l.OwnerID)
+	if err != nil {
+		log.Error(2, "LFS lock AfterLoad failed OwnerId[%d] not found: %v", l.OwnerID, err)
+	}
+	l.Repo, err = getRepositoryByID(session, l.RepoID)
+	if err != nil {
+		log.Error(2, "LFS lock AfterLoad failed RepoId[%d] not found: %v", l.RepoID, err)
+	}
 }

 func cleanPath(p string) string {
@ -53,12 +65,12 @@ func (l *LFSLock) APIFormat() *api.LFSLock {

 // CreateLFSLock creates a new lock.
 func CreateLFSLock(lock *LFSLock) (*LFSLock, error) {
-	err := CheckLFSAccessForRepo(lock.Owner, lock.RepoID, "create")
+	err := CheckLFSAccessForRepo(lock.Owner, lock.Repo, AccessModeWrite)
 	if err != nil {
 		return nil, err
 	}

-	l, err := GetLFSLock(lock.RepoID, lock.Path)
+	l, err := GetLFSLock(lock.Repo, lock.Path)
 	if err == nil {
 		return l, ErrLFSLockAlreadyExist{lock.RepoID, lock.Path}
 	}
@ -71,15 +83,15 @@ func CreateLFSLock(lock *LFSLock) (*LFSLock, error) {
 }

 // GetLFSLock returns release by given path.
-func GetLFSLock(repoID int64, path string) (*LFSLock, error) {
+func GetLFSLock(repo *Repository, path string) (*LFSLock, error) {
 	path = cleanPath(path)
-	rel := &LFSLock{RepoID: repoID}
+	rel := &LFSLock{RepoID: repo.ID}
 	has, err := x.Where("lower(path) = ?", strings.ToLower(path)).Get(rel)
 	if err != nil {
 		return nil, err
 	}
 	if !has {
-		return nil, ErrLFSLockNotExist{0, repoID, path}
+		return nil, ErrLFSLockNotExist{0, repo.ID, path}
 	}
 	return rel, nil
 }
@ -109,7 +121,7 @@ func DeleteLFSLockByID(id int64, u *User, force bool) (*LFSLock, error) {
 		return nil, err
 	}

-	err = CheckLFSAccessForRepo(u, lock.RepoID, "delete")
+	err = CheckLFSAccessForRepo(u, lock.Repo, AccessModeWrite)
 	if err != nil {
 		return nil, err
 	}
@ -123,24 +135,15 @@ func DeleteLFSLockByID(id int64, u *User, force bool) (*LFSLock, error) {
 }

 //CheckLFSAccessForRepo check needed access mode base on action
-func CheckLFSAccessForRepo(u *User, repoID int64, action string) error {
+func CheckLFSAccessForRepo(u *User, repo *Repository, mode AccessMode) error {
 	if u == nil {
-		return ErrLFSLockUnauthorizedAction{repoID, "undefined", action}
-	}
-	mode := AccessModeRead
-	if action == "create" || action == "delete" || action == "verify" {
-		mode = AccessModeWrite
-	}
-
-	repo, err := GetRepositoryByID(repoID)
-	if err != nil {
-		return err
+		return ErrLFSUnauthorizedAction{repo.ID, "undefined", mode}
 	}
 	has, err := HasAccess(u.ID, repo, mode)
 	if err != nil {
 		return err
 	} else if !has {
-		return ErrLFSLockUnauthorizedAction{repo.ID, u.DisplayName(), action}
+		return ErrLFSUnauthorizedAction{repo.ID, u.DisplayName(), mode}
 	}
 	return nil
 }