Improve permission check of packages (#23879)

At first, we have one unified team unit permission which is called `Team.Authorize` in DB. But since https://github.com/go-gitea/gitea/pull/17811, we allowed different units to have different permission. The old code is only designed for the old version. So after #17811, if org users have write permission of other units, but have no permission of packages, they can also get write permission of packages. Co-authored-by: delvh <dev.lh@web.de>
2023-04-06 23:18:29 +09:00 · 2023-04-06 23:18:29 +09:00 · bbf83f5d4b
commit bbf83f5d4b
parent 5cb394ff2f
8 changed files with 63 additions and 26 deletions
--- a/modules/context/package.go
+++ b/modules/context/package.go
@ -92,33 +92,25 @@ func determineAccessMode(ctx *Context) (perm.AccessMode, error) {
 		return perm.AccessModeNone, nil
 	}

+	// TODO: ActionUser permission check
 	accessMode := perm.AccessModeNone
 	if ctx.Package.Owner.IsOrganization() {
 		org := organization.OrgFromUser(ctx.Package.Owner)

-		// 1. Get user max authorize level for the org (may be none, if user is not member of the org)
-		if ctx.Doer != nil {
-			var err error
-			accessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
+		if ctx.Doer != nil && !ctx.Doer.IsGhost() {
+			// 1. If user is logged in, check all team packages permissions
+			teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
 			if err != nil {
 				return accessMode, err
 			}
-			// If access mode is less than write check every team for more permissions
-			if accessMode < perm.AccessModeWrite {
-				teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID)
-				if err != nil {
-					return accessMode, err
-				}
-				for _, t := range teams {
-					perm := t.UnitAccessMode(ctx, unit.TypePackages)
-					if accessMode < perm {
-						accessMode = perm
-					}
+			for _, t := range teams {
+				perm := t.UnitAccessMode(ctx, unit.TypePackages)
+				if accessMode < perm {
+					accessMode = perm
 				}
 			}
-		}
-		// 2. If authorize level is none, check if org is visible to user
-		if accessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+		} else if organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+			// 2. If user is non-login, check if org is visible to non-login user
 			accessMode = perm.AccessModeRead
 		}
 	} else {