Restrict permission check on repositories and fix some problems (#5314)

* fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
2025-05-27 04:07:08 +00:00 · 2018-11-28 19:26:14 +08:00 · 2018-11-28 19:26:14 +08:00 · eabbddcd98
commit eabbddcd98
parent 0222623be9
80 changed files with 1360 additions and 774 deletions
--- a/routers/private/internal.go
+++ b/routers/private/internal.go
@ -38,27 +38,6 @@ func GetRepositoryByOwnerAndName(ctx *macaron.Context) {
 	ctx.JSON(200, repo)
 }

-//AccessLevel chainload to models.AccessLevel
-func AccessLevel(ctx *macaron.Context) {
-	repoID := ctx.ParamsInt64(":repoid")
-	userID := ctx.ParamsInt64(":userid")
-	repo, err := models.GetRepositoryByID(repoID)
-	if err != nil {
-		ctx.JSON(500, map[string]interface{}{
-			"err": err.Error(),
-		})
-		return
-	}
-	al, err := models.AccessLevel(userID, repo)
-	if err != nil {
-		ctx.JSON(500, map[string]interface{}{
-			"err": err.Error(),
-		})
-		return
-	}
-	ctx.JSON(200, al)
-}
-
 //CheckUnitUser chainload to models.CheckUnitUser
 func CheckUnitUser(ctx *macaron.Context) {
 	repoID := ctx.ParamsInt64(":repoid")
@ -70,11 +49,27 @@ func CheckUnitUser(ctx *macaron.Context) {
 		})
 		return
 	}
-	if repo.CheckUnitUser(userID, ctx.QueryBool("isAdmin"), models.UnitType(ctx.QueryInt("unitType"))) {
-		ctx.PlainText(200, []byte("success"))
+
+	var user *models.User
+	if userID > 0 {
+		user, err = models.GetUserByID(userID)
+		if err != nil {
+			ctx.JSON(500, map[string]interface{}{
+				"err": err.Error(),
+			})
+			return
+		}
+	}
+
+	perm, err := models.GetUserRepoPermission(repo, user)
+	if err != nil {
+		ctx.JSON(500, map[string]interface{}{
+			"err": err.Error(),
+		})
 		return
 	}
-	ctx.PlainText(404, []byte("no access"))
+
+	ctx.JSON(200, perm.UnitAccessMode(models.UnitType(ctx.QueryInt("unitType"))))
 }

 // RegisterRoutes registers all internal APIs routes to web application.
@ -85,7 +80,6 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Get("/ssh/:id/user", GetUserByKeyID)
 		m.Post("/ssh/:id/update", UpdatePublicKey)
 		m.Post("/repositories/:repoid/keys/:keyid/update", UpdateDeployKey)
-		m.Get("/repositories/:repoid/user/:userid/accesslevel", AccessLevel)
 		m.Get("/repositories/:repoid/user/:userid/checkunituser", CheckUnitUser)
 		m.Get("/repositories/:repoid/has-keys/:keyid", HasDeployKey)
 		m.Post("/push/update", PushUpdate)