mirror of https://github.com/go-gitea/gitea.git
Move permission check to router layer
parent
697d238b43
commit
7e073ec811
|
@ -17,6 +17,7 @@ import (
|
||||||
"code.gitea.io/gitea/routers/api/v1/utils"
|
"code.gitea.io/gitea/routers/api/v1/utils"
|
||||||
"code.gitea.io/gitea/services/context"
|
"code.gitea.io/gitea/services/context"
|
||||||
"code.gitea.io/gitea/services/convert"
|
"code.gitea.io/gitea/services/convert"
|
||||||
|
issue_service "code.gitea.io/gitea/services/issue"
|
||||||
pull_service "code.gitea.io/gitea/services/pull"
|
pull_service "code.gitea.io/gitea/services/pull"
|
||||||
repo_service "code.gitea.io/gitea/services/repository"
|
repo_service "code.gitea.io/gitea/services/repository"
|
||||||
)
|
)
|
||||||
|
@ -321,6 +322,12 @@ func GetReviewers(ctx *context.APIContext) {
|
||||||
// "404":
|
// "404":
|
||||||
// "$ref": "#/responses/notFound"
|
// "$ref": "#/responses/notFound"
|
||||||
|
|
||||||
|
canChooseReviewer := issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, ctx.Repo.Repository, 0)
|
||||||
|
if !canChooseReviewer {
|
||||||
|
ctx.Error(http.StatusForbidden, "GetReviewers", errors.New("doer has no permission to get reviewers"))
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
reviewers, err := pull_service.GetReviewers(ctx, ctx.Repo.Repository, ctx.Doer.ID, 0)
|
reviewers, err := pull_service.GetReviewers(ctx, ctx.Repo.Repository, ctx.Doer.ID, 0)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.Error(http.StatusInternalServerError, "ListCollaborators", err)
|
ctx.Error(http.StatusInternalServerError, "ListCollaborators", err)
|
||||||
|
|
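Review bot: The new gate in GetReviewers applies a write-oriented predicate to a read endpoint. `CanDoerChangeReviewRequests` returns false whenever `repo.IsArchived` is set (visible in its own hunk further down this page), so listing reviewers on an archived repository now returns 403; presumably the same holds for a caller who can read the repository but may not change review requests. The checks this commit removes from `pull_service.GetReviewers` only rejected callers without access to a private or limited-visibility repository or owner, so this looks like a behaviour change to confirm rather than a pure move. If the stricter rule is intended, state it above the call, for example `// listing reviewers requires the right to change review requests; posterID 0 matches no user`. The swagger block just above the new lines ends with a 404 response; if no 403 is declared outside the hunk, one should be added for the new `http.StatusForbidden` path. The body of GetReviewers starts and ends outside the hunk.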
|
@ -186,7 +186,7 @@ func (d *IssuePageMetaData) retrieveReviewersData(ctx *context.Context) {
|
||||||
if d.Issue == nil {
|
if d.Issue == nil {
|
||||||
data.CanChooseReviewer = true
|
data.CanChooseReviewer = true
|
||||||
} else {
|
} else {
|
||||||
data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue)
|
data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue.PosterID)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -119,7 +119,7 @@ func isValidReviewRequest(ctx context.Context, reviewer, doer *user_model.User,
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)
|
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
|
||||||
|
|
||||||
if isAdd {
|
if isAdd {
|
||||||
if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) {
|
if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) {
|
||||||
|
@ -178,7 +178,7 @@ func isValidTeamReviewRequest(ctx context.Context, reviewer *organization.Team,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)
|
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
|
||||||
|
|
||||||
if isAdd {
|
if isAdd {
|
||||||
if issue.Repo.IsPrivate {
|
if issue.Repo.IsPrivate {
|
||||||
|
@ -276,12 +276,12 @@ func teamReviewRequestNotify(ctx context.Context, issue *issues_model.Issue, doe
|
||||||
}
|
}
|
||||||
|
|
||||||
// CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR
|
// CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR
|
||||||
func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue) bool {
|
func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, posterID int64) bool {
|
||||||
if repo.IsArchived {
|
if repo.IsArchived {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
// The poster of the PR can change the reviewers
|
// The poster of the PR can change the reviewers
|
||||||
if doer.ID == issue.PosterID {
|
if doer.ID == posterID {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
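Review bot: The doc comment on CanDoerChangeReviewRequests still speaks only of "a PR", but the function now takes a bare `posterID int64`, and the API caller on this page passes the literal `0`. Because `if doer.ID == posterID` returns true at that line, a caller that passes the wrong ID is granted the permission with no type error to catch it. The contract should therefore be written down, for example `// posterID is the user ID of the PR's poster; pass 0 when no PR exists so the poster shortcut never matches.` The same line dereferences `doer` without a nil check, so it is worth confirming that every route reaching this function requires a signed-in user. The function body continues outside the hunk, so the remaining permission checks are not visible here.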
|
@ -5,7 +5,6 @@ package pull
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
|
||||||
|
|
||||||
"code.gitea.io/gitea/models/db"
|
"code.gitea.io/gitea/models/db"
|
||||||
"code.gitea.io/gitea/models/organization"
|
"code.gitea.io/gitea/models/organization"
|
||||||
|
@ -53,14 +52,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
uniqueUserIDs.AddMultiple(additionalUserIDs...)
|
uniqueUserIDs.AddMultiple(additionalUserIDs...)
|
||||||
|
|
||||||
if repo.Owner.Visibility.IsLimited() && doerID == 0 {
|
|
||||||
return nil, fmt.Errorf("permission denied")
|
|
||||||
}
|
|
||||||
|
|
||||||
if (repo.IsPrivate || repo.Owner.Visibility.IsPrivate()) && !uniqueUserIDs.Contains(doerID) {
|
|
||||||
return nil, fmt.Errorf("permission denied")
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
userIDs := make([]int64, 0, 10)
|
userIDs := make([]int64, 0, 10)
|
||||||
if err := e.Table("access").
|
if err := e.Table("access").
|
||||||
|
@ -70,9 +61,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
uniqueUserIDs.AddMultiple(userIDs...)
|
uniqueUserIDs.AddMultiple(userIDs...)
|
||||||
if repo.IsPrivate && !uniqueUserIDs.Contains(doerID) && doerID != repo.OwnerID {
|
|
||||||
return nil, fmt.Errorf("permission denied")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
uniqueUserIDs.Remove(posterID) // posterID should not be in the list of reviewers
|
uniqueUserIDs.Remove(posterID) // posterID should not be in the list of reviewers
|
||||||
|
|
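Review bot: With the three `permission denied` returns removed, pull_service.GetReviewers no longer rejects any caller, so its doc comment should say that authorization is the caller's job, for example `// GetReviewers performs no permission check; callers must authorize the doer first (see issue_service.CanDoerChangeReviewRequests).` The removed branches covered limited-visibility owners with an anonymous doer (`doerID == 0`) and private owners via `repo.Owner.Visibility.IsPrivate()`. Whether the router-level check covers those cases cannot be seen from this page and should be confirmed for every caller, including the web path through retrieveReviewersData. All visible uses of `doerID` are deleted here; if none remain outside the hunks, the parameter should be dropped so the signature does not suggest the function still checks the doer. The function starts and ends outside the hunks shown.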