Move permission check to router layer

Lunny Xiao 2024-11-13 10:02:36 -08:00
parent 697d238b43
commit 7e073ec811
No known key found for this signature in database
GPG Key ID: C3B7C91B632F738A
4 changed files with 12 additions and 17 deletions


@ -17,6 +17,7 @@ import (
"code.gitea.io/gitea/routers/api/v1/utils" "code.gitea.io/gitea/routers/api/v1/utils"
"code.gitea.io/gitea/services/context" "code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/convert" "code.gitea.io/gitea/services/convert"
issue_service "code.gitea.io/gitea/services/issue"
pull_service "code.gitea.io/gitea/services/pull" pull_service "code.gitea.io/gitea/services/pull"
repo_service "code.gitea.io/gitea/services/repository" repo_service "code.gitea.io/gitea/services/repository"
) )
@ -321,6 +322,12 @@ func GetReviewers(ctx *context.APIContext) {
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
canChooseReviewer := issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, ctx.Repo.Repository, 0)
if !canChooseReviewer {
ctx.Error(http.StatusForbidden, "GetReviewers", errors.New("doer has no permission to get reviewers"))
return
}
reviewers, err := pull_service.GetReviewers(ctx, ctx.Repo.Repository, ctx.Doer.ID, 0) reviewers, err := pull_service.GetReviewers(ctx, ctx.Repo.Repository, ctx.Doer.ID, 0)
if err != nil { if err != nil {
ctx.Error(http.StatusInternalServerError, "ListCollaborators", err) ctx.Error(http.StatusInternalServerError, "ListCollaborators", err)
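Review bot: The added guard before the `pull_service.GetReviewers` call passes a literal `0` as posterID and relies entirely on `issue_service.CanDoerChangeReviewRequests` to stand in for the collaborator and visibility checks this commit deletes from `pull_service.GetReviewers`; only the archived and poster branches of that function are visible on this page, so whether limited-visibility and private-repo callers are still rejected cannot be confirmed here and deserves a test. The bare `0` needs a why-comment, e.g. `// No PR exists yet, so there is no poster to exempt; 0 never matches a real doer ID.` The `errors.New` call assumes `errors` is already imported, while the import hunk only adds `issue_service`. Since every visible use of `doerID` inside `pull_service.GetReviewers` was in the removed checks, the `ctx.Doer.ID` argument still passed here may now be dead and is worth re-checking. GetReviewers (the API handler) starts outside the hunk.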


@ -186,7 +186,7 @@ func (d *IssuePageMetaData) retrieveReviewersData(ctx *context.Context) {
if d.Issue == nil { if d.Issue == nil {
data.CanChooseReviewer = true data.CanChooseReviewer = true
} else { } else {
data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue) data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue.PosterID)
} }
} }
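Review bot: In the `d.Issue == nil` branch `data.CanChooseReviewer` is set to `true` unconditionally, and since this commit removes the private and limited-visibility checks from `pull_service.GetReviewers`, the reviewer listing for a not-yet-created PR now depends on whatever permission check guards this web route outside the hunk, which I could not confirm from this page. Consider gating that branch the same way the API handler now does, `data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, 0)`, so both entry points share one rule; if `ctx.Doer` can be nil here, check that first. retrieveReviewersData starts outside the hunk.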


@ -119,7 +119,7 @@ func isValidReviewRequest(ctx context.Context, reviewer, doer *user_model.User,
return err return err
} }
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue) canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
if isAdd { if isAdd {
if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) { if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) {
@ -178,7 +178,7 @@ func isValidTeamReviewRequest(ctx context.Context, reviewer *organization.Team,
} }
} }
canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue) canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
if isAdd { if isAdd {
if issue.Repo.IsPrivate { if issue.Repo.IsPrivate {
@ -276,12 +276,12 @@ func teamReviewRequestNotify(ctx context.Context, issue *issues_model.Issue, doe
} }
// CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR // CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR
func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue) bool { func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, posterID int64) bool {
if repo.IsArchived { if repo.IsArchived {
return false return false
} }
// The poster of the PR can change the reviewers // The poster of the PR can change the reviewers
if doer.ID == issue.PosterID { if doer.ID == posterID {
return true return true
} }
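Review bot: The doc comment on `CanDoerChangeReviewRequests` still only says it returns whether the doer can change review requests of a PR, but the parameter is now a bare `posterID int64` and one caller in this commit passes `0` when no PR exists yet; document that, e.g. `// CanDoerChangeReviewRequests reports whether doer may add or remove review requests in repo. posterID is the PR author's ID (the poster is always allowed), or 0 when there is no PR yet.` Replacing the issue argument with an `int64` also drops the type-level guarantee that a real PR's poster is being compared, so a caller passing a wrong or stale ID silently grants the poster exemption; a unit test covering posterID 0 against a non-poster doer would pin the intended behavior. The function body continues outside the hunk.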


@ -5,7 +5,6 @@ package pull
import ( import (
"context" "context"
"fmt"
"code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/models/organization" "code.gitea.io/gitea/models/organization"
@ -53,14 +52,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
return nil, err return nil, err
} }
uniqueUserIDs.AddMultiple(additionalUserIDs...) uniqueUserIDs.AddMultiple(additionalUserIDs...)
if repo.Owner.Visibility.IsLimited() && doerID == 0 {
return nil, fmt.Errorf("permission denied")
}
if (repo.IsPrivate || repo.Owner.Visibility.IsPrivate()) && !uniqueUserIDs.Contains(doerID) {
return nil, fmt.Errorf("permission denied")
}
} else { } else {
userIDs := make([]int64, 0, 10) userIDs := make([]int64, 0, 10)
if err := e.Table("access"). if err := e.Table("access").
@ -70,9 +61,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
return nil, err return nil, err
} }
uniqueUserIDs.AddMultiple(userIDs...) uniqueUserIDs.AddMultiple(userIDs...)
if repo.IsPrivate && !uniqueUserIDs.Contains(doerID) && doerID != repo.OwnerID {
return nil, fmt.Errorf("permission denied")
}
} }
uniqueUserIDs.Remove(posterID) // posterID should not be in the list of reviewers uniqueUserIDs.Remove(posterID) // posterID should not be in the list of reviewers