From ad6d08d155c67d6d3833d2961ed0fd5a2ba1ff88 Mon Sep 17 00:00:00 2001 From: Florin Hillebrand Date: Fri, 29 Apr 2022 14:24:38 +0200 Subject: [PATCH] Add API to query collaborators permission for a repository (#18761) Targeting #14936, #15332 Adds a collaborator permissions API endpoint according to GitHub API: https://docs.github.com/en/rest/collaborators/collaborators#get-repository-permissions-for-a-user to retrieve a collaborators permissions for a specific repository. ### Checks the repository permissions of a collaborator. `GET` `/repos/{owner}/{repo}/collaborators/{collaborator}/permission` Possible `permission` values are `admin`, `write`, `read`, `owner`, `none`. ```json { "permission": "admin", "role_name": "admin", "user": {} } ``` Where `permission` and `role_name` hold the same `permission` value and `user` is filled with the user API object. Only admins are allowed to use this API endpoint. --- integrations/api_repo_collaborator_test.go | 131 +++++++++++++++++++++ models/fixtures/user.yml | 32 +++++ modules/convert/user.go | 9 ++ modules/structs/repo_collaborator.go | 7 ++ routers/api/v1/api.go | 9 +- routers/api/v1/repo/collaborators.go | 55 +++++++++ routers/api/v1/swagger/repo.go | 7 ++ templates/swagger/v1_json.tmpl | 70 +++++++++++ 8 files changed, 317 insertions(+), 3 deletions(-) create mode 100644 integrations/api_repo_collaborator_test.go diff --git a/integrations/api_repo_collaborator_test.go b/integrations/api_repo_collaborator_test.go new file mode 100644 index 0000000000..fdca1d9150 --- /dev/null +++ b/integrations/api_repo_collaborator_test.go @@ -0,0 +1,131 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package integrations + +import ( + "net/http" + "net/url" + "testing" + + "code.gitea.io/gitea/models/perm" + repo_model "code.gitea.io/gitea/models/repo" + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + api "code.gitea.io/gitea/modules/structs" + + "github.com/stretchr/testify/assert" +) + +func TestAPIRepoCollaboratorPermission(t *testing.T) { + onGiteaRun(t, func(t *testing.T, u *url.URL) { + repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}).(*repo_model.Repository) + repo2Owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo2.OwnerID}).(*user_model.User) + + user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}).(*user_model.User) + user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User) + user10 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10}).(*user_model.User) + user11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 11}).(*user_model.User) + + session := loginUser(t, repo2Owner.Name) + testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name) + + t.Run("RepoOwnerShouldBeOwner", func(t *testing.T) { + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, repo2Owner.Name, testCtx.Token) + resp := session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "owner", repoPermission.Permission) + }) + + t.Run("CollaboratorWithReadAccess", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeRead)) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token) + resp := session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "read", repoPermission.Permission) + }) + + t.Run("CollaboratorWithWriteAccess", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithWriteAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeWrite)) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token) + resp := session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "write", repoPermission.Permission) + }) + + t.Run("CollaboratorWithAdminAccess", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithAdminAccess", doAPIAddCollaborator(testCtx, user4.Name, perm.AccessModeAdmin)) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user4.Name, testCtx.Token) + resp := session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "admin", repoPermission.Permission) + }) + + t.Run("CollaboratorNotFound", func(t *testing.T) { + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, "non-existent-user", testCtx.Token) + session.MakeRequest(t, req, http.StatusNotFound) + }) + + t.Run("CollaboratorCanQueryItsPermissions", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead)) + + _session := loginUser(t, user5.Name) + _testCtx := NewAPITestContext(t, user5.Name, repo2.Name) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token) + resp := _session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "read", repoPermission.Permission) + }) + + t.Run("CollaboratorCanQueryItsPermissions", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead)) + + _session := loginUser(t, user5.Name) + _testCtx := NewAPITestContext(t, user5.Name, repo2.Name) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token) + resp := _session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "read", repoPermission.Permission) + }) + + t.Run("RepoAdminCanQueryACollaboratorsPermissions", func(t *testing.T) { + t.Run("AddUserAsCollaboratorWithAdminAccess", doAPIAddCollaborator(testCtx, user10.Name, perm.AccessModeAdmin)) + t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user11.Name, perm.AccessModeRead)) + + _session := loginUser(t, user10.Name) + _testCtx := NewAPITestContext(t, user10.Name, repo2.Name) + + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user11.Name, _testCtx.Token) + resp := _session.MakeRequest(t, req, http.StatusOK) + + var repoPermission api.RepoCollaboratorPermission + DecodeJSON(t, resp, &repoPermission) + + assert.Equal(t, "read", repoPermission.Permission) + }) + }) +} diff --git a/models/fixtures/user.yml b/models/fixtures/user.yml index 670b305621..67ba869c76 100644 --- a/models/fixtures/user.yml +++ b/models/fixtures/user.yml @@ -4,6 +4,7 @@ id: 1 lower_name: user1 name: user1 + login_name: user1 full_name: User One email: user1@example.com email_notifications_preference: enabled @@ -21,6 +22,7 @@ id: 2 lower_name: user2 name: user2 + login_name: user2 full_name: " < Ur Tw >< " email: user2@example.com keep_email_private: true @@ -42,6 +44,7 @@ id: 3 lower_name: user3 name: user3 + login_name: user3 full_name: " <<<< >> >> > >> > >>> >> " email: user3@example.com email_notifications_preference: onmention @@ -60,6 +63,7 @@ id: 4 lower_name: user4 name: user4 + login_name: user4 full_name: " " email: user4@example.com email_notifications_preference: onmention @@ -78,6 +82,7 @@ id: 5 lower_name: user5 name: user5 + login_name: user5 full_name: User Five email: user5@example.com email_notifications_preference: enabled @@ -97,6 +102,7 @@ id: 6 lower_name: user6 name: user6 + login_name: user6 full_name: User Six email: user6@example.com email_notifications_preference: enabled @@ -115,6 +121,7 @@ id: 7 lower_name: user7 name: user7 + login_name: user7 full_name: User Seven email: user7@example.com email_notifications_preference: disabled @@ -133,6 +140,7 @@ id: 8 lower_name: user8 name: user8 + login_name: user8 full_name: User Eight email: user8@example.com email_notifications_preference: enabled @@ -152,6 +160,7 @@ id: 9 lower_name: user9 name: user9 + login_name: user9 full_name: User Nine email: user9@example.com email_notifications_preference: onmention @@ -169,6 +178,7 @@ id: 10 lower_name: user10 name: user10 + login_name: user10 full_name: User Ten email: user10@example.com passwd_hash_algo: argon2 @@ -185,6 +195,7 @@ id: 11 lower_name: user11 name: user11 + login_name: user11 full_name: User Eleven email: user11@example.com passwd_hash_algo: argon2 @@ -201,6 +212,7 @@ id: 12 lower_name: user12 name: user12 + login_name: user12 full_name: User 12 email: user12@example.com passwd_hash_algo: argon2 @@ -217,6 +229,7 @@ id: 13 lower_name: user13 name: user13 + login_name: user13 full_name: User 13 email: user13@example.com passwd_hash_algo: argon2 @@ -233,6 +246,7 @@ id: 14 lower_name: user14 name: user14 + login_name: user14 full_name: User 14 email: user14@example.com passwd_hash_algo: argon2 @@ -249,6 +263,7 @@ id: 15 lower_name: user15 name: user15 + login_name: user15 full_name: User 15 email: user15@example.com passwd_hash_algo: argon2 @@ -265,6 +280,7 @@ id: 16 lower_name: user16 name: user16 + login_name: user16 full_name: User 16 email: user16@example.com passwd_hash_algo: argon2 @@ -281,6 +297,7 @@ id: 17 lower_name: user17 name: user17 + login_name: user17 full_name: User 17 email: user17@example.com passwd_hash_algo: argon2 @@ -299,6 +316,7 @@ id: 18 lower_name: user18 name: user18 + login_name: user18 full_name: User 18 email: user18@example.com passwd_hash_algo: argon2 @@ -315,6 +333,7 @@ id: 19 lower_name: user19 name: user19 + login_name: user19 full_name: User 19 email: user19@example.com passwd_hash_algo: argon2 @@ -333,6 +352,7 @@ id: 20 lower_name: user20 name: user20 + login_name: user20 full_name: User 20 email: user20@example.com passwd_hash_algo: argon2 @@ -349,6 +369,7 @@ id: 21 lower_name: user21 name: user21 + login_name: user21 full_name: User 21 email: user21@example.com passwd_hash_algo: argon2 @@ -365,6 +386,7 @@ id: 22 lower_name: limited_org name: limited_org + login_name: limited_org full_name: Limited Org email: limited_org@example.com passwd_hash_algo: argon2 @@ -384,6 +406,7 @@ id: 23 lower_name: privated_org name: privated_org + login_name: privated_org full_name: Privated Org email: privated_org@example.com passwd_hash_algo: argon2 @@ -403,6 +426,7 @@ id: 24 lower_name: user24 name: user24 + login_name: user24 full_name: "user24" email: user24@example.com keep_email_private: true @@ -423,6 +447,7 @@ id: 25 lower_name: org25 name: org25 + login_name: org25 full_name: "org25" email: org25@example.com passwd_hash_algo: argon2 @@ -440,6 +465,7 @@ id: 26 lower_name: org26 name: org26 + login_name: org26 full_name: "Org26" email: org26@example.com email_notifications_preference: onmention @@ -459,6 +485,7 @@ id: 27 lower_name: user27 name: user27 + login_name: user27 full_name: User Twenty-Seven email: user27@example.com email_notifications_preference: enabled @@ -475,6 +502,7 @@ id: 28 lower_name: user28 name: user28 + login_name: user28 full_name: "user27" email: user28@example.com keep_email_private: true @@ -495,6 +523,7 @@ id: 29 lower_name: user29 name: user29 + login_name: user29 full_name: User 29 email: user29@example.com passwd_hash_algo: argon2 @@ -512,6 +541,7 @@ id: 30 lower_name: user30 name: user30 + login_name: user30 full_name: User Thirty email: user30@example.com passwd_hash_algo: argon2 @@ -530,6 +560,7 @@ id: 31 lower_name: user31 name: user31 + login_name: user31 full_name: "user31" email: user31@example.com passwd_hash_algo: argon2 @@ -547,6 +578,7 @@ id: 32 lower_name: user32 name: user32 + login_name: user32 full_name: User 32 (U2F test) email: user32@example.com passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password diff --git a/modules/convert/user.go b/modules/convert/user.go index dc4a8c49c7..2b07d21838 100644 --- a/modules/convert/user.go +++ b/modules/convert/user.go @@ -95,3 +95,12 @@ func User2UserSettings(user *user_model.User) api.UserSettings { DiffViewStyle: user.DiffViewStyle, } } + +// ToUserAndPermission return User and its collaboration permission for a repository +func ToUserAndPermission(user, doer *user_model.User, accessMode perm.AccessMode) api.RepoCollaboratorPermission { + return api.RepoCollaboratorPermission{ + User: ToUser(user, doer), + Permission: accessMode.String(), + RoleName: accessMode.String(), + } +} diff --git a/modules/structs/repo_collaborator.go b/modules/structs/repo_collaborator.go index 2b4fa390d2..2f9c8992a1 100644 --- a/modules/structs/repo_collaborator.go +++ b/modules/structs/repo_collaborator.go @@ -8,3 +8,10 @@ package structs type AddCollaboratorOption struct { Permission *string `json:"permission"` } + +// RepoCollaboratorPermission to get repository permission for a collaborator +type RepoCollaboratorPermission struct { + Permission string `json:"permission"` + RoleName string `json:"role_name"` + User *User `json:"user"` +} diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 782500e6c8..9351cc1510 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -810,9 +810,12 @@ func Routes() *web.Route { }, reqToken(), reqAdmin(), reqWebhooksEnabled()) m.Group("/collaborators", func() { m.Get("", reqAnyRepoReader(), repo.ListCollaborators) - m.Combo("/{collaborator}").Get(reqAnyRepoReader(), repo.IsCollaborator). - Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator). - Delete(reqAdmin(), repo.DeleteCollaborator) + m.Group("/{collaborator}", func() { + m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator). + Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator). + Delete(reqAdmin(), repo.DeleteCollaborator) + m.Get("/permission", repo.GetRepoPermissions) + }, reqToken()) }, reqToken()) m.Get("/assignees", reqToken(), reqAnyRepoReader(), repo.GetAssignees) m.Get("/reviewers", reqToken(), reqAnyRepoReader(), repo.GetReviewers) diff --git a/routers/api/v1/repo/collaborators.go b/routers/api/v1/repo/collaborators.go index 3bb6113d77..2db1724b2a 100644 --- a/routers/api/v1/repo/collaborators.go +++ b/routers/api/v1/repo/collaborators.go @@ -233,6 +233,61 @@ func DeleteCollaborator(ctx *context.APIContext) { ctx.Status(http.StatusNoContent) } +// GetRepoPermissions gets repository permissions for a user +func GetRepoPermissions(ctx *context.APIContext) { + // swagger:operation GET /repos/{owner}/{repo}/collaborators/{collaborator}/permission repository repoGetRepoPermissions + // --- + // summary: Get repository permissions for a user + // produces: + // - application/json + // parameters: + // - name: owner + // in: path + // description: owner of the repo + // type: string + // required: true + // - name: repo + // in: path + // description: name of the repo + // type: string + // required: true + // - name: collaborator + // in: path + // description: username of the collaborator + // type: string + // required: true + // responses: + // "200": + // "$ref": "#/responses/RepoCollaboratorPermission" + // "404": + // "$ref": "#/responses/notFound" + // "403": + // "$ref": "#/responses/forbidden" + + if !ctx.Doer.IsAdmin && ctx.Doer.LoginName != ctx.Params(":collaborator") && !ctx.IsUserRepoAdmin() { + ctx.Error(http.StatusForbidden, "User", "Only admins can query all permissions, repo admins can query all repo permissions, collaborators can query only their own") + return + } + + collaborator, err := user_model.GetUserByName(ctx.Params(":collaborator")) + if err != nil { + if user_model.IsErrUserNotExist(err) { + ctx.Error(http.StatusNotFound, "GetUserByName", err) + } else { + ctx.Error(http.StatusInternalServerError, "GetUserByName", err) + } + return + } + + permission, err := models.GetUserRepoPermission(ctx, ctx.Repo.Repository, collaborator) + if err != nil { + ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err) + return + } + + ctx.JSON(http.StatusOK, convert.ToUserAndPermission(collaborator, ctx.ContextUser, permission.AccessMode)) +} + // GetReviewers return all users that can be requested to review in this repo func GetReviewers(ctx *context.APIContext) { // swagger:operation GET /repos/{owner}/{repo}/reviewers repository repoGetReviewers diff --git a/routers/api/v1/swagger/repo.go b/routers/api/v1/swagger/repo.go index 40aeca677d..ab802db781 100644 --- a/routers/api/v1/swagger/repo.go +++ b/routers/api/v1/swagger/repo.go @@ -344,3 +344,10 @@ type swaggerWikiCommitList struct { // in:body Body api.WikiCommitList `json:"body"` } + +// RepoCollaboratorPermission +// swagger:response RepoCollaboratorPermission +type swaggerRepoCollaboratorPermission struct { + // in:body + Body api.RepoCollaboratorPermission `json:"body"` +} diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl index d57a3a580b..3e4813f22c 100644 --- a/templates/swagger/v1_json.tmpl +++ b/templates/swagger/v1_json.tmpl @@ -3129,6 +3129,52 @@ } } }, + "/repos/{owner}/{repo}/collaborators/{collaborator}/permission": { + "get": { + "produces": [ + "application/json" + ], + "tags": [ + "repository" + ], + "summary": "Get repository permissions for a user", + "operationId": "repoGetRepoPermissions", + "parameters": [ + { + "type": "string", + "description": "owner of the repo", + "name": "owner", + "in": "path", + "required": true + }, + { + "type": "string", + "description": "name of the repo", + "name": "repo", + "in": "path", + "required": true + }, + { + "type": "string", + "description": "username of the collaborator", + "name": "collaborator", + "in": "path", + "required": true + } + ], + "responses": { + "200": { + "$ref": "#/responses/RepoCollaboratorPermission" + }, + "403": { + "$ref": "#/responses/forbidden" + }, + "404": { + "$ref": "#/responses/notFound" + } + } + } + }, "/repos/{owner}/{repo}/commits": { "get": { "produces": [ @@ -17451,6 +17497,24 @@ }, "x-go-package": "code.gitea.io/gitea/modules/structs" }, + "RepoCollaboratorPermission": { + "description": "RepoCollaboratorPermission to get repository permission for a collaborator", + "type": "object", + "properties": { + "permission": { + "type": "string", + "x-go-name": "Permission" + }, + "role_name": { + "type": "string", + "x-go-name": "RoleName" + }, + "user": { + "$ref": "#/definitions/User" + } + }, + "x-go-package": "code.gitea.io/gitea/modules/structs" + }, "RepoCommit": { "type": "object", "title": "RepoCommit contains information of a commit in the context of a repository.", @@ -19126,6 +19190,12 @@ } } }, + "RepoCollaboratorPermission": { + "description": "RepoCollaboratorPermission", + "schema": { + "$ref": "#/definitions/RepoCollaboratorPermission" + } + }, "Repository": { "description": "Repository", "schema": {