From 174213530dc538c124cddc5cc43d9a514c6695b9 Mon Sep 17 00:00:00 2001 From: Jason Song Date: Thu, 22 Jun 2023 21:08:08 +0800 Subject: [PATCH] Fix `Permission` in API returned repository struct (#25388) The old code generates `structs.Repository.Permissions` with only `access.Permission.AccessMode`, however, it should check the units too, or the value could be incorrect. For example, `structs.Repository.Permissions.Push` could be false even the doer has write access to code unit. Should fix https://github.com/renovatebot/renovate/issues/14059#issuecomment-1047961128 (Not reported by it, I just found it when I was looking into this bug) --- Review tips: The major changes are - `modules/structs/repo.go` https://github.com/go-gitea/gitea/pull/25388/files#diff-870406f6857117f8b03611c43fca0ab9ed6d6e76a2d0069a7c1f17e8fa9092f7 - `services/convert/repository.go` https://github.com/go-gitea/gitea/pull/25388/files#diff-7736f6d2ae894c9edb7729a80ab89aa183b888a26a811a0c1fdebd18726a7101 And other changes are passive. --- modules/structs/repo.go | 6 +- routers/api/v1/org/team.go | 8 +- routers/api/v1/repo/fork.go | 8 +- routers/api/v1/repo/hook.go | 3 +- routers/api/v1/repo/key.go | 5 +- routers/api/v1/repo/migrate.go | 3 +- routers/api/v1/repo/repo.go | 20 ++--- routers/api/v1/repo/status.go | 2 +- routers/api/v1/repo/transfer.go | 9 ++- routers/api/v1/user/repo.go | 15 ++-- routers/api/v1/user/star.go | 4 +- routers/api/v1/user/watch.go | 4 +- routers/web/repo/webhook.go | 3 +- services/actions/notifier.go | 70 ++++++++-------- services/actions/notifier_helper.go | 4 +- services/convert/activity.go | 2 +- services/convert/notification.go | 3 +- services/convert/package.go | 2 +- services/convert/pull.go | 4 +- services/convert/pull_test.go | 3 +- services/convert/repository.go | 30 +++++-- services/webhook/notifier.go | 119 ++++++++++++++-------------- 22 files changed, 174 insertions(+), 153 deletions(-) diff --git a/modules/structs/repo.go b/modules/structs/repo.go index fc4ed03de553..3b43f74c7994 100644 --- a/modules/structs/repo.go +++ b/modules/structs/repo.go @@ -10,9 +10,9 @@ import ( // Permission represents a set of permissions type Permission struct { - Admin bool `json:"admin"` - Push bool `json:"push"` - Pull bool `json:"pull"` + Admin bool `json:"admin"` // Admin indicates if the user is an administrator of the repository. + Push bool `json:"push"` // Push indicates if the user can push code to the repository. + Pull bool `json:"pull"` // Pull indicates if the user can pull code from the repository. } // InternalTracker represents settings for internal tracker diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go index 8b7d7b195151..1aaefacdd596 100644 --- a/routers/api/v1/org/team.go +++ b/routers/api/v1/org/team.go @@ -561,12 +561,12 @@ func GetTeamRepos(ctx *context.APIContext) { } repos := make([]*api.Repository, len(teamRepos)) for i, repo := range teamRepos { - access, err := access_model.AccessLevel(ctx, ctx.Doer, repo) + permission, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) if err != nil { ctx.Error(http.StatusInternalServerError, "GetTeamRepos", err) return } - repos[i] = convert.ToRepo(ctx, repo, access) + repos[i] = convert.ToRepo(ctx, repo, permission) } ctx.SetTotalCountHeader(int64(team.NumRepos)) ctx.JSON(http.StatusOK, repos) @@ -612,13 +612,13 @@ func GetTeamRepo(ctx *context.APIContext) { return } - access, err := access_model.AccessLevel(ctx, ctx.Doer, repo) + permission, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) if err != nil { ctx.Error(http.StatusInternalServerError, "GetTeamRepos", err) return } - ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, access)) + ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, permission)) } // getRepositoryByParams get repository by a team's organization ID and repo name diff --git a/routers/api/v1/repo/fork.go b/routers/api/v1/repo/fork.go index 4cb3eddf58b0..f75153ab2d89 100644 --- a/routers/api/v1/repo/fork.go +++ b/routers/api/v1/repo/fork.go @@ -60,12 +60,12 @@ func ListForks(ctx *context.APIContext) { } apiForks := make([]*api.Repository, len(forks)) for i, fork := range forks { - access, err := access_model.AccessLevel(ctx, ctx.Doer, fork) + permission, err := access_model.GetUserRepoPermission(ctx, fork, ctx.Doer) if err != nil { - ctx.Error(http.StatusInternalServerError, "AccessLevel", err) + ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err) return } - apiForks[i] = convert.ToRepo(ctx, fork, access) + apiForks[i] = convert.ToRepo(ctx, fork, permission) } ctx.SetTotalCountHeader(int64(ctx.Repo.Repository.NumForks)) @@ -152,5 +152,5 @@ func CreateFork(ctx *context.APIContext) { } // TODO change back to 201 - ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, fork, perm.AccessModeOwner)) + ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, fork, access_model.Permission{AccessMode: perm.AccessModeOwner})) } diff --git a/routers/api/v1/repo/hook.go b/routers/api/v1/repo/hook.go index 39d83912b016..d0b77b5687ed 100644 --- a/routers/api/v1/repo/hook.go +++ b/routers/api/v1/repo/hook.go @@ -8,6 +8,7 @@ import ( "net/http" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" "code.gitea.io/gitea/models/webhook" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/git" @@ -185,7 +186,7 @@ func TestHook(ctx *context.APIContext) { Commits: []*api.PayloadCommit{commit}, TotalCommits: 1, HeadCommit: commit, - Repo: convert.ToRepo(ctx, ctx.Repo.Repository, perm.AccessModeNone), + Repo: convert.ToRepo(ctx, ctx.Repo.Repository, access_model.Permission{AccessMode: perm.AccessModeNone}), Pusher: convert.ToUserWithAccessMode(ctx, ctx.Doer, perm.AccessModeNone), Sender: convert.ToUserWithAccessMode(ctx, ctx.Doer, perm.AccessModeNone), }); err != nil { diff --git a/routers/api/v1/repo/key.go b/routers/api/v1/repo/key.go index d496c4a73c11..824880880a01 100644 --- a/routers/api/v1/repo/key.go +++ b/routers/api/v1/repo/key.go @@ -13,6 +13,7 @@ import ( asymkey_model "code.gitea.io/gitea/models/asymkey" "code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" @@ -27,13 +28,13 @@ import ( func appendPrivateInformation(ctx stdCtx.Context, apiKey *api.DeployKey, key *asymkey_model.DeployKey, repository *repo_model.Repository) (*api.DeployKey, error) { apiKey.ReadOnly = key.Mode == perm.AccessModeRead if repository.ID == key.RepoID { - apiKey.Repository = convert.ToRepo(ctx, repository, key.Mode) + apiKey.Repository = convert.ToRepo(ctx, repository, access_model.Permission{AccessMode: key.Mode}) } else { repo, err := repo_model.GetRepositoryByID(ctx, key.RepoID) if err != nil { return apiKey, err } - apiKey.Repository = convert.ToRepo(ctx, repo, key.Mode) + apiKey.Repository = convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: key.Mode}) } return apiKey, nil } diff --git a/routers/api/v1/repo/migrate.go b/routers/api/v1/repo/migrate.go index b458cd122b8a..84327de5fbe4 100644 --- a/routers/api/v1/repo/migrate.go +++ b/routers/api/v1/repo/migrate.go @@ -14,6 +14,7 @@ import ( "code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/organization" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/context" @@ -211,7 +212,7 @@ func Migrate(ctx *context.APIContext) { } log.Trace("Repository migrated: %s/%s", repoOwner.Name, form.RepoName) - ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, perm.AccessModeAdmin)) + ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeAdmin})) } func handleMigrateError(ctx *context.APIContext, repoOwner *user_model.User, remoteAddr string, err error) { diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go index 114b93534ac3..a9f8b5b7e730 100644 --- a/routers/api/v1/repo/repo.go +++ b/routers/api/v1/repo/repo.go @@ -211,14 +211,14 @@ func Search(ctx *context.APIContext) { }) return } - accessMode, err := access_model.AccessLevel(ctx, ctx.Doer, repo) + permission, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) if err != nil { ctx.JSON(http.StatusInternalServerError, api.SearchError{ OK: false, Error: err.Error(), }) } - results[i] = convert.ToRepo(ctx, repo, accessMode) + results[i] = convert.ToRepo(ctx, repo, permission) } ctx.SetLinkHeader(int(count), opts.PageSize) ctx.SetTotalCountHeader(count) @@ -272,7 +272,7 @@ func CreateUserRepo(ctx *context.APIContext, owner *user_model.User, opt api.Cre ctx.Error(http.StatusInternalServerError, "GetRepositoryByID", err) } - ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, perm.AccessModeOwner)) + ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner})) } // Create one repository of mine @@ -419,7 +419,7 @@ func Generate(ctx *context.APIContext) { } log.Trace("Repository generated [%d]: %s/%s", repo.ID, ctxUser.Name, repo.Name) - ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, perm.AccessModeOwner)) + ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner})) } // CreateOrgRepoDeprecated create one repository of the organization @@ -537,7 +537,7 @@ func Get(ctx *context.APIContext) { return } - ctx.JSON(http.StatusOK, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.AccessMode)) + ctx.JSON(http.StatusOK, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.Permission)) } // GetByID returns a single Repository @@ -568,15 +568,15 @@ func GetByID(ctx *context.APIContext) { return } - perm, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) + permission, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) if err != nil { - ctx.Error(http.StatusInternalServerError, "AccessLevel", err) + ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err) return - } else if !perm.HasAccess() { + } else if !permission.HasAccess() { ctx.NotFound() return } - ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, perm.AccessMode)) + ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, permission)) } // Edit edit repository properties @@ -638,7 +638,7 @@ func Edit(ctx *context.APIContext) { return } - ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, ctx.Repo.AccessMode)) + ctx.JSON(http.StatusOK, convert.ToRepo(ctx, repo, ctx.Repo.Permission)) } // updateBasicProperties updates the basic properties of a repo: Name, Description, Website and Visibility diff --git a/routers/api/v1/repo/status.go b/routers/api/v1/repo/status.go index c1110ebce553..028e3083c60a 100644 --- a/routers/api/v1/repo/status.go +++ b/routers/api/v1/repo/status.go @@ -264,7 +264,7 @@ func GetCombinedCommitStatusByRef(ctx *context.APIContext) { return } - combiStatus := convert.ToCombinedStatus(ctx, statuses, convert.ToRepo(ctx, repo, ctx.Repo.AccessMode)) + combiStatus := convert.ToCombinedStatus(ctx, statuses, convert.ToRepo(ctx, repo, ctx.Repo.Permission)) ctx.SetTotalCountHeader(count) ctx.JSON(http.StatusOK, combiStatus) diff --git a/routers/api/v1/repo/transfer.go b/routers/api/v1/repo/transfer.go index ded8edd41c06..8ff22a1193f1 100644 --- a/routers/api/v1/repo/transfer.go +++ b/routers/api/v1/repo/transfer.go @@ -10,6 +10,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/models/organization" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/context" @@ -122,12 +123,12 @@ func Transfer(ctx *context.APIContext) { if ctx.Repo.Repository.Status == repo_model.RepositoryPendingTransfer { log.Trace("Repository transfer initiated: %s -> %s", oldFullname, ctx.Repo.Repository.FullName()) - ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, ctx.Repo.Repository, perm.AccessModeAdmin)) + ctx.JSON(http.StatusCreated, convert.ToRepo(ctx, ctx.Repo.Repository, access_model.Permission{AccessMode: perm.AccessModeAdmin})) return } log.Trace("Repository transferred: %s -> %s", oldFullname, ctx.Repo.Repository.FullName()) - ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, ctx.Repo.Repository, perm.AccessModeAdmin)) + ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, ctx.Repo.Repository, access_model.Permission{AccessMode: perm.AccessModeAdmin})) } // AcceptTransfer accept a repo transfer @@ -165,7 +166,7 @@ func AcceptTransfer(ctx *context.APIContext) { return } - ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.AccessMode)) + ctx.JSON(http.StatusAccepted, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.Permission)) } // RejectTransfer reject a repo transfer @@ -203,7 +204,7 @@ func RejectTransfer(ctx *context.APIContext) { return } - ctx.JSON(http.StatusOK, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.AccessMode)) + ctx.JSON(http.StatusOK, convert.ToRepo(ctx, ctx.Repo.Repository, ctx.Repo.Permission)) } func acceptOrRejectRepoTransfer(ctx *context.APIContext, accept bool) error { diff --git a/routers/api/v1/user/repo.go b/routers/api/v1/user/repo.go index 7a8978cc4e69..86af8cb4408e 100644 --- a/routers/api/v1/user/repo.go +++ b/routers/api/v1/user/repo.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models/perm" access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" + unit_model "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/context" api "code.gitea.io/gitea/modules/structs" @@ -38,13 +39,13 @@ func listUserRepos(ctx *context.APIContext, u *user_model.User, private bool) { apiRepos := make([]*api.Repository, 0, len(repos)) for i := range repos { - access, err := access_model.AccessLevel(ctx, ctx.Doer, repos[i]) + permission, err := access_model.GetUserRepoPermission(ctx, repos[i], ctx.Doer) if err != nil { - ctx.Error(http.StatusInternalServerError, "AccessLevel", err) + ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err) return } - if ctx.IsSigned && ctx.Doer.IsAdmin || access >= perm.AccessModeRead { - apiRepos = append(apiRepos, convert.ToRepo(ctx, repos[i], access)) + if ctx.IsSigned && ctx.Doer.IsAdmin || permission.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead { + apiRepos = append(apiRepos, convert.ToRepo(ctx, repos[i], permission)) } } @@ -123,11 +124,11 @@ func ListMyRepos(ctx *context.APIContext) { ctx.Error(http.StatusInternalServerError, "LoadOwner", err) return } - accessMode, err := access_model.AccessLevel(ctx, ctx.Doer, repo) + permission, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer) if err != nil { - ctx.Error(http.StatusInternalServerError, "AccessLevel", err) + ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err) } - results[i] = convert.ToRepo(ctx, repo, accessMode) + results[i] = convert.ToRepo(ctx, repo, permission) } ctx.SetLinkHeader(int(count), opts.ListOptions.PageSize) diff --git a/routers/api/v1/user/star.go b/routers/api/v1/user/star.go index ad5a8bee33be..9399ad2b4db3 100644 --- a/routers/api/v1/user/star.go +++ b/routers/api/v1/user/star.go @@ -28,11 +28,11 @@ func getStarredRepos(ctx std_context.Context, user *user_model.User, private boo repos := make([]*api.Repository, len(starredRepos)) for i, starred := range starredRepos { - access, err := access_model.AccessLevel(ctx, user, starred) + permission, err := access_model.GetUserRepoPermission(ctx, starred, user) if err != nil { return nil, err } - repos[i] = convert.ToRepo(ctx, starred, access) + repos[i] = convert.ToRepo(ctx, starred, permission) } return repos, nil } diff --git a/routers/api/v1/user/watch.go b/routers/api/v1/user/watch.go index 211f36459a83..172d9d5cc597 100644 --- a/routers/api/v1/user/watch.go +++ b/routers/api/v1/user/watch.go @@ -26,11 +26,11 @@ func getWatchedRepos(ctx std_context.Context, user *user_model.User, private boo repos := make([]*api.Repository, len(watchedRepos)) for i, watched := range watchedRepos { - access, err := access_model.AccessLevel(ctx, user, watched) + permission, err := access_model.GetUserRepoPermission(ctx, watched, user) if err != nil { return nil, 0, err } - repos[i] = convert.ToRepo(ctx, watched, access) + repos[i] = convert.ToRepo(ctx, watched, permission) } return repos, total, nil } diff --git a/routers/web/repo/webhook.go b/routers/web/repo/webhook.go index 5139c0b09161..b358c7260da9 100644 --- a/routers/web/repo/webhook.go +++ b/routers/web/repo/webhook.go @@ -13,6 +13,7 @@ import ( "strings" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/models/webhook" "code.gitea.io/gitea/modules/base" @@ -685,7 +686,7 @@ func TestWebhook(ctx *context.Context) { Commits: []*api.PayloadCommit{apiCommit}, TotalCommits: 1, HeadCommit: apiCommit, - Repo: convert.ToRepo(ctx, ctx.Repo.Repository, perm.AccessModeNone), + Repo: convert.ToRepo(ctx, ctx.Repo.Repository, access_model.Permission{AccessMode: perm.AccessModeNone}), Pusher: apiUser, Sender: apiUser, } diff --git a/services/actions/notifier.go b/services/actions/notifier.go index da870bb84c8f..507eeaacf6cc 100644 --- a/services/actions/notifier.go +++ b/services/actions/notifier.go @@ -45,13 +45,13 @@ func (n *actionsNotifier) NotifyNewIssue(ctx context.Context, issue *issues_mode log.Error("issue.LoadPoster: %v", err) return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) newNotifyInputFromIssue(issue, webhook_module.HookEventIssues).WithPayload(&api.IssuePayload{ Action: api.HookIssueOpened, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, issue.Poster, nil), }).Notify(withMethod(ctx, "NotifyNewIssue")) } @@ -59,7 +59,7 @@ func (n *actionsNotifier) NotifyNewIssue(ctx context.Context, issue *issues_mode // NotifyIssueChangeStatus notifies close or reopen issue to notifiers func (n *actionsNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *user_model.User, commitID string, issue *issues_model.Issue, _ *issues_model.Comment, isClosed bool) { ctx = withMethod(ctx, "NotifyIssueChangeStatus") - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) if issue.IsPull { if err := issue.LoadPullRequest(ctx); err != nil { log.Error("LoadPullRequest: %v", err) @@ -69,7 +69,7 @@ func (n *actionsNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *use apiPullRequest := &api.PullRequestPayload{ Index: issue.Index, PullRequest: convert.ToAPIPullRequest(db.DefaultContext, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), CommitID: commitID, } @@ -88,7 +88,7 @@ func (n *actionsNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *use apiIssue := &api.IssuePayload{ Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), } if isClosed { @@ -118,7 +118,7 @@ func (n *actionsNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) if issue.IsPull { if err = issue.LoadPullRequest(ctx); err != nil { log.Error("loadPullRequest: %v", err) @@ -134,7 +134,7 @@ func (n *actionsNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use Action: api.HookIssueLabelUpdated, Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, perm_model.AccessModeNone), + Repository: convert.ToRepo(ctx, issue.Repo, access_model.Permission{AccessMode: perm_model.AccessModeNone}), Sender: convert.ToUser(ctx, doer, nil), }). WithPullRequest(issue.PullRequest). @@ -147,7 +147,7 @@ func (n *actionsNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use Action: api.HookIssueLabelUpdated, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }). Notify(ctx) @@ -159,7 +159,7 @@ func (n *actionsNotifier) NotifyCreateIssueComment(ctx context.Context, doer *us ) { ctx = withMethod(ctx, "NotifyCreateIssueComment") - mode, _ := access_model.AccessLevel(ctx, doer, repo) + permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer) if issue.IsPull { if err := issue.LoadPullRequest(ctx); err != nil { @@ -172,7 +172,7 @@ func (n *actionsNotifier) NotifyCreateIssueComment(ctx context.Context, doer *us Action: api.HookIssueCommentCreated, Issue: convert.ToAPIIssue(ctx, issue), Comment: convert.ToComment(ctx, comment), - Repository: convert.ToRepo(ctx, repo, mode), + Repository: convert.ToRepo(ctx, repo, permission), Sender: convert.ToUser(ctx, doer, nil), IsPull: true, }). @@ -186,7 +186,7 @@ func (n *actionsNotifier) NotifyCreateIssueComment(ctx context.Context, doer *us Action: api.HookIssueCommentCreated, Issue: convert.ToAPIIssue(ctx, issue), Comment: convert.ToComment(ctx, comment), - Repository: convert.ToRepo(ctx, repo, mode), + Repository: convert.ToRepo(ctx, repo, permission), Sender: convert.ToUser(ctx, doer, nil), IsPull: false, }). @@ -209,14 +209,14 @@ func (n *actionsNotifier) NotifyNewPullRequest(ctx context.Context, pull *issues return } - mode, _ := access_model.AccessLevel(ctx, pull.Issue.Poster, pull.Issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster) newNotifyInputFromIssue(pull.Issue, webhook_module.HookEventPullRequest). WithPayload(&api.PullRequestPayload{ Action: api.HookIssueOpened, Index: pull.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pull, nil), - Repository: convert.ToRepo(ctx, pull.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, pull.Issue.Repo, permission), Sender: convert.ToUser(ctx, pull.Issue.Poster, nil), }). WithPullRequest(pull). @@ -228,7 +228,7 @@ func (n *actionsNotifier) NotifyCreateRepository(ctx context.Context, doer, u *u newNotifyInput(repo, doer, webhook_module.HookEventRepository).WithPayload(&api.RepositoryPayload{ Action: api.HookRepoCreated, - Repository: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Organization: convert.ToUser(ctx, u, nil), Sender: convert.ToUser(ctx, doer, nil), }).Notify(ctx) @@ -237,13 +237,13 @@ func (n *actionsNotifier) NotifyCreateRepository(ctx context.Context, doer, u *u func (n *actionsNotifier) NotifyForkRepository(ctx context.Context, doer *user_model.User, oldRepo, repo *repo_model.Repository) { ctx = withMethod(ctx, "NotifyForkRepository") - oldMode, _ := access_model.AccessLevel(ctx, doer, oldRepo) - mode, _ := access_model.AccessLevel(ctx, doer, repo) + oldPermission, _ := access_model.GetUserRepoPermission(ctx, oldRepo, doer) + permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer) // forked webhook newNotifyInput(oldRepo, doer, webhook_module.HookEventFork).WithPayload(&api.ForkPayload{ - Forkee: convert.ToRepo(ctx, oldRepo, oldMode), - Repo: convert.ToRepo(ctx, repo, mode), + Forkee: convert.ToRepo(ctx, oldRepo, oldPermission), + Repo: convert.ToRepo(ctx, repo, permission), Sender: convert.ToUser(ctx, doer, nil), }).Notify(ctx) @@ -255,7 +255,7 @@ func (n *actionsNotifier) NotifyForkRepository(ctx context.Context, doer *user_m WithRef(oldRepo.DefaultBranch). WithPayload(&api.RepositoryPayload{ Action: api.HookRepoCreated, - Repository: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Organization: convert.ToUser(ctx, u, nil), Sender: convert.ToUser(ctx, doer, nil), }).Notify(ctx) @@ -285,9 +285,9 @@ func (n *actionsNotifier) NotifyPullRequestReview(ctx context.Context, pr *issue return } - mode, err := access_model.AccessLevel(ctx, review.Issue.Poster, review.Issue.Repo) + permission, err := access_model.GetUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster) if err != nil { - log.Error("models.AccessLevel: %v", err) + log.Error("models.GetUserRepoPermission: %v", err) return } @@ -297,7 +297,7 @@ func (n *actionsNotifier) NotifyPullRequestReview(ctx context.Context, pr *issue Action: api.HookIssueReviewed, Index: review.Issue.Index, PullRequest: convert.ToAPIPullRequest(db.DefaultContext, pr, nil), - Repository: convert.ToRepo(ctx, review.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, review.Issue.Repo, permission), Sender: convert.ToUser(ctx, review.Reviewer, nil), Review: &api.ReviewPayload{ Type: string(reviewHookType), @@ -325,9 +325,9 @@ func (*actionsNotifier) NotifyMergePullRequest(ctx context.Context, doer *user_m return } - mode, err := access_model.AccessLevel(ctx, doer, pr.Issue.Repo) + permission, err := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, doer) if err != nil { - log.Error("models.AccessLevel: %v", err) + log.Error("models.GetUserRepoPermission: %v", err) return } @@ -335,7 +335,7 @@ func (*actionsNotifier) NotifyMergePullRequest(ctx context.Context, doer *user_m apiPullRequest := &api.PullRequestPayload{ Index: pr.Issue.Index, PullRequest: convert.ToAPIPullRequest(db.DefaultContext, pr, nil), - Repository: convert.ToRepo(ctx, pr.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, pr.Issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), Action: api.HookIssueClosed, } @@ -366,7 +366,7 @@ func (n *actionsNotifier) NotifyPushCommits(ctx context.Context, pusher *user_mo CompareURL: setting.AppURL + commits.CompareURL, Commits: apiCommits, HeadCommit: apiHeadCommit, - Repo: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repo: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Pusher: apiPusher, Sender: apiPusher, }). @@ -377,7 +377,7 @@ func (n *actionsNotifier) NotifyCreateRef(ctx context.Context, pusher *user_mode ctx = withMethod(ctx, "NotifyCreateRef") apiPusher := convert.ToUser(ctx, pusher, nil) - apiRepo := convert.ToRepo(ctx, repo, perm_model.AccessModeNone) + apiRepo := convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeNone}) newNotifyInput(repo, pusher, webhook_module.HookEventCreate). WithRef(refFullName.ShortName()). // FIXME: should we use a full ref name @@ -395,7 +395,7 @@ func (n *actionsNotifier) NotifyDeleteRef(ctx context.Context, pusher *user_mode ctx = withMethod(ctx, "NotifyDeleteRef") apiPusher := convert.ToUser(ctx, pusher, nil) - apiRepo := convert.ToRepo(ctx, repo, perm_model.AccessModeNone) + apiRepo := convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeNone}) newNotifyInput(repo, pusher, webhook_module.HookEventDelete). WithRef(refFullName.ShortName()). // FIXME: should we use a full ref name @@ -429,7 +429,7 @@ func (n *actionsNotifier) NotifySyncPushCommits(ctx context.Context, pusher *use Commits: apiCommits, TotalCommits: commits.Len, HeadCommit: apiHeadCommit, - Repo: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repo: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Pusher: apiPusher, Sender: apiPusher, }). @@ -494,7 +494,7 @@ func (n *actionsNotifier) NotifyPullRequestSynchronized(ctx context.Context, doe Action: api.HookIssueSynchronized, Index: pr.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pr, nil), - Repository: convert.ToRepo(ctx, pr.Issue.Repo, perm_model.AccessModeNone), + Repository: convert.ToRepo(ctx, pr.Issue.Repo, access_model.Permission{AccessMode: perm_model.AccessModeNone}), Sender: convert.ToUser(ctx, doer, nil), }). WithPullRequest(pr). @@ -514,7 +514,7 @@ func (n *actionsNotifier) NotifyPullRequestChangeTargetBranch(ctx context.Contex return } - mode, _ := access_model.AccessLevel(ctx, pr.Issue.Poster, pr.Issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, pr.Issue.Poster) newNotifyInput(pr.Issue.Repo, doer, webhook_module.HookEventPullRequest). WithPayload(&api.PullRequestPayload{ Action: api.HookIssueEdited, @@ -525,7 +525,7 @@ func (n *actionsNotifier) NotifyPullRequestChangeTargetBranch(ctx context.Contex }, }, PullRequest: convert.ToAPIPullRequest(ctx, pr, nil), - Repository: convert.ToRepo(ctx, pr.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, pr.Issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }). WithPullRequest(pr). @@ -537,7 +537,7 @@ func (n *actionsNotifier) NotifyNewWikiPage(ctx context.Context, doer *user_mode newNotifyInput(repo, doer, webhook_module.HookEventWiki).WithPayload(&api.WikiPayload{ Action: api.HookWikiCreated, - Repository: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, Comment: comment, @@ -549,7 +549,7 @@ func (n *actionsNotifier) NotifyEditWikiPage(ctx context.Context, doer *user_mod newNotifyInput(repo, doer, webhook_module.HookEventWiki).WithPayload(&api.WikiPayload{ Action: api.HookWikiEdited, - Repository: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, Comment: comment, @@ -561,7 +561,7 @@ func (n *actionsNotifier) NotifyDeleteWikiPage(ctx context.Context, doer *user_m newNotifyInput(repo, doer, webhook_module.HookEventWiki).WithPayload(&api.WikiPayload{ Action: api.HookWikiDeleted, - Repository: convert.ToRepo(ctx, repo, perm_model.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm_model.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, }).Notify(ctx) diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go index 5e41241d18f0..69c23656f291 100644 --- a/services/actions/notifier_helper.go +++ b/services/actions/notifier_helper.go @@ -222,14 +222,14 @@ func notifyRelease(ctx context.Context, doer *user_model.User, rel *repo_model.R return } - mode, _ := access_model.AccessLevel(ctx, doer, rel.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, rel.Repo, doer) newNotifyInput(rel.Repo, doer, webhook_module.HookEventRelease). WithRef(git.RefNameFromTag(rel.TagName).String()). WithPayload(&api.ReleasePayload{ Action: action, Release: convert.ToRelease(ctx, rel), - Repository: convert.ToRepo(ctx, rel.Repo, mode), + Repository: convert.ToRepo(ctx, rel.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }). Notify(ctx) diff --git a/services/convert/activity.go b/services/convert/activity.go index 2aaa86607b7e..71a2722a493f 100644 --- a/services/convert/activity.go +++ b/services/convert/activity.go @@ -28,7 +28,7 @@ func ToActivity(ctx context.Context, ac *activities_model.Action, doer *user_mod ActUserID: ac.ActUserID, ActUser: ToUser(ctx, ac.ActUser, doer), RepoID: ac.RepoID, - Repo: ToRepo(ctx, ac.Repo, p.AccessMode), + Repo: ToRepo(ctx, ac.Repo, p), RefName: ac.RefName, IsPrivate: ac.IsPrivate, Content: ac.Content, diff --git a/services/convert/notification.go b/services/convert/notification.go index 5d3b078a25d5..3906fa9b388a 100644 --- a/services/convert/notification.go +++ b/services/convert/notification.go @@ -9,6 +9,7 @@ import ( activities_model "code.gitea.io/gitea/models/activities" "code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" api "code.gitea.io/gitea/modules/structs" ) @@ -24,7 +25,7 @@ func ToNotificationThread(n *activities_model.Notification) *api.NotificationThr // since user only get notifications when he has access to use minimal access mode if n.Repository != nil { - result.Repository = ToRepo(db.DefaultContext, n.Repository, perm.AccessModeRead) + result.Repository = ToRepo(db.DefaultContext, n.Repository, access_model.Permission{AccessMode: perm.AccessModeRead}) // This permission is not correct and we should not be reporting it for repository := result.Repository; repository != nil; repository = repository.Parent { diff --git a/services/convert/package.go b/services/convert/package.go index 7d170ccc253d..276856594bb4 100644 --- a/services/convert/package.go +++ b/services/convert/package.go @@ -22,7 +22,7 @@ func ToPackage(ctx context.Context, pd *packages.PackageDescriptor, doer *user_m } if permission.HasAccess() { - repo = ToRepo(ctx, pd.Repository, permission.AccessMode) + repo = ToRepo(ctx, pd.Repository, permission) } } diff --git a/services/convert/pull.go b/services/convert/pull.go index 1ac0f4e96f1e..e4e3097056a2 100644 --- a/services/convert/pull.go +++ b/services/convert/pull.go @@ -80,7 +80,7 @@ func ToAPIPullRequest(ctx context.Context, pr *issues_model.PullRequest, doer *u Name: pr.BaseBranch, Ref: pr.BaseBranch, RepoID: pr.BaseRepoID, - Repository: ToRepo(ctx, pr.BaseRepo, p.AccessMode), + Repository: ToRepo(ctx, pr.BaseRepo, p), }, Head: &api.PRBranchInfo{ Name: pr.HeadBranch, @@ -152,7 +152,7 @@ func ToAPIPullRequest(ctx context.Context, pr *issues_model.PullRequest, doer *u } apiPullRequest.Head.RepoID = pr.HeadRepo.ID - apiPullRequest.Head.Repository = ToRepo(ctx, pr.HeadRepo, p.AccessMode) + apiPullRequest.Head.Repository = ToRepo(ctx, pr.HeadRepo, p) headGitRepo, err := git.OpenRepository(ctx, pr.HeadRepo.RepoPath()) if err != nil { diff --git a/services/convert/pull_test.go b/services/convert/pull_test.go index 0915d096e66c..e069fa4a68bf 100644 --- a/services/convert/pull_test.go +++ b/services/convert/pull_test.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models/db" issues_model "code.gitea.io/gitea/models/issues" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" "code.gitea.io/gitea/models/unittest" "code.gitea.io/gitea/modules/git" @@ -31,7 +32,7 @@ func TestPullRequest_APIFormat(t *testing.T) { Ref: "refs/pull/2/head", Sha: "4a357436d925b5c974181ff12a994538ddc5a269", RepoID: 1, - Repository: ToRepo(db.DefaultContext, headRepo, perm.AccessModeRead), + Repository: ToRepo(db.DefaultContext, headRepo, access_model.Permission{AccessMode: perm.AccessModeRead}), }, apiPullRequest.Head) // withOut HeadRepo diff --git a/services/convert/repository.go b/services/convert/repository.go index 54a61efe43d5..6f77b4932e4f 100644 --- a/services/convert/repository.go +++ b/services/convert/repository.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/models/perm" + access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" unit_model "code.gitea.io/gitea/models/unit" "code.gitea.io/gitea/modules/log" @@ -16,18 +17,26 @@ import ( ) // ToRepo converts a Repository to api.Repository -func ToRepo(ctx context.Context, repo *repo_model.Repository, mode perm.AccessMode) *api.Repository { - return innerToRepo(ctx, repo, mode, false) +func ToRepo(ctx context.Context, repo *repo_model.Repository, permissionInRepo access_model.Permission) *api.Repository { + return innerToRepo(ctx, repo, permissionInRepo, false) } -func innerToRepo(ctx context.Context, repo *repo_model.Repository, mode perm.AccessMode, isParent bool) *api.Repository { +func innerToRepo(ctx context.Context, repo *repo_model.Repository, permissionInRepo access_model.Permission, isParent bool) *api.Repository { var parent *api.Repository + if permissionInRepo.Units == nil && permissionInRepo.UnitsMode == nil { + // If Units and UnitsMode are both nil, it means that it's a hard coded permission, + // like access_model.Permission{AccessMode: perm.AccessModeAdmin}. + // So we need to load units for the repo, or UnitAccessMode will always return perm.AccessModeNone. + _ = repo.LoadUnits(ctx) // the error is not important, so ignore it + permissionInRepo.Units = repo.Units + } + cloneLink := repo.CloneLink() permission := &api.Permission{ - Admin: mode >= perm.AccessModeAdmin, - Push: mode >= perm.AccessModeWrite, - Pull: mode >= perm.AccessModeRead, + Admin: permissionInRepo.AccessMode >= perm.AccessModeAdmin, + Push: permissionInRepo.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeWrite, + Pull: permissionInRepo.UnitAccessMode(unit_model.TypeCode) >= perm.AccessModeRead, } if !isParent { err := repo.GetBaseRepo(ctx) @@ -35,7 +44,12 @@ func innerToRepo(ctx context.Context, repo *repo_model.Repository, mode perm.Acc return nil } if repo.BaseRepo != nil { - parent = innerToRepo(ctx, repo.BaseRepo, mode, true) + // FIXME: The permission of the parent repo is not correct. + // It's the permission of the current repo, so it's probably different from the parent repo. + // But there isn't a good way to get the permission of the parent repo, because the doer is not passed in. + // Use the permission of the current repo to keep the behavior consistent with the old API. + // Maybe the right way is setting the permission of the parent repo to nil, empty is better than wrong. + parent = innerToRepo(ctx, repo.BaseRepo, permissionInRepo, true) } } @@ -154,7 +168,7 @@ func innerToRepo(ctx context.Context, repo *repo_model.Repository, mode perm.Acc return &api.Repository{ ID: repo.ID, - Owner: ToUserWithAccessMode(ctx, repo.Owner, mode), + Owner: ToUserWithAccessMode(ctx, repo.Owner, permissionInRepo.AccessMode), Name: repo.Name, FullName: repo.FullName(), Description: repo.Description, diff --git a/services/webhook/notifier.go b/services/webhook/notifier.go index bccd477852b7..3332d5d4aa1e 100644 --- a/services/webhook/notifier.go +++ b/services/webhook/notifier.go @@ -11,7 +11,6 @@ import ( "code.gitea.io/gitea/models/perm" access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" - "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/log" @@ -50,7 +49,7 @@ func (m *webhookNotifier) NotifyIssueClearLabels(ctx context.Context, doer *user return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) var err error if issue.IsPull { if err = issue.LoadPullRequest(ctx); err != nil { @@ -62,7 +61,7 @@ func (m *webhookNotifier) NotifyIssueClearLabels(ctx context.Context, doer *user Action: api.HookIssueLabelCleared, Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } else { @@ -70,7 +69,7 @@ func (m *webhookNotifier) NotifyIssueClearLabels(ctx context.Context, doer *user Action: api.HookIssueLabelCleared, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } @@ -80,13 +79,13 @@ func (m *webhookNotifier) NotifyIssueClearLabels(ctx context.Context, doer *user } func (m *webhookNotifier) NotifyForkRepository(ctx context.Context, doer *user_model.User, oldRepo, repo *repo_model.Repository) { - oldMode, _ := access_model.AccessLevel(ctx, doer, oldRepo) - mode, _ := access_model.AccessLevel(ctx, doer, repo) + oldPermission, _ := access_model.GetUserRepoPermission(ctx, oldRepo, doer) + permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer) // forked webhook if err := PrepareWebhooks(ctx, EventSource{Repository: oldRepo}, webhook_module.HookEventFork, &api.ForkPayload{ - Forkee: convert.ToRepo(ctx, oldRepo, oldMode), - Repo: convert.ToRepo(ctx, repo, mode), + Forkee: convert.ToRepo(ctx, oldRepo, oldPermission), + Repo: convert.ToRepo(ctx, repo, permission), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { log.Error("PrepareWebhooks [repo_id: %d]: %v", oldRepo.ID, err) @@ -98,7 +97,7 @@ func (m *webhookNotifier) NotifyForkRepository(ctx context.Context, doer *user_m if u.IsOrganization() { if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventRepository, &api.RepositoryPayload{ Action: api.HookRepoCreated, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Organization: convert.ToUser(ctx, u, nil), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { @@ -111,7 +110,7 @@ func (m *webhookNotifier) NotifyCreateRepository(ctx context.Context, doer, u *u // Add to hook queue for created repo after session commit. if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventRepository, &api.RepositoryPayload{ Action: api.HookRepoCreated, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Organization: convert.ToUser(ctx, u, nil), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { @@ -122,7 +121,7 @@ func (m *webhookNotifier) NotifyCreateRepository(ctx context.Context, doer, u *u func (m *webhookNotifier) NotifyDeleteRepository(ctx context.Context, doer *user_model.User, repo *repo_model.Repository) { if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventRepository, &api.RepositoryPayload{ Action: api.HookRepoDeleted, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Organization: convert.ToUser(ctx, repo.MustOwner(ctx), nil), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { @@ -134,7 +133,7 @@ func (m *webhookNotifier) NotifyMigrateRepository(ctx context.Context, doer, u * // Add to hook queue for created repo after session commit. if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventRepository, &api.RepositoryPayload{ Action: api.HookRepoCreated, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Organization: convert.ToUser(ctx, u, nil), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { @@ -144,7 +143,7 @@ func (m *webhookNotifier) NotifyMigrateRepository(ctx context.Context, doer, u * func (m *webhookNotifier) NotifyIssueChangeAssignee(ctx context.Context, doer *user_model.User, issue *issues_model.Issue, assignee *user_model.User, removed bool, comment *issues_model.Comment) { if issue.IsPull { - mode, _ := access_model.AccessLevelUnit(ctx, doer, issue.Repo, unit.TypePullRequests) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer) if err := issue.LoadPullRequest(ctx); err != nil { log.Error("LoadPullRequest failed: %v", err) @@ -153,7 +152,7 @@ func (m *webhookNotifier) NotifyIssueChangeAssignee(ctx context.Context, doer *u apiPullRequest := &api.PullRequestPayload{ Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), } if removed { @@ -167,11 +166,11 @@ func (m *webhookNotifier) NotifyIssueChangeAssignee(ctx context.Context, doer *u return } } else { - mode, _ := access_model.AccessLevelUnit(ctx, doer, issue.Repo, unit.TypeIssues) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer) apiIssue := &api.IssuePayload{ Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), } if removed { @@ -188,7 +187,7 @@ func (m *webhookNotifier) NotifyIssueChangeAssignee(ctx context.Context, doer *u } func (m *webhookNotifier) NotifyIssueChangeTitle(ctx context.Context, doer *user_model.User, issue *issues_model.Issue, oldTitle string) { - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) var err error if issue.IsPull { if err = issue.LoadPullRequest(ctx); err != nil { @@ -204,7 +203,7 @@ func (m *webhookNotifier) NotifyIssueChangeTitle(ctx context.Context, doer *user }, }, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } else { @@ -217,7 +216,7 @@ func (m *webhookNotifier) NotifyIssueChangeTitle(ctx context.Context, doer *user }, }, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } @@ -228,7 +227,7 @@ func (m *webhookNotifier) NotifyIssueChangeTitle(ctx context.Context, doer *user } func (m *webhookNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *user_model.User, commitID string, issue *issues_model.Issue, actionComment *issues_model.Comment, isClosed bool) { - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) var err error if issue.IsPull { if err = issue.LoadPullRequest(ctx); err != nil { @@ -239,7 +238,7 @@ func (m *webhookNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *use apiPullRequest := &api.PullRequestPayload{ Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), CommitID: commitID, } @@ -253,7 +252,7 @@ func (m *webhookNotifier) NotifyIssueChangeStatus(ctx context.Context, doer *use apiIssue := &api.IssuePayload{ Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), CommitID: commitID, } @@ -279,12 +278,12 @@ func (m *webhookNotifier) NotifyNewIssue(ctx context.Context, issue *issues_mode return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventIssues, &api.IssuePayload{ Action: api.HookIssueOpened, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, issue.Poster, nil), }); err != nil { log.Error("PrepareWebhooks: %v", err) @@ -305,12 +304,12 @@ func (m *webhookNotifier) NotifyNewPullRequest(ctx context.Context, pull *issues return } - mode, _ := access_model.AccessLevel(ctx, pull.Issue.Poster, pull.Issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, pull.Issue.Repo, pull.Issue.Poster) if err := PrepareWebhooks(ctx, EventSource{Repository: pull.Issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{ Action: api.HookIssueOpened, Index: pull.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pull, nil), - Repository: convert.ToRepo(ctx, pull.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, pull.Issue.Repo, permission), Sender: convert.ToUser(ctx, pull.Issue.Poster, nil), }); err != nil { log.Error("PrepareWebhooks: %v", err) @@ -323,7 +322,7 @@ func (m *webhookNotifier) NotifyIssueChangeContent(ctx context.Context, doer *us return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) var err error if issue.IsPull { if err := issue.LoadPullRequest(ctx); err != nil { @@ -339,7 +338,7 @@ func (m *webhookNotifier) NotifyIssueChangeContent(ctx context.Context, doer *us }, }, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } else { @@ -352,7 +351,7 @@ func (m *webhookNotifier) NotifyIssueChangeContent(ctx context.Context, doer *us }, }, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } @@ -383,7 +382,7 @@ func (m *webhookNotifier) NotifyUpdateComment(ctx context.Context, doer *user_mo eventType = webhook_module.HookEventIssueComment } - mode, _ := access_model.AccessLevel(ctx, doer, c.Issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, c.Issue.Repo, doer) if err := PrepareWebhooks(ctx, EventSource{Repository: c.Issue.Repo}, eventType, &api.IssueCommentPayload{ Action: api.HookIssueCommentEdited, Issue: convert.ToAPIIssue(ctx, c.Issue), @@ -393,7 +392,7 @@ func (m *webhookNotifier) NotifyUpdateComment(ctx context.Context, doer *user_mo From: oldContent, }, }, - Repository: convert.ToRepo(ctx, c.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, c.Issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), IsPull: c.Issue.IsPull, }); err != nil { @@ -411,12 +410,12 @@ func (m *webhookNotifier) NotifyCreateIssueComment(ctx context.Context, doer *us eventType = webhook_module.HookEventIssueComment } - mode, _ := access_model.AccessLevel(ctx, doer, repo) + permission, _ := access_model.GetUserRepoPermission(ctx, repo, doer) if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, eventType, &api.IssueCommentPayload{ Action: api.HookIssueCommentCreated, Issue: convert.ToAPIIssue(ctx, issue), Comment: convert.ToComment(ctx, comment), - Repository: convert.ToRepo(ctx, repo, mode), + Repository: convert.ToRepo(ctx, repo, permission), Sender: convert.ToUser(ctx, doer, nil), IsPull: issue.IsPull, }); err != nil { @@ -448,12 +447,12 @@ func (m *webhookNotifier) NotifyDeleteComment(ctx context.Context, doer *user_mo eventType = webhook_module.HookEventIssueComment } - mode, _ := access_model.AccessLevel(ctx, doer, comment.Issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, comment.Issue.Repo, doer) if err := PrepareWebhooks(ctx, EventSource{Repository: comment.Issue.Repo}, eventType, &api.IssueCommentPayload{ Action: api.HookIssueCommentDeleted, Issue: convert.ToAPIIssue(ctx, comment.Issue), Comment: convert.ToComment(ctx, comment), - Repository: convert.ToRepo(ctx, comment.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, comment.Issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), IsPull: comment.Issue.IsPull, }); err != nil { @@ -465,7 +464,7 @@ func (m *webhookNotifier) NotifyNewWikiPage(ctx context.Context, doer *user_mode // Add to hook queue for created wiki page. if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventWiki, &api.WikiPayload{ Action: api.HookWikiCreated, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, Comment: comment, @@ -478,7 +477,7 @@ func (m *webhookNotifier) NotifyEditWikiPage(ctx context.Context, doer *user_mod // Add to hook queue for edit wiki page. if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventWiki, &api.WikiPayload{ Action: api.HookWikiEdited, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, Comment: comment, @@ -491,7 +490,7 @@ func (m *webhookNotifier) NotifyDeleteWikiPage(ctx context.Context, doer *user_m // Add to hook queue for edit wiki page. if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventWiki, &api.WikiPayload{ Action: api.HookWikiDeleted, - Repository: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repository: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), Page: page, }); err != nil { @@ -514,7 +513,7 @@ func (m *webhookNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use return } - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) if issue.IsPull { if err = issue.LoadPullRequest(ctx); err != nil { log.Error("loadPullRequest: %v", err) @@ -528,7 +527,7 @@ func (m *webhookNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use Action: api.HookIssueLabelUpdated, Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, perm.AccessModeNone), + Repository: convert.ToRepo(ctx, issue.Repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), }) } else { @@ -536,7 +535,7 @@ func (m *webhookNotifier) NotifyIssueChangeLabels(ctx context.Context, doer *use Action: api.HookIssueLabelUpdated, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } @@ -559,7 +558,7 @@ func (m *webhookNotifier) NotifyIssueChangeMilestone(ctx context.Context, doer * return } - mode, _ := access_model.AccessLevel(ctx, doer, issue.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer) if issue.IsPull { err = issue.PullRequest.LoadIssue(ctx) if err != nil { @@ -570,7 +569,7 @@ func (m *webhookNotifier) NotifyIssueChangeMilestone(ctx context.Context, doer * Action: hookAction, Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } else { @@ -578,7 +577,7 @@ func (m *webhookNotifier) NotifyIssueChangeMilestone(ctx context.Context, doer * Action: hookAction, Index: issue.Index, Issue: convert.ToAPIIssue(ctx, issue), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }) } @@ -603,7 +602,7 @@ func (m *webhookNotifier) NotifyPushCommits(ctx context.Context, pusher *user_mo Commits: apiCommits, TotalCommits: commits.Len, HeadCommit: apiHeadCommit, - Repo: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repo: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Pusher: apiPusher, Sender: apiPusher, }); err != nil { @@ -633,9 +632,9 @@ func (*webhookNotifier) NotifyMergePullRequest(ctx context.Context, doer *user_m return } - mode, err := access_model.AccessLevel(ctx, doer, pr.Issue.Repo) + permission, err := access_model.GetUserRepoPermission(ctx, pr.Issue.Repo, doer) if err != nil { - log.Error("models.AccessLevel: %v", err) + log.Error("models.GetUserRepoPermission: %v", err) return } @@ -643,7 +642,7 @@ func (*webhookNotifier) NotifyMergePullRequest(ctx context.Context, doer *user_m apiPullRequest := &api.PullRequestPayload{ Index: pr.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pr, nil), - Repository: convert.ToRepo(ctx, pr.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, pr.Issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), Action: api.HookIssueClosed, } @@ -661,7 +660,7 @@ func (m *webhookNotifier) NotifyPullRequestChangeTargetBranch(ctx context.Contex issue := pr.Issue - mode, _ := access_model.AccessLevel(ctx, issue.Poster, issue.Repo) + mode, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, issue.Poster) if err := PrepareWebhooks(ctx, EventSource{Repository: issue.Repo}, webhook_module.HookEventPullRequest, &api.PullRequestPayload{ Action: api.HookIssueEdited, Index: issue.Index, @@ -699,16 +698,16 @@ func (m *webhookNotifier) NotifyPullRequestReview(ctx context.Context, pr *issue return } - mode, err := access_model.AccessLevel(ctx, review.Issue.Poster, review.Issue.Repo) + permission, err := access_model.GetUserRepoPermission(ctx, review.Issue.Repo, review.Issue.Poster) if err != nil { - log.Error("models.AccessLevel: %v", err) + log.Error("models.GetUserRepoPermission: %v", err) return } if err := PrepareWebhooks(ctx, EventSource{Repository: review.Issue.Repo}, reviewHookType, &api.PullRequestPayload{ Action: api.HookIssueReviewed, Index: review.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pr, nil), - Repository: convert.ToRepo(ctx, review.Issue.Repo, mode), + Repository: convert.ToRepo(ctx, review.Issue.Repo, permission), Sender: convert.ToUser(ctx, review.Reviewer, nil), Review: &api.ReviewPayload{ Type: string(reviewHookType), @@ -724,7 +723,7 @@ func (m *webhookNotifier) NotifyPullRequestReviewRequest(ctx context.Context, do log.Warn("NotifyPullRequestReviewRequest: issue is not a pull request: %v", issue.ID) return } - mode, _ := access_model.AccessLevelUnit(ctx, doer, issue.Repo, unit.TypePullRequests) + permission, _ := access_model.GetUserRepoPermission(ctx, issue.Repo, doer) if err := issue.LoadPullRequest(ctx); err != nil { log.Error("LoadPullRequest failed: %v", err) return @@ -733,7 +732,7 @@ func (m *webhookNotifier) NotifyPullRequestReviewRequest(ctx context.Context, do Index: issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, issue.PullRequest, nil), RequestedReviewer: convert.ToUser(ctx, reviewer, nil), - Repository: convert.ToRepo(ctx, issue.Repo, mode), + Repository: convert.ToRepo(ctx, issue.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), } if isRequest { @@ -749,7 +748,7 @@ func (m *webhookNotifier) NotifyPullRequestReviewRequest(ctx context.Context, do func (m *webhookNotifier) NotifyCreateRef(ctx context.Context, pusher *user_model.User, repo *repo_model.Repository, refFullName git.RefName, refID string) { apiPusher := convert.ToUser(ctx, pusher, nil) - apiRepo := convert.ToRepo(ctx, repo, perm.AccessModeNone) + apiRepo := convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeNone}) refName := refFullName.ShortName() if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventCreate, &api.CreatePayload{ @@ -777,7 +776,7 @@ func (m *webhookNotifier) NotifyPullRequestSynchronized(ctx context.Context, doe Action: api.HookIssueSynchronized, Index: pr.Issue.Index, PullRequest: convert.ToAPIPullRequest(ctx, pr, nil), - Repository: convert.ToRepo(ctx, pr.Issue.Repo, perm.AccessModeNone), + Repository: convert.ToRepo(ctx, pr.Issue.Repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { log.Error("PrepareWebhooks [pull_id: %v]: %v", pr.ID, err) @@ -786,7 +785,7 @@ func (m *webhookNotifier) NotifyPullRequestSynchronized(ctx context.Context, doe func (m *webhookNotifier) NotifyDeleteRef(ctx context.Context, pusher *user_model.User, repo *repo_model.Repository, refFullName git.RefName) { apiPusher := convert.ToUser(ctx, pusher, nil) - apiRepo := convert.ToRepo(ctx, repo, perm.AccessModeNone) + apiRepo := convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}) refName := refFullName.ShortName() if err := PrepareWebhooks(ctx, EventSource{Repository: repo}, webhook_module.HookEventDelete, &api.DeletePayload{ @@ -806,11 +805,11 @@ func sendReleaseHook(ctx context.Context, doer *user_model.User, rel *repo_model return } - mode, _ := access_model.AccessLevel(ctx, doer, rel.Repo) + permission, _ := access_model.GetUserRepoPermission(ctx, rel.Repo, doer) if err := PrepareWebhooks(ctx, EventSource{Repository: rel.Repo}, webhook_module.HookEventRelease, &api.ReleasePayload{ Action: action, Release: convert.ToRelease(ctx, rel), - Repository: convert.ToRepo(ctx, rel.Repo, mode), + Repository: convert.ToRepo(ctx, rel.Repo, permission), Sender: convert.ToUser(ctx, doer, nil), }); err != nil { log.Error("PrepareWebhooks: %v", err) @@ -845,7 +844,7 @@ func (m *webhookNotifier) NotifySyncPushCommits(ctx context.Context, pusher *use Commits: apiCommits, TotalCommits: commits.Len, HeadCommit: apiHeadCommit, - Repo: convert.ToRepo(ctx, repo, perm.AccessModeOwner), + Repo: convert.ToRepo(ctx, repo, access_model.Permission{AccessMode: perm.AccessModeOwner}), Pusher: apiPusher, Sender: apiPusher, }); err != nil {