osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Watch 15
Star 7
Wiki 捐赠
本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 4f0cac5ea6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f0cac5ea6'
${ noResults }
com/models/repo_permission.go

387 lines
10KB
Raw Blame History 

  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package models

  6. 

  7. import (

  8. 	"fmt"

  9. 

  10. 	"code.gitea.io/gitea/modules/log"

  11. )

  12. 

  13. // Permission contains all the permissions related variables to a repository for a user

  14. type Permission struct {

  15. 	AccessMode AccessMode

  16. 	Units      []*RepoUnit

  17. 	UnitsMode  map[UnitType]AccessMode

  18. }

  19. 

  20. // IsOwner returns true if current user is the owner of repository.

  21. func (p *Permission) IsOwner() bool {

  22. 	return p.AccessMode >= AccessModeOwner

  23. }

  24. 

  25. // IsAdmin returns true if current user has admin or higher access of repository.

  26. func (p *Permission) IsAdmin() bool {

  27. 	return p.AccessMode >= AccessModeAdmin

  28. }

  29. 

  30. // HasAccess returns true if the current user has at least read access to any unit of this repository

  31. func (p *Permission) HasAccess() bool {

  32. 	if p.UnitsMode == nil {

  33. 		return p.AccessMode >= AccessModeRead

  34. 	}

  35. 	return len(p.UnitsMode) > 0

  36. }

  37. 

  38. // UnitAccessMode returns current user accessmode to the specify unit of the repository

  39. func (p *Permission) UnitAccessMode(unitType UnitType) AccessMode {

  40. 	if p.UnitsMode == nil {

  41. 		for _, u := range p.Units {

  42. 			if u.Type == unitType {

  43. 				return p.AccessMode

  44. 			}

  45. 		}

  46. 		return AccessModeNone

  47. 	}

  48. 	return p.UnitsMode[unitType]

  49. }

  50. 

  51. // CanAccess returns true if user has mode access to the unit of the repository

  52. func (p *Permission) CanAccess(mode AccessMode, unitType UnitType) bool {

  53. 	return p.UnitAccessMode(unitType) >= mode

  54. }

  55. 

  56. // CanAccessAny returns true if user has mode access to any of the units of the repository

  57. func (p *Permission) CanAccessAny(mode AccessMode, unitTypes ...UnitType) bool {

  58. 	for _, u := range unitTypes {

  59. 		if p.CanAccess(mode, u) {

  60. 			return true

  61. 		}

  62. 	}

  63. 	return false

  64. }

  65. 

  66. // CanRead returns true if user could read to this unit

  67. func (p *Permission) CanRead(unitType UnitType) bool {

  68. 	return p.CanAccess(AccessModeRead, unitType)

  69. }

  70. 

  71. // CanReadAny returns true if user has read access to any of the units of the repository

  72. func (p *Permission) CanReadAny(unitTypes ...UnitType) bool {

  73. 	return p.CanAccessAny(AccessModeRead, unitTypes...)

  74. }

  75. 

  76. // CanReadIssuesOrPulls returns true if isPull is true and user could read pull requests and

  77. // returns true if isPull is false and user could read to issues

  78. func (p *Permission) CanReadIssuesOrPulls(isPull bool) bool {

  79. 	if isPull {

  80. 		return p.CanRead(UnitTypePullRequests)

  81. 	}

  82. 	return p.CanRead(UnitTypeIssues)

  83. }

  84. 

  85. // CanWrite returns true if user could write to this unit

  86. func (p *Permission) CanWrite(unitType UnitType) bool {

  87. 	return p.CanAccess(AccessModeWrite, unitType)

  88. }

  89. 

  90. // CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and

  91. // returns true if isPull is false and user could write to issues

  92. func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {

  93. 	if isPull {

  94. 		return p.CanWrite(UnitTypePullRequests)

  95. 	}

  96. 	return p.CanWrite(UnitTypeIssues)

  97. }

  98. 

  99. // ColorFormat writes a colored string for these Permissions

  100. func (p *Permission) ColorFormat(s fmt.State) {

  101. 	noColor := log.ColorBytes(log.Reset)

  102. 

  103. 	format := "AccessMode: %-v, %d Units, %d UnitsMode(s): [ "

  104. 	args := []interface{}{

  105. 		p.AccessMode,

  106. 		log.NewColoredValueBytes(len(p.Units), &noColor),

  107. 		log.NewColoredValueBytes(len(p.UnitsMode), &noColor),

  108. 	}

  109. 	if s.Flag('+') {

  110. 		for i, unit := range p.Units {

  111. 			config := ""

  112. 			if unit.Config != nil {

  113. 				configBytes, err := unit.Config.ToDB()

  114. 				config = string(configBytes)

  115. 				if err != nil {

  116. 					config = err.Error()

  117. 				}

  118. 			}

  119. 			format += "\nUnits[%d]: ID: %d RepoID: %d Type: %-v Config: %s"

  120. 			args = append(args,

  121. 				log.NewColoredValueBytes(i, &noColor),

  122. 				log.NewColoredIDValue(unit.ID),

  123. 				log.NewColoredIDValue(unit.RepoID),

  124. 				unit.Type,

  125. 				config)

  126. 		}

  127. 		for key, value := range p.UnitsMode {

  128. 			format += "\nUnitMode[%-v]: %-v"

  129. 			args = append(args,

  130. 				key,

  131. 				value)

  132. 		}

  133. 	} else {

  134. 		format += "..."

  135. 	}

  136. 	format += " ]"

  137. 	log.ColorFprintf(s, format, args...)

  138. }

  139. 

  140. // GetUserRepoPermission returns the user permissions to the repository

  141. func GetUserRepoPermission(repo *Repository, user *User) (Permission, error) {

  142. 	return getUserRepoPermission(x, repo, user)

  143. }

  144. 

  145. func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permission, err error) {

  146. 	if log.IsTrace() {

  147. 		defer func() {

  148. 			if user == nil {

  149. 				log.Trace("Permission Loaded for anonymous user in %-v:\nPermissions: %-+v",

  150. 					repo,

  151. 					perm)

  152. 				return

  153. 			}

  154. 			log.Trace("Permission Loaded for %-v in %-v:\nPermissions: %-+v",

  155. 				user,

  156. 				repo,

  157. 				perm)

  158. 		}()

  159. 	}

  160. 	// anonymous user visit private repo.

  161. 	// TODO: anonymous user visit public unit of private repo???

  162. 	if user == nil && repo.IsPrivate {

  163. 		perm.AccessMode = AccessModeRead

  164. 		//return

  165. 	}

  166. 

  167. 	if repo.Owner == nil {

  168. 		repo.mustOwner(e)

  169. 	}

  170. 

  171. 	var isCollaborator bool

  172. 	if user != nil {

  173. 		isCollaborator, err = repo.isCollaborator(e, user.ID)

  174. 		if err != nil {

  175. 			return perm, err

  176. 		}

  177. 	}

  178. 

  179. 	// Prevent strangers from checking out public repo of private orginization

  180. 	// Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself

  181. 	if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator {

  182. 		perm.AccessMode = AccessModeNone

  183. 		return

  184. 	}

  185. 

  186. 	if err = repo.getUnits(e); err != nil {

  187. 		return

  188. 	}

  189. 

  190. 	perm.Units = repo.Units

  191. 

  192. 	perm.UnitsMode = make(map[UnitType]AccessMode)

  193. 

  194. 	// anonymous visit all repo

  195. 	if user == nil {

  196. 		perm.AccessMode = AccessModeRead

  197. 		//匿名用户开放wiki只读权限

  198. 		perm.UnitsMode[UnitTypeWiki] = perm.AccessMode

  199. 		return

  200. 	}

  201. 

  202. 	// Admin or the owner has super access to the repository

  203. 	if user.IsAdmin || user.ID == repo.OwnerID {

  204. 		perm.AccessMode = AccessModeOwner

  205. 		//owner库code、issue、PRs等赋予默认owner权限

  206. 		for _, u := range repo.Units {

  207. 			perm.UnitsMode[u.Type] = perm.AccessMode

  208. 		}

  209. 		return

  210. 	}

  211. 

  212. 	// plain user

  213. 	perm.AccessMode, err = accessLevel(e, user.ID, repo)

  214. 	if err != nil {

  215. 		return

  216. 	}

  217. 	//私有库公开wik权限

  218. 	if repo.IsPrivate {

  219. 		perm.UnitsMode[UnitTypeWiki] = perm.AccessMode

  220. 	}else{

  221. 		//公开库code、issue、PRs等赋予默认只读权限

  222. 		for _, u := range repo.Units {

  223. 			perm.UnitsMode[u.Type] = perm.AccessMode

  224. 		}

  225. 	}

  226. 

  227. 	if err = repo.getOwner(e); err != nil {

  228. 		return

  229. 	}

  230. 	// Collaborators on organization

  231. 	if isCollaborator {

  232. 		for _, u := range repo.Units {

  233. 			perm.UnitsMode[u.Type] = perm.AccessMode

  234. 		}

  235. 	}

  236. 

  237. 	if !repo.Owner.IsOrganization() {

  238. 		return

  239. 	}

  240. 

  241. 	// get units mode from teams

  242. 	teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)

  243. 	if err != nil {

  244. 		return

  245. 	}

  246. 

  247. 	// if user in an owner team

  248. 	for _, team := range teams {

  249. 		if team.Authorize >= AccessModeOwner {

  250. 			perm.AccessMode = AccessModeOwner

  251. 			perm.UnitsMode = nil

  252. 			return

  253. 		}

  254. 	}

  255. 

  256. 	for _, u := range repo.Units {

  257. 		var found bool

  258. 		for _, team := range teams {

  259. 			if team.unitEnabled(e, u.Type) {

  260. 				m := perm.UnitsMode[u.Type]

  261. 				if m < team.Authorize {

  262. 					perm.UnitsMode[u.Type] = team.Authorize

  263. 				}

  264. 				found = true

  265. 			}

  266. 		}

  267. 

  268. 		// for a public repo on an organization, user have read permission on non-team defined units.

  269. 		if !found && !repo.IsPrivate {

  270. 			if _, ok := perm.UnitsMode[u.Type]; !ok {

  271. 				perm.UnitsMode[u.Type] = AccessModeRead

  272. 			}

  273. 		}

  274. 	}

  275. 

  276. 	// remove no permission units

  277. 	perm.Units = make([]*RepoUnit, 0, len(repo.Units))

  278. 	for t := range perm.UnitsMode {

  279. 		for _, u := range repo.Units {

  280. 			if u.Type == t {

  281. 				perm.Units = append(perm.Units, u)

  282. 			}

  283. 		}

  284. 	}

  285. 

  286. 	return

  287. }

  288. 

  289. // IsUserRepoAdmin return ture if user has admin right of a repo

  290. func IsUserRepoAdmin(repo *Repository, user *User) (bool, error) {

  291. 	return isUserRepoAdmin(x, repo, user)

  292. }

  293. 

  294. func isUserRepoAdmin(e Engine, repo *Repository, user *User) (bool, error) {

  295. 	if user == nil || repo == nil {

  296. 		return false, nil

  297. 	}

  298. 	if user.IsAdmin {

  299. 		return true, nil

  300. 	}

  301. 

  302. 	mode, err := accessLevel(e, user.ID, repo)

  303. 	if err != nil {

  304. 		return false, err

  305. 	}

  306. 	if mode >= AccessModeAdmin {

  307. 		return true, nil

  308. 	}

  309. 

  310. 	teams, err := getUserRepoTeams(e, repo.OwnerID, user.ID, repo.ID)

  311. 	if err != nil {

  312. 		return false, err

  313. 	}

  314. 

  315. 	for _, team := range teams {

  316. 		if team.Authorize >= AccessModeAdmin {

  317. 			return true, nil

  318. 		}

  319. 	}

  320. 	return false, nil

  321. }

  322. 

  323. // AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the

  324. // user does not have access.

  325. func AccessLevel(user *User, repo *Repository) (AccessMode, error) {

  326. 	return accessLevelUnit(x, user, repo, UnitTypeCode)

  327. }

  328. 

  329. // AccessLevelUnit returns the Access a user has to a repository's. Will return NoneAccess if the

  330. // user does not have access.

  331. func AccessLevelUnit(user *User, repo *Repository, unitType UnitType) (AccessMode, error) {

  332. 	return accessLevelUnit(x, user, repo, unitType)

  333. }

  334. 

  335. func accessLevelUnit(e Engine, user *User, repo *Repository, unitType UnitType) (AccessMode, error) {

  336. 	perm, err := getUserRepoPermission(e, repo, user)

  337. 	if err != nil {

  338. 		return AccessModeNone, err

  339. 	}

  340. 	return perm.UnitAccessMode(unitType), nil

  341. }

  342. 

  343. func hasAccessUnit(e Engine, user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {

  344. 	mode, err := accessLevelUnit(e, user, repo, unitType)

  345. 	return testMode <= mode, err

  346. }

  347. 

  348. // HasAccessUnit returns ture if user has testMode to the unit of the repository

  349. func HasAccessUnit(user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {

  350. 	return hasAccessUnit(x, user, repo, unitType, testMode)

  351. }

  352. 

  353. // CanBeAssigned return true if user can be assigned to issue or pull requests in repo

  354. // Currently any write access (code, issues or pr's) is assignable, to match assignee list in user interface.

  355. // FIXME: user could send PullRequest also could be assigned???

  356. func CanBeAssigned(user *User, repo *Repository, isPull bool) (bool, error) {

  357. 	if user.IsOrganization() {

  358. 		return false, fmt.Errorf("Organization can't be added as assignee [user_id: %d, repo_id: %d]", user.ID, repo.ID)

  359. 	}

  360. 	perm, err := GetUserRepoPermission(repo, user)

  361. 	if err != nil {

  362. 		return false, err

  363. 	}

  364. 	return perm.CanAccessAny(AccessModeWrite, UnitTypeCode, UnitTypeIssues, UnitTypePullRequests), nil

  365. }

  366. 

  367. func hasAccess(e Engine, userID int64, repo *Repository) (bool, error) {

  368. 	var user *User

  369. 	var err error

  370. 	if userID > 0 {

  371. 		user, err = getUserByID(e, userID)

  372. 		if err != nil {

  373. 			return false, err

  374. 		}

  375. 	}

  376. 	perm, err := getUserRepoPermission(e, repo, user)

  377. 	if err != nil {

  378. 		return false, err

  379. 	}

  380. 	return perm.HasAccess(), nil

  381. }

  382. 

  383. // HasAccess returns true if user has access to repo

  384. func HasAccess(userID int64, repo *Repository) (bool, error) {

  385. 	return hasAccess(x, userID, repo)

  386. }
上海开阖软件有限公司 沪ICP备12045867号-1