From a846bfefd84fac9088c6497a21dc77412d6d2835 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Thu, 28 Jul 2022 15:04:03 +0200 Subject: [PATCH] Extended permission checks. (#20517) --- modules/context/package.go | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/context/package.go b/modules/context/package.go index 4c52907dc5..92a97831dd 100644 --- a/modules/context/package.go +++ b/modules/context/package.go @@ -11,6 +11,7 @@ import ( "code.gitea.io/gitea/models/organization" packages_model "code.gitea.io/gitea/models/packages" "code.gitea.io/gitea/models/perm" + "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/structs" ) @@ -52,14 +53,30 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) { } if ctx.Package.Owner.IsOrganization() { + org := organization.OrgFromUser(ctx.Package.Owner) + // 1. Get user max authorize level for the org (may be none, if user is not member of the org) if ctx.Doer != nil { var err error - ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID) + ctx.Package.AccessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID) if err != nil { errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err) return } + // If access mode is less than write check every team for more permissions + if ctx.Package.AccessMode < perm.AccessModeWrite { + teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID) + if err != nil { + errCb(http.StatusInternalServerError, "GetUserOrgTeams", err) + return + } + for _, t := range teams { + perm := t.UnitAccessModeCtx(ctx, unit.TypePackages) + if ctx.Package.AccessMode < perm { + ctx.Package.AccessMode = perm + } + } + } } // 2. If authorize level is none, check if org is visible to user if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {