meissa
/
forgejo
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix org package owner permissions (#19742)

Browse Source 
Old code did not respect owner visibility and the organization access calculation was wrong if the user was not a member.
forgejo
KN4CK3R 2 years ago committed by GitHub
parent 3e5ea9a978
commit ce52514762
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File

34
modules/context/package.go
Unescape Escape View File

@ -12,6 +12,7 @@ import (
packages_model "code.gitea.io/gitea/models/packages" packages_model "code.gitea.io/gitea/models/packages"
"code.gitea.io/gitea/models/perm" "code.gitea.io/gitea/models/perm"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/structs"
) )
// Package contains owner, access mode and optional the package descriptor // Package contains owner, access mode and optional the package descriptor
@ -50,22 +51,29 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
Owner: ctx.ContextUser, Owner: ctx.ContextUser,
} }
if ctx.Doer != nil && ctx.Doer.ID == ctx.ContextUser.ID { if ctx.Package.Owner.IsOrganization() {
ctx.Package.AccessMode = perm.AccessModeOwner // 1. Get user max authorize level for the org (may be none, if user is not member of the org)
if ctx.Doer != nil {
var err error
ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
if err != nil {
errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
return
}
}
// 2. If authorize level is none, check if org is visible to user
if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
ctx.Package.AccessMode = perm.AccessModeRead
}
} else { } else {
if ctx.Package.Owner.IsOrganization() { if ctx.Doer != nil && !ctx.Doer.IsGhost() {
if organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) { // 1. Check if user is package owner
if ctx.Doer.ID == ctx.Package.Owner.ID {
ctx.Package.AccessMode = perm.AccessModeOwner
} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic || ctx.Package.Owner.Visibility == structs.VisibleTypeLimited { // 2. Check if package owner is public or limited
ctx.Package.AccessMode = perm.AccessModeRead ctx.Package.AccessMode = perm.AccessModeRead
if ctx.Doer != nil {
var err error
ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
if err != nil {
errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
return
}
}
} }
} else { } else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic { // 3. Check if package owner is public
ctx.Package.AccessMode = perm.AccessModeRead ctx.Package.AccessMode = perm.AccessModeRead
} }
} }

Write Preview
Loading…
Cancel
Save