forgejo/modules/convert/notification.go
zeripath a9af93cb21
Nuke the incorrect permission report on /api/v1/notifications (#19761)
The permissions created in convertRepo use a minimal perm.AccessModeRead instead of
correctly computing the permission for the repository. This incorrect permission is
then reported to the user.

I do not believe that reporting the permissions is helpful and therefore I propose
we simply null these out. The user can check their permissions using a different
endpoint.

Fix #19759

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-05-20 18:57:49 +02:00

96 lines
3.1 KiB
Go

// Copyright 2020 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package convert
import (
"net/url"
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/models/perm"
api "code.gitea.io/gitea/modules/structs"
)
// ToNotificationThread convert a Notification to api.NotificationThread
func ToNotificationThread(n *models.Notification) *api.NotificationThread {
result := &api.NotificationThread{
ID: n.ID,
Unread: !(n.Status == models.NotificationStatusRead || n.Status == models.NotificationStatusPinned),
Pinned: n.Status == models.NotificationStatusPinned,
UpdatedAt: n.UpdatedUnix.AsTime(),
URL: n.APIURL(),
}
// since user only get notifications when he has access to use minimal access mode
if n.Repository != nil {
result.Repository = ToRepo(n.Repository, perm.AccessModeRead)
// This permission is not correct and we should not be reporting it
for repository := result.Repository; repository != nil; repository = repository.Parent {
repository.Permissions = nil
}
}
// handle Subject
switch n.Source {
case models.NotificationSourceIssue:
result.Subject = &api.NotificationSubject{Type: api.NotifySubjectIssue}
if n.Issue != nil {
result.Subject.Title = n.Issue.Title
result.Subject.URL = n.Issue.APIURL()
result.Subject.HTMLURL = n.Issue.HTMLURL()
result.Subject.State = n.Issue.State()
comment, err := n.Issue.GetLastComment()
if err == nil && comment != nil {
result.Subject.LatestCommentURL = comment.APIURL()
result.Subject.LatestCommentHTMLURL = comment.HTMLURL()
}
}
case models.NotificationSourcePullRequest:
result.Subject = &api.NotificationSubject{Type: api.NotifySubjectPull}
if n.Issue != nil {
result.Subject.Title = n.Issue.Title
result.Subject.URL = n.Issue.APIURL()
result.Subject.HTMLURL = n.Issue.HTMLURL()
result.Subject.State = n.Issue.State()
comment, err := n.Issue.GetLastComment()
if err == nil && comment != nil {
result.Subject.LatestCommentURL = comment.APIURL()
result.Subject.LatestCommentHTMLURL = comment.HTMLURL()
}
pr, _ := n.Issue.GetPullRequest()
if pr != nil && pr.HasMerged {
result.Subject.State = "merged"
}
}
case models.NotificationSourceCommit:
url := n.Repository.HTMLURL() + "/commit/" + url.PathEscape(n.CommitID)
result.Subject = &api.NotificationSubject{
Type: api.NotifySubjectCommit,
Title: n.CommitID,
URL: url,
HTMLURL: url,
}
case models.NotificationSourceRepository:
result.Subject = &api.NotificationSubject{
Type: api.NotifySubjectRepository,
Title: n.Repository.FullName(),
// FIXME: this is a relative URL, rather useless and inconsistent, but keeping for backwards compat
URL: n.Repository.Link(),
HTMLURL: n.Repository.HTMLURL(),
}
}
return result
}
// ToNotifications convert list of Notification to api.NotificationThread list
func ToNotifications(nl models.NotificationList) []*api.NotificationThread {
result := make([]*api.NotificationThread, 0, len(nl))
for _, n := range nl {
result = append(result, ToNotificationThread(n))
}
return result
}