Skip to content

Fix org package owner permissions #19742

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
May 19, 2022
Merged

Fix org package owner permissions #19742

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
39ccd79
Fix org package owner permissions.
KN4CK3R May 18, 2022
d7e6472
Merge branch 'main' into fix-19583-2
6543 May 18, 2022
1ee5c4e
Merge branch 'main' into fix-19583-2
6543 May 18, 2022
f9abdd1
Merge branch 'main' into fix-19583-2
6543 May 19, 2022
eea6003
Merge branch 'main' into fix-19583-2
6543 May 19, 2022
f9ff654
Merge branch 'main' into fix-19583-2
6543 May 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 21 additions & 13 deletions modules/context/package.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
packages_model "code.gitea.io/gitea/models/packages"
"code.gitea.io/gitea/models/perm"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/structs"
)

// Package contains owner, access mode and optional the package descriptor
Expand Down Expand Up @@ -50,22 +51,29 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
Owner: ctx.ContextUser,
}

if ctx.Doer != nil && ctx.Doer.ID == ctx.ContextUser.ID {
ctx.Package.AccessMode = perm.AccessModeOwner
if ctx.Package.Owner.IsOrganization() {
// 1. Get user max authorize level for the org (may be none, if user is not member of the org)
if ctx.Doer != nil {
var err error
ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
if err != nil {
errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
return
}
}
// 2. If authorize level is none, check if org is visible to user
if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
ctx.Package.AccessMode = perm.AccessModeRead
}
} else {
if ctx.Package.Owner.IsOrganization() {
if organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
if ctx.Doer != nil && !ctx.Doer.IsGhost() {
// 1. Check if user is package owner
if ctx.Doer.ID == ctx.Package.Owner.ID {
ctx.Package.AccessMode = perm.AccessModeOwner
} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic || ctx.Package.Owner.Visibility == structs.VisibleTypeLimited { // 2. Check if package owner is public or limited
ctx.Package.AccessMode = perm.AccessModeRead
if ctx.Doer != nil {
var err error
ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
if err != nil {
errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
return
}
}
}
} else {
} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic { // 3. Check if package owner is public
ctx.Package.AccessMode = perm.AccessModeRead
}
}
Expand Down