Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow everyone to read or write a wiki by a repo unit setting #30495

Merged
merged 25 commits into from
Apr 17, 2024
Merged

Allow everyone to read or write a wiki by a repo unit setting #30495

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
9a58412
fix
wxiaoguang Apr 15, 2024
8ba2d63
fix test
wxiaoguang Apr 15, 2024
69396b5
always check map length instead of nil
wxiaoguang Apr 15, 2024
6664f3c
more tests
wxiaoguang Apr 15, 2024
5a4b286
u.EveryoneAccessMode >= perm_model.AccessModeRead
wxiaoguang Apr 15, 2024
34650ad
fix permission check
wxiaoguang Apr 15, 2024
96d435c
no need to introduce "unset"
wxiaoguang Apr 15, 2024
cbd2e24
fix permission check in convert function
wxiaoguang Apr 15, 2024
756bb79
fine tune
wxiaoguang Apr 15, 2024
e8dda7e
fix model default
wxiaoguang Apr 15, 2024
903c8c9
fix test
wxiaoguang Apr 15, 2024
4aab4ee
Update options/locale/locale_en-US.ini
wxiaoguang Apr 16, 2024
7f9b95e
address reviews
wxiaoguang Apr 16, 2024
e7548e5
refactor unit mode
wxiaoguang Apr 16, 2024
d662a0c
Merge branch 'main' into allow-everyone-wiki
wxiaoguang Apr 17, 2024
e95faa5
fix merge
wxiaoguang Apr 17, 2024
2016049
Update templates/repo/settings/options.tmpl
wxiaoguang Apr 17, 2024
2a26cee
hide the struct internal fields
wxiaoguang Apr 17, 2024
90dcf3c
fix repo setting ui
wxiaoguang Apr 17, 2024
06ce401
fix repo setting ui
wxiaoguang Apr 17, 2024
cbbd321
more tests
wxiaoguang Apr 17, 2024
0f4dfe3
use better text for "not set" permission
wxiaoguang Apr 17, 2024
16ebe02
Merge branch 'main' into allow-everyone-wiki
GiteaBot Apr 17, 2024
fb21973
only apply everyone access mode if there is no error
wxiaoguang Apr 17, 2024
1b85718
Merge branch 'main' into allow-everyone-wiki
GiteaBot Apr 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions models/migrations/migrations.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -582,6 +582,8 @@ var migrations = []Migration{
NewMigration("Add commit status summary table", v1_23.AddCommitStatusSummary),
// v296 -> v297
NewMigration("Add missing field of commit status summary table", v1_23.AddCommitStatusSummary2),
// v297 -> v298
NewMigration("Add everyone_access_mode for repo_unit", v1_23.AddRepoUnitEveryoneAccessMode),
}

// GetCurrentDBVersion returns the current db version
Expand Down
2 changes: 1 addition & 1 deletion models/migrations/v1_11/v111.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -336,7 +336,7 @@ func AddBranchProtectionCanPushAndEnableWhitelist(x *xorm.Engine) error {
if err != nil {
return false, err
}
if perm.UnitsMode == nil {
if len(perm.UnitsMode) == 0 {
for _, u := range perm.Units {
if u.Type == UnitTypeCode {
return AccessModeWrite <= perm.AccessMode, nil
Expand Down
17 changes: 17 additions & 0 deletions models/migrations/v1_23/v297.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package v1_23 //nolint

import (
"code.gitea.io/gitea/models/perm"

"xorm.io/xorm"
)

func AddRepoUnitEveryoneAccessMode(x *xorm.Engine) error {
type RepoUnit struct { //revive:disable-line:exported
EveryoneAccessMode perm.AccessMode `xorm:"NOT NULL DEFAULT 0"`
}
return x.Sync(&RepoUnit{})
wxiaoguang marked this conversation as resolved.
Show resolved Hide resolved
}
4 changes: 2 additions & 2 deletions models/organization/team.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,11 +130,11 @@ func (t *Team) GetUnitsMap() map[string]string {
m := make(map[string]string)
if t.AccessMode >= perm.AccessModeAdmin {
for _, u := range unit.Units {
m[u.NameKey] = t.AccessMode.String()
m[u.NameKey] = t.AccessMode.ToString()
}
} else {
for _, u := range t.Units {
m[u.Unit().NameKey] = u.AccessMode.String()
m[u.Unit().NameKey] = u.AccessMode.ToString()
}
}
return m
Expand Down
79 changes: 37 additions & 42 deletions models/perm/access/repo_permission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ import (
"code.gitea.io/gitea/models/unit"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
)

// Permission contains all the permissions related variables to a repository for a user
Expand All @@ -33,25 +34,24 @@ func (p *Permission) IsAdmin() bool {
return p.AccessMode >= perm_model.AccessModeAdmin
}

// HasAccess returns true if the current user has at least read access to any unit of this repository
// HasAccess returns true if the current user might have at least read access to any unit of this repository
func (p *Permission) HasAccess() bool {
if p.UnitsMode == nil {
return p.AccessMode >= perm_model.AccessModeRead
}
return len(p.UnitsMode) > 0
return len(p.UnitsMode) > 0 || p.AccessMode >= perm_model.AccessModeRead
}

// UnitAccessMode returns current user accessmode to the specify unit of the repository
// UnitAccessMode returns current user access mode to the specify unit of the repository
func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {
if p.UnitsMode == nil {
for _, u := range p.Units {
if u.Type == unitType {
return p.AccessMode
}
// if the units map contains the access mode, use it, but admin/owner mode could override it
if m, ok := p.UnitsMode[unitType]; ok {
return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)
}
// if the units map does not contain the access mode, return the default access mode if the unit exists
for _, u := range p.Units {
if u.Type == unitType {
return p.AccessMode
}
return perm_model.AccessModeNone
}
return p.UnitsMode[unitType]
return perm_model.AccessModeNone
}

// CanAccess returns true if user has mode access to the unit of the repository
Expand Down Expand Up @@ -104,7 +104,7 @@ func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {

func (p *Permission) LogString() string {
format := "<Permission AccessMode=%s, %d Units, %d UnitsMode(s): [ "
args := []any{p.AccessMode.String(), len(p.Units), len(p.UnitsMode)}
args := []any{p.AccessMode.ToString(), len(p.Units), len(p.UnitsMode)}

for i, unit := range p.Units {
config := ""
Expand All @@ -126,23 +126,30 @@ func (p *Permission) LogString() string {
return fmt.Sprintf(format, args...)
}

// GetUserRepoPermission returns the user permissions to the repository
func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (Permission, error) {
var perm Permission
if log.IsTrace() {
defer func() {
if user == nil {
log.Trace("Permission Loaded for anonymous user in %-v:\nPermissions: %-+v",
repo,
perm)
return
func applyDefaultUserRepoPermission(user *user_model.User, perm *Permission) {
if user != nil && user.ID > 0 {
for _, u := range perm.Units {
if u.EveryoneAccessMode >= perm_model.AccessModeRead && u.EveryoneAccessMode > perm.UnitsMode[u.Type] {
perm.UnitsMode[u.Type] = u.EveryoneAccessMode
}
log.Trace("Permission Loaded for %-v in %-v:\nPermissions: %-+v",
user,
repo,
perm)
}()
}
}
}

// GetUserRepoPermission returns the user permissions to the repository
func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (perm Permission, err error) {
defer func() {
applyDefaultUserRepoPermission(user, &perm)
if log.IsTrace() {
log.Trace("Permission Loaded for user %-v in repo %-v, permissions: %-+v", user, repo, perm)
}
}()

perm.UnitsMode = make(map[unit.Type]perm_model.AccessMode) // always initialize UnitsMode to avoid nil panic
if err = repo.LoadUnits(ctx); err != nil {
return perm, err
}
perm.Units = repo.Units

// anonymous user visit private repo.
// TODO: anonymous user visit public unit of private repo???
Expand All @@ -152,15 +159,14 @@ func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
}

var isCollaborator bool
var err error
if user != nil {
isCollaborator, err = repo_model.IsCollaborator(ctx, repo.ID, user.ID)
if err != nil {
return perm, err
}
}

if err := repo.LoadOwner(ctx); err != nil {
if err = repo.LoadOwner(ctx); err != nil {
return perm, err
}

Expand All @@ -171,12 +177,6 @@ func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
return perm, nil
}

if err := repo.LoadUnits(ctx); err != nil {
lunny marked this conversation as resolved.
Show resolved Hide resolved
return perm, err
}

perm.Units = repo.Units

// anonymous visit public repo
if user == nil {
perm.AccessMode = perm_model.AccessModeRead
Expand All @@ -195,15 +195,10 @@ func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
return perm, err
}

if err := repo.LoadOwner(ctx); err != nil {
return perm, err
}
if !repo.Owner.IsOrganization() {
return perm, nil
}

perm.UnitsMode = make(map[unit.Type]perm_model.AccessMode)

// Collaborators on organization
if isCollaborator {
for _, u := range repo.Units {
Expand Down
80 changes: 80 additions & 0 deletions models/perm/access/repo_permission_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package access

import (
"testing"

perm_model "code.gitea.io/gitea/models/perm"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unit"
user_model "code.gitea.io/gitea/models/user"

"github.com/stretchr/testify/assert"
)

func TestApplyDefaultUserRepoPermission(t *testing.T) {
perm := Permission{
AccessMode: perm_model.AccessModeNone,
UnitsMode: map[unit.Type]perm_model.AccessMode{},
Units: []*repo_model.RepoUnit{
{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeNone},
},
}
applyDefaultUserRepoPermission(nil, &perm)
assert.False(t, perm.CanRead(unit.TypeWiki))

perm = Permission{
AccessMode: perm_model.AccessModeNone,
UnitsMode: map[unit.Type]perm_model.AccessMode{},
Units: []*repo_model.RepoUnit{
{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},
},
}
applyDefaultUserRepoPermission(&user_model.User{ID: 1}, &perm)
assert.True(t, perm.CanRead(unit.TypeWiki))
}

func TestUnitAccessMode(t *testing.T) {
perm := Permission{
AccessMode: perm_model.AccessModeNone,
}
assert.Equal(t, perm_model.AccessModeNone, perm.UnitAccessMode(unit.TypeWiki), "no unit or map, use AccessMode")

perm = Permission{
AccessMode: perm_model.AccessModeOwner,
Units: []*repo_model.RepoUnit{
{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},
},
UnitsMode: map[unit.Type]perm_model.AccessMode{},
}
assert.Equal(t, perm_model.AccessModeOwner, perm.UnitAccessMode(unit.TypeWiki), "only unit no map, use AccessMode")

perm = Permission{
AccessMode: perm_model.AccessModeAdmin,
UnitsMode: map[unit.Type]perm_model.AccessMode{
unit.TypeWiki: perm_model.AccessModeRead,
},
}
assert.Equal(t, perm_model.AccessModeAdmin, perm.UnitAccessMode(unit.TypeWiki), "no unit only map, admin overrides map")

perm = Permission{
AccessMode: perm_model.AccessModeNone,
UnitsMode: map[unit.Type]perm_model.AccessMode{
unit.TypeWiki: perm_model.AccessModeRead,
},
}
assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "no unit only map, use map")

perm = Permission{
AccessMode: perm_model.AccessModeNone,
Units: []*repo_model.RepoUnit{
{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeWrite},
},
UnitsMode: map[unit.Type]perm_model.AccessMode{
unit.TypeWiki: perm_model.AccessModeRead,
},
}
assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "has unit and map, use map")
}
39 changes: 22 additions & 17 deletions models/perm/access_mode.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,25 +5,25 @@ package perm

import (
"fmt"
"slices"

"code.gitea.io/gitea/modules/util"
)

// AccessMode specifies the users access mode
type AccessMode int

const (
// AccessModeNone no access
AccessModeNone AccessMode = iota // 0
// AccessModeRead read access
AccessModeRead // 1
// AccessModeWrite write access
AccessModeWrite // 2
// AccessModeAdmin admin access
AccessModeAdmin // 3
// AccessModeOwner owner access
AccessModeOwner // 4
AccessModeNone AccessMode = iota // 0: no access

AccessModeRead // 1: read access
AccessModeWrite // 2: write access
AccessModeAdmin // 3: admin access
AccessModeOwner // 4: owner access
)

func (mode AccessMode) String() string {
// ToString returns the string representation of the access mode, do not make it a Stringer, otherwise it's difficult to render in templates
func (mode AccessMode) ToString() string {
switch mode {
case AccessModeRead:
return "read"
Expand All @@ -39,19 +39,24 @@ func (mode AccessMode) String() string {
}

func (mode AccessMode) LogString() string {
return fmt.Sprintf("<AccessMode:%d:%s>", mode, mode.String())
return fmt.Sprintf("<AccessMode:%d:%s>", mode, mode.ToString())
}

// ParseAccessMode returns corresponding access mode to given permission string.
func ParseAccessMode(permission string) AccessMode {
func ParseAccessMode(permission string, allowed ...AccessMode) AccessMode {
m := AccessModeNone
switch permission {
case "read":
return AccessModeRead
m = AccessModeRead
case "write":
return AccessModeWrite
m = AccessModeWrite
case "admin":
return AccessModeAdmin
m = AccessModeAdmin
default:
return AccessModeNone
// the "owner" access is not really used for user input, it's mainly for checking access level in code, so don't parse it
}
if len(allowed) == 0 {
return m
}
return util.Iif(slices.Contains(allowed, m), m, AccessModeNone)
}
22 changes: 22 additions & 0 deletions models/perm/access_mode_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package perm

import (
"testing"

"github.com/stretchr/testify/assert"
)

func TestAccessMode(t *testing.T) {
names := []string{"none", "read", "write", "admin"}
for i, name := range names {
m := ParseAccessMode(name)
assert.Equal(t, AccessMode(i), m)
}
assert.Equal(t, AccessMode(4), AccessModeOwner)
assert.Equal(t, "owner", AccessModeOwner.ToString())
assert.Equal(t, AccessModeNone, ParseAccessMode("owner"))
assert.Equal(t, AccessModeNone, ParseAccessMode("invalid"))
}
12 changes: 7 additions & 5 deletions models/repo/repo_unit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"strings"

"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/models/perm"
"code.gitea.io/gitea/models/unit"
"code.gitea.io/gitea/modules/json"
"code.gitea.io/gitea/modules/setting"
Expand Down Expand Up @@ -41,11 +42,12 @@ func (err ErrUnitTypeNotExist) Unwrap() error {

// RepoUnit describes all units of a repository
type RepoUnit struct { //revive:disable-line:exported
ID int64
RepoID int64 `xorm:"INDEX(s)"`
Type unit.Type `xorm:"INDEX(s)"`
Config convert.Conversion `xorm:"TEXT"`
CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
ID int64
RepoID int64 `xorm:"INDEX(s)"`
Type unit.Type `xorm:"INDEX(s)"`
Config convert.Conversion `xorm:"TEXT"`
CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED"`
EveryoneAccessMode perm.AccessMode `xorm:"NOT NULL DEFAULT 0"`
}

func init() {
Expand Down
Loading