[PR #5314] [MERGED] Restrict permission check on repositories and fix some problems #17754

Closed
opened 2025-11-02 15:31:12 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/go-gitea/gitea/pull/5314
Author: @lunny
Created: 11/11/2018
Status: Merged
Merged: 11/28/2018
Merged by: @lunny

Base: master ← Head: lunny/fix_units_permissions


📝 Commits (10+)

  • 0bf41c2 fix units permission problems
  • 15f80b9 fix some bugs and merge LoadUnits to repoAssignment
  • 40d552c refactor permission struct and add some copyright heads
  • d80fea2 remove unused codes
  • fb4a2cb fix routes units check
  • a21bfde improve permission check
  • 422ba40 add unit tests for permission
  • dae595b fix typo
  • 6bed0d4 fix tests
  • d5ba3a0 fix some routes

📊 Changes

80 files changed (+1351 additions, -765 deletions)

View changed files

📝 cmd/serv.go (+2 -12)
📝 integrations/api_repo_test.go (+1 -1)
📝 models/access.go (+0 -16)
📝 models/access_test.go (+18 -23)
📝 models/branches.go (+9 -3)
📝 models/fixtures/repo_unit.yml (+113 -1)
📝 models/fixtures/repository.yml (+1 -1)
📝 models/fixtures/team.yml (+27 -0)
📝 models/fixtures/team_repo.yml (+18 -0)
📝 models/fixtures/team_unit.yml (+15 -0)
📝 models/fixtures/team_user.yml (+18 -0)
📝 models/fixtures/user.yml (+2 -2)
📝 models/issue.go (+20 -12)
📝 models/issue_assignees.go (+5 -2)
📝 models/issue_comment.go (+3 -3)
📝 models/issue_milestone.go (+1 -1)
📝 models/lfs_lock.go (+3 -2)
📝 models/org_team.go (+3 -3)
📝 models/org_team_test.go (+1 -1)
📝 models/org_test.go (+2 -1)

...and 60 more files

📄 Description

This PR will refactor the permission check of repositories, especially the units permission check. It will restrict the permission check on organization repositories and fix some bugs. It creates a new struct `Permission` and a function to retrieve the permission from `User` and `Repository`.

You can get all the permission information from `Permission`, and it has been saved on `context.Context` when the middleware `repoAssignment` was called. After this PR, we removed some functions like `IsRepositoryWriter` because we don't know if the repo is in an organization and there are some teams that give permission to the user. Instead it provides `CanAccess(unit)` and `CanWrite(unit)` to determine if the `User` could read or write to `code`, `issues`, `releases` or other units.

This also gives a breaking change for a private repository in an organization: when a user on a team has write permission to a repository but is also a collaborator with read rights to that repository. Before this PR, the team settings will be ignored, but in this PR, the higher permission will be given to the user. Don't know if it's a bug or a breaking change. I added the breaking label.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
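
A simplified Go model of the rule the description states (the higher of team and collaborator permission, checked per unit), added here as an illustration and not taken from the PR or from Gitea's code base. Only `Permission`, `CanAccess` and `CanWrite` are names from the description; the `TeamGrant` type, the `Resolve` helper and its `ignoreTeams` flag (standing in for the earlier behaviour) are assumptions.

```go
package main

import "fmt"

// Simplified model of the behaviour described in the PR text. Hypothetical
// types and helpers, not Gitea's implementation.
type AccessMode int

const (
	None AccessMode = iota
	Read
	Write
)
type Unit string

// TeamGrant is one team's access mode, limited to the units that team covers.
type TeamGrant struct {
	Mode  AccessMode
	Units []Unit
}

// Permission holds the effective access mode per repository unit.
type Permission struct{ UnitsMode map[Unit]AccessMode }

func (p Permission) CanAccess(u Unit) bool { return p.UnitsMode[u] >= Read }
func (p Permission) CanWrite(u Unit) bool  { return p.UnitsMode[u] >= Write }

// Resolve gives each enabled repo unit the higher of the collaborator mode and
// any team grant covering it. ignoreTeams models the earlier behaviour.
func Resolve(repoUnits []Unit, collab AccessMode, teams []TeamGrant, ignoreTeams bool) Permission {
	p := Permission{UnitsMode: make(map[Unit]AccessMode)}
	for _, u := range repoUnits {
		p.UnitsMode[u] = collab
	}
	for _, t := range teams {
		for _, u := range t.Units {
			// Units not enabled on the repository are never granted.
			if cur, ok := p.UnitsMode[u]; ok && !ignoreTeams && t.Mode > cur {
				p.UnitsMode[u] = t.Mode
			}
		}
	}
	return p
}

func main() {
	teams := []TeamGrant{{Mode: Write, Units: []Unit{"code"}}} // constructed sample
	p := Resolve([]Unit{"code", "issues"}, Read, teams, false)
	fmt.Println(p.CanWrite("code"), p.CanWrite("issues"))
}
```

The same inputs with `ignoreTeams` set to true leave `code` at read-only, which is the difference that anyone auditing organization repositories after such a change would look for.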

GiteaMirror added the pull-request label 2025-11-02 15:31:12 -06:00
Reference: github-starred/gitea#17754