Diffstat (limited to 'internal/route')
-rw-r--r-- | internal/route/api/v1/repo/repo.go | 23 | ||||
-rw-r--r-- | internal/route/lfs/mocks_test.go | 77 | ||||
-rw-r--r-- | internal/route/lfs/route.go | 2 | ||||
-rw-r--r-- | internal/route/lfs/route_test.go | 4 | ||||
-rw-r--r-- | internal/route/repo/http.go | 2 | ||||
-rw-r--r-- | internal/route/repo/issue.go | 11 | ||||
-rw-r--r-- | internal/route/repo/pull.go | 11 | ||||
-rw-r--r-- | internal/route/user/auth.go | 2 | ||||
-rw-r--r-- | internal/route/user/setting.go | 8 |
9 files changed, 85 insertions, 55 deletions
diff --git a/internal/route/api/v1/repo/repo.go b/internal/route/api/v1/repo/repo.go
index e26cc5bd..81341627 100644
--- a/internal/route/api/v1/repo/repo.go
+++ b/internal/route/api/v1/repo/repo.go
@@ -352,11 +352,24 @@ func ListForks(c *context.APIContext) {
 c.Error(err, "get owner")
 return
 }
- apiForks[i] = forks[i].APIFormatLegacy(&api.Permission{
- Admin: c.User.IsAdminOfRepo(forks[i]),
- Push: c.User.IsWriterOfRepo(forks[i]),
- Pull: true,
- })
+
+ accessMode := db.Perms.AccessMode(
+ c.Req.Context(),
+ c.User.ID,
+ forks[i].ID,
+ db.AccessModeOptions{
+ OwnerID: forks[i].OwnerID,
+ Private: forks[i].IsPrivate,
+ },
+ )
+
+ apiForks[i] = forks[i].APIFormatLegacy(
+ &api.Permission{
+ Admin: accessMode >= db.AccessModeAdmin,
+ Push: accessMode >= db.AccessModeWrite,
+ Pull: true,
+ },
+ )
 }
 c.JSONSuccess(&apiForks)
diff --git a/internal/route/lfs/mocks_test.go b/internal/route/lfs/mocks_test.go
index 4f443f9f..e929b4ae 100644
--- a/internal/route/lfs/mocks_test.go
+++ b/internal/route/lfs/mocks_test.go
@@ -1898,9 +1898,9 @@ type MockTwoFactorsStore struct { // GetByUserIDFunc is an instance of a mock function object controlling // the behavior of the method GetByUserID. GetByUserIDFunc *TwoFactorsStoreGetByUserIDFunc - // IsUserEnabledFunc is an instance of a mock function object - // controlling the behavior of the method IsUserEnabled. - IsUserEnabledFunc *TwoFactorsStoreIsUserEnabledFunc + // IsEnabledFunc is an instance of a mock function object controlling + // the behavior of the method IsEnabled. + IsEnabledFunc *TwoFactorsStoreIsEnabledFunc } // NewMockTwoFactorsStore creates a new mock of the TwoFactorsStore @@ -1918,7 +1918,7 @@ func NewMockTwoFactorsStore() *MockTwoFactorsStore { return }, }, - IsUserEnabledFunc: &TwoFactorsStoreIsUserEnabledFunc{ + IsEnabledFunc: &TwoFactorsStoreIsEnabledFunc{ defaultHook: func(context.Context, int64) (r0 bool) { return },
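Review bot: `Pull: true` in the new `api.Permission` literal of ListForks is still hard-coded even though `accessMode` is now computed just above it, so a fork the caller cannot read would be reported as pullable. The options passed to `db.Perms.AccessMode` include `Private: forks[i].IsPrivate`, which suggests private forks can appear in this list; whether the list is filtered by read access beforehand is not visible in the hunk. Consider `Pull: accessMode >= db.AccessModeRead,` and skipping any fork whose mode is below read. The loop and the rest of ListForks lie outside the hunk.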
@@ -1940,9 +1940,9 @@ func NewStrictMockTwoFactorsStore() *MockTwoFactorsStore { panic("unexpected invocation of MockTwoFactorsStore.GetByUserID") }, }, - IsUserEnabledFunc: &TwoFactorsStoreIsUserEnabledFunc{ + IsEnabledFunc: &TwoFactorsStoreIsEnabledFunc{ defaultHook: func(context.Context, int64) bool { - panic("unexpected invocation of MockTwoFactorsStore.IsUserEnabled") + panic("unexpected invocation of MockTwoFactorsStore.IsEnabled") }, }, } @@ -1959,8 +1959,8 @@ func NewMockTwoFactorsStoreFrom(i db.TwoFactorsStore) *MockTwoFactorsStore { GetByUserIDFunc: &TwoFactorsStoreGetByUserIDFunc{ defaultHook: i.GetByUserID, }, - IsUserEnabledFunc: &TwoFactorsStoreIsUserEnabledFunc{ - defaultHook: i.IsUserEnabled, + IsEnabledFunc: &TwoFactorsStoreIsEnabledFunc{ + defaultHook: i.IsEnabled, }, } } 
@@ -2184,36 +2184,35 @@ func (c TwoFactorsStoreGetByUserIDFuncCall) Results() []interface{} { return []interface{}{c.Result0, c.Result1} } -// TwoFactorsStoreIsUserEnabledFunc describes the behavior when the -// IsUserEnabled method of the parent MockTwoFactorsStore instance is -// invoked. -type TwoFactorsStoreIsUserEnabledFunc struct { +// TwoFactorsStoreIsEnabledFunc describes the behavior when the IsEnabled +// method of the parent MockTwoFactorsStore instance is invoked. +type TwoFactorsStoreIsEnabledFunc struct { defaultHook func(context.Context, int64) bool hooks []func(context.Context, int64) bool - history []TwoFactorsStoreIsUserEnabledFuncCall + history []TwoFactorsStoreIsEnabledFuncCall mutex sync.Mutex } -// IsUserEnabled delegates to the next hook function in the queue and stores -// the parameter and result values of this invocation. -func (m *MockTwoFactorsStore) IsUserEnabled(v0 context.Context, v1 int64) bool { - r0 := m.IsUserEnabledFunc.nextHook()(v0, v1) - m.IsUserEnabledFunc.appendCall(TwoFactorsStoreIsUserEnabledFuncCall{v0, v1, r0}) +// IsEnabled delegates to the next hook function in the queue and stores the +// parameter and result values of this invocation. +func (m *MockTwoFactorsStore) IsEnabled(v0 context.Context, v1 int64) bool { + r0 := m.IsEnabledFunc.nextHook()(v0, v1) + m.IsEnabledFunc.appendCall(TwoFactorsStoreIsEnabledFuncCall{v0, v1, r0}) return r0 } -// SetDefaultHook sets function that is called when the IsUserEnabled method -// of the parent MockTwoFactorsStore instance is invoked and the hook queue -// is empty. -func (f *TwoFactorsStoreIsUserEnabledFunc) SetDefaultHook(hook func(context.Context, int64) bool) { +// SetDefaultHook sets function that is called when the IsEnabled method of +// the parent MockTwoFactorsStore instance is invoked and the hook queue is +// empty. 
+func (f *TwoFactorsStoreIsEnabledFunc) SetDefaultHook(hook func(context.Context, int64) bool) { f.defaultHook = hook } // PushHook adds a function to the end of hook queue. Each invocation of the -// IsUserEnabled method of the parent MockTwoFactorsStore instance invokes -// the hook at the front of the queue and discards it. After the queue is -// empty, the default hook function is invoked for any future action. -func (f *TwoFactorsStoreIsUserEnabledFunc) PushHook(hook func(context.Context, int64) bool) { +// IsEnabled method of the parent MockTwoFactorsStore instance invokes the +// hook at the front of the queue and discards it. After the queue is empty, +// the default hook function is invoked for any future action. +func (f *TwoFactorsStoreIsEnabledFunc) PushHook(hook func(context.Context, int64) bool) { f.mutex.Lock() f.hooks = append(f.hooks, hook) f.mutex.Unlock() @@ -2221,20 +2220,20 @@ func (f *TwoFactorsStoreIsUserEnabledFunc) PushHook(hook func(context.Context, i // SetDefaultReturn calls SetDefaultHook with a function that returns the // given values. -func (f *TwoFactorsStoreIsUserEnabledFunc) SetDefaultReturn(r0 bool) { +func (f *TwoFactorsStoreIsEnabledFunc) SetDefaultReturn(r0 bool) { f.SetDefaultHook(func(context.Context, int64) bool { return r0 }) } // PushReturn calls PushHook with a function that returns the given values. -func (f *TwoFactorsStoreIsUserEnabledFunc) PushReturn(r0 bool) { +func (f *TwoFactorsStoreIsEnabledFunc) PushReturn(r0 bool) { f.PushHook(func(context.Context, int64) bool { return r0 }) } -func (f *TwoFactorsStoreIsUserEnabledFunc) nextHook() func(context.Context, int64) bool { +func (f *TwoFactorsStoreIsEnabledFunc) nextHook() func(context.Context, int64) bool { f.mutex.Lock() defer f.mutex.Unlock() 
@@ -2247,26 +2246,26 @@ func (f *TwoFactorsStoreIsUserEnabledFunc) nextHook() func(context.Context, int6 return hook } -func (f *TwoFactorsStoreIsUserEnabledFunc) appendCall(r0 TwoFactorsStoreIsUserEnabledFuncCall) { +func (f *TwoFactorsStoreIsEnabledFunc) appendCall(r0 TwoFactorsStoreIsEnabledFuncCall) { f.mutex.Lock() f.history = append(f.history, r0) f.mutex.Unlock() } -// History returns a sequence of TwoFactorsStoreIsUserEnabledFuncCall -// objects describing the invocations of this function. -func (f *TwoFactorsStoreIsUserEnabledFunc) History() []TwoFactorsStoreIsUserEnabledFuncCall { +// History returns a sequence of TwoFactorsStoreIsEnabledFuncCall objects +// describing the invocations of this function. +func (f *TwoFactorsStoreIsEnabledFunc) History() []TwoFactorsStoreIsEnabledFuncCall { f.mutex.Lock() - history := make([]TwoFactorsStoreIsUserEnabledFuncCall, len(f.history)) + history := make([]TwoFactorsStoreIsEnabledFuncCall, len(f.history)) copy(history, f.history) f.mutex.Unlock() return history } -// TwoFactorsStoreIsUserEnabledFuncCall is an object that describes an -// invocation of method IsUserEnabled on an instance of MockTwoFactorsStore. -type TwoFactorsStoreIsUserEnabledFuncCall struct { +// TwoFactorsStoreIsEnabledFuncCall is an object that describes an +// invocation of method IsEnabled on an instance of MockTwoFactorsStore. +type TwoFactorsStoreIsEnabledFuncCall struct { // Arg0 is the value of the 1st argument passed to this method // invocation. Arg0 context.Context 
@@ -2280,13 +2279,13 @@ type TwoFactorsStoreIsUserEnabledFuncCall struct { // Args returns an interface slice containing the arguments of this // invocation. -func (c TwoFactorsStoreIsUserEnabledFuncCall) Args() []interface{} { +func (c TwoFactorsStoreIsEnabledFuncCall) Args() []interface{} { return []interface{}{c.Arg0, c.Arg1} } // Results returns an interface slice containing the results of this // invocation. -func (c TwoFactorsStoreIsUserEnabledFuncCall) Results() []interface{} { +func (c TwoFactorsStoreIsEnabledFuncCall) Results() []interface{} { return []interface{}{c.Result0} }
diff --git a/internal/route/lfs/route.go b/internal/route/lfs/route.go
index bdacc6da..b2ab2b0c 100644
--- a/internal/route/lfs/route.go
+++ b/internal/route/lfs/route.go
@@ -67,7 +67,7 @@ func authenticate() macaron.Handler {
 return
 }
- if err == nil && user.IsEnabledTwoFactor() {
+ if err == nil && db.TwoFactors.IsEnabled(c.Req.Context(), user.ID) {
 c.Error(http.StatusBadRequest, "Users with 2FA enabled are not allowed to authenticate via username and password.")
 return
 }
diff --git a/internal/route/lfs/route_test.go b/internal/route/lfs/route_test.go
index a29f8b8c..9ce07846 100644
--- a/internal/route/lfs/route_test.go
+++ b/internal/route/lfs/route_test.go
@@ -58,7 +58,7 @@ func Test_authenticate(t *testing.T) {
 },
 mockTwoFactorsStore: func() db.TwoFactorsStore {
 mock := NewMockTwoFactorsStore()
- mock.IsUserEnabledFunc.SetDefaultReturn(true)
+ mock.IsEnabledFunc.SetDefaultReturn(true)
 return mock
 },
 expStatusCode: http.StatusBadRequest,
@@ -100,7 +100,7 @@ func Test_authenticate(t *testing.T) {
 },
 mockTwoFactorsStore: func() db.TwoFactorsStore {
 mock := NewMockTwoFactorsStore()
- mock.IsUserEnabledFunc.SetDefaultReturn(false)
+ mock.IsEnabledFunc.SetDefaultReturn(false)
 return mock
 },
 expStatusCode: http.StatusOK,
diff --git a/internal/route/repo/http.go b/internal/route/repo/http.go
index 89c7fa24..e8e1ac15 100644
--- a/internal/route/repo/http.go
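Review bot: `db.TwoFactors.IsEnabled(c.Req.Context(), user.ID)` in `authenticate` returns a bare bool (the regenerated mock shows `func(context.Context, int64) bool`), so this password-authentication gate cannot tell "2FA not enabled" from "lookup failed". If the store reports false on a query error or a cancelled request context, which is not visible on this page, an account with 2FA would be accepted with username and password alone. The same call guards `HTTPContexter` in internal/route/repo/http.go and `LoginPost` in internal/route/user/auth.go. It is worth confirming that the implementation fails closed; if it does not, these three call sites need an error-returning variant that rejects the request when the lookup fails. The body of authenticate continues outside the hunk.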
+++ b/internal/route/repo/http.go
@@ -153,7 +153,7 @@ func HTTPContexter() macaron.Handler {
 return
 }
 }
- } else if authUser.IsEnabledTwoFactor() {
+ } else if db.TwoFactors.IsEnabled(c.Req.Context(), authUser.ID) {
 askCredentials(c, http.StatusUnauthorized, `User with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password
 Please create and use personal access token on user settings page`)
 return
diff --git a/internal/route/repo/issue.go b/internal/route/repo/issue.go
index cf59856e..f6a0d1b5 100644
--- a/internal/route/repo/issue.go
+++ b/internal/route/repo/issue.go
@@ -612,7 +612,16 @@ func viewIssue(c *context.Context, isPullList bool) {
 if repo.IsOwnedBy(comment.PosterID) ||
 (repo.Owner.IsOrganization() && repo.Owner.IsOwnedBy(comment.PosterID)) {
 comment.ShowTag = db.COMMENT_TAG_OWNER
- } else if comment.Poster.IsWriterOfRepo(repo) {
+ } else if db.Perms.Authorize(
+ c.Req.Context(),
+ comment.PosterID,
+ repo.ID,
+ db.AccessModeWrite,
+ db.AccessModeOptions{
+ OwnerID: repo.OwnerID,
+ Private: repo.IsPrivate,
+ },
+ ) {
 comment.ShowTag = db.COMMENT_TAG_WRITER
 } else if comment.PosterID == issue.PosterID {
 comment.ShowTag = db.COMMENT_TAG_POSTER
diff --git a/internal/route/repo/pull.go b/internal/route/repo/pull.go
index d65b1e10..2745c336 100644
--- a/internal/route/repo/pull.go
+++ b/internal/route/repo/pull.go
@@ -510,7 +510,16 @@ func ParseCompareInfo(c *context.Context) (*db.User, *db.Repository, *git.Reposi
 headGitRepo = c.Repo.GitRepo
 }
- if !c.User.IsWriterOfRepo(headRepo) && !c.User.IsAdmin {
+ if !db.Perms.Authorize(
+ c.Req.Context(),
+ c.User.ID,
+ headRepo.ID,
+ db.AccessModeWrite,
+ db.AccessModeOptions{
+ OwnerID: headRepo.OwnerID,
+ Private: headRepo.IsPrivate,
+ },
+ ) && !c.User.IsAdmin {
 log.Trace("ParseCompareInfo [base_repo_id: %d]: does not have write access or site admin", baseRepo.ID)
 c.NotFound()
 return nil, nil, nil, nil, "", ""
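Review bot: The `db.Perms.Authorize` call in the `else if` of viewIssue takes `comment.PosterID`, so it appears to run once for every comment not posted by an owner; the enclosing loop is outside the hunk, so this is inferred from the `comment` variable. On a long thread that is one permission lookup per comment, even when only a handful of distinct users have posted. Caching the result per poster ID for the duration of the request keeps the tag logic unchanged while bounding the lookups by the number of participants.

```go
// before the comment loop (outside this hunk)
writerByPoster := make(map[int64]bool)
isWriter := func(posterID int64) bool {
	if allowed, seen := writerByPoster[posterID]; seen {
		return allowed
	}
	allowed := db.Perms.Authorize(
		c.Req.Context(),
		posterID,
		repo.ID,
		db.AccessModeWrite,
		db.AccessModeOptions{
			OwnerID: repo.OwnerID,
			Private: repo.IsPrivate,
		},
	)
	writerByPoster[posterID] = allowed
	return allowed
}

// … unchanged: owner branch …
} else if isWriter(comment.PosterID) {
	comment.ShowTag = db.COMMENT_TAG_WRITER
// … unchanged: poster branch …
```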
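Review bot: In ParseCompareInfo the new condition runs the `db.Perms.Authorize` lookup before the in-memory `c.User.IsAdmin` test, so site admins pay for a permission query whose result is then ignored. Putting the cheap test first, `if !c.User.IsAdmin && !db.Perms.Authorize(`, short-circuits it with the same outcome. Separately, the denial trace on the following line records only `baseRepo.ID`, although the check is made against `headRepo` for `c.User.ID`; adding both to the message would make a refused compare traceable in the logs. The function starts and ends outside the hunk.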
diff --git a/internal/route/user/auth.go b/internal/route/user/auth.go
index d06a7488..a893f8b5 100644
--- a/internal/route/user/auth.go
+++ b/internal/route/user/auth.go
@@ -184,7 +184,7 @@ func LoginPost(c *context.Context, f form.SignIn) {
 return
 }
- if !u.IsEnabledTwoFactor() {
+ if !db.TwoFactors.IsEnabled(c.Req.Context(), u.ID) {
 afterLogin(c, u, f.Remember)
 return
 }
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index 3ea1c33e..f29ffb36 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -386,7 +386,7 @@ func SettingsSecurity(c *context.Context) {
 }
 func SettingsTwoFactorEnable(c *context.Context) {
- if c.User.IsEnabledTwoFactor() {
+ if db.TwoFactors.IsEnabled(c.Req.Context(), c.User.ID) {
 c.NotFound()
 return
 }
@@ -456,7 +456,7 @@ func SettingsTwoFactorEnablePost(c *context.Context) {
 }
 func SettingsTwoFactorRecoveryCodes(c *context.Context) {
- if !c.User.IsEnabledTwoFactor() {
+ if !db.TwoFactors.IsEnabled(c.Req.Context(), c.User.ID) {
 c.NotFound()
 return
 }
@@ -475,7 +475,7 @@ func SettingsTwoFactorRecoveryCodes(c *context.Context) {
 }
 func SettingsTwoFactorRecoveryCodesPost(c *context.Context) {
- if !c.User.IsEnabledTwoFactor() {
+ if !db.TwoFactors.IsEnabled(c.Req.Context(), c.User.ID) {
 c.NotFound()
 return
 }
@@ -490,7 +490,7 @@ func SettingsTwoFactorRecoveryCodesPost(c *context.Context) {
 }
 func SettingsTwoFactorDisable(c *context.Context) {
- if !c.User.IsEnabledTwoFactor() {
+ if !db.TwoFactors.IsEnabled(c.Req.Context(), c.User.ID) {
 c.NotFound()
 return
 } |