From 5eafe2b17eb9a1cf1068e7a3ed7a57a2730f04b0 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Sun, 31 Jan 2016 10:46:04 +0000 Subject: Only show repositories the user has access to, on the organization home --- models/org.go | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) (limited to 'models') diff --git a/models/org.go b/models/org.go index b8836c34..c9d8f119 100644 --- a/models/org.go +++ b/models/org.go @@ -9,6 +9,7 @@ import ( "fmt" "os" "strings" + "strconv" "github.com/go-xorm/xorm" ) @@ -1028,3 +1029,39 @@ func removeOrgRepo(e Engine, orgID, repoID int64) error { func RemoveOrgRepo(orgID, repoID int64) error { return removeOrgRepo(x, orgID, repoID) } + +func (org *User) getUserRepositories(userID int64) (err error) { + teams := make([]*Team, 0, 10) + if err := x.Cols("`team`.id"). + Where("`team_user`.org_id=?", org.Id). + And("`team_user`.uid=?", userID). + Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id"). + Find(&teams); err != nil { + return fmt.Errorf("get team: %v", err) + } + + var teamIDs []string + for _, team := range teams { + s := strconv.FormatInt(team.ID, 32) + teamIDs = append(teamIDs, s) + } + + // The "in" clause it not vulnerable to SQL injection because we + // convert it from int64 a few lines above. Sadly, xorm does not support + // "in" clauses as a function, so we have to build our own (for now). + if err := x.Cols("`repository`.*"). + Where("`team_repo`.team_id in (" + strings.Join(teamIDs, ",") + ")"). + Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id"). + GroupBy("`repository`.id"). + Find(&org.Repos); err != nil { + return fmt.Errorf("get repositories: %v", err) + } + + return +} + +// GetUserRepositories gets all repositories of an organization, +// that the user with the given userID has access to. +func (org *User) GetUserRepositories(userID int64) (err error) { + return org.getUserRepositories(userID) +} -- cgit v1.2.3 
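Review bot: `strconv.FormatInt(team.ID, 32)` in `getUserRepositories` renders the team ids in base 32, so any id of 10 or more produces letters (`a`..`v`) that make the interpolated `in (...)` list invalid SQL, and an id whose base-32 form is all digits collides with another team's decimal id (32 becomes `10`), which would list repositories of a team the caller has not joined; the base has to be 10, `strconv.FormatInt(team.ID, 10)`. A caller who is in no team yields `in ()`, which is also invalid SQL, so the empty slice needs a guard before the second query. The comment's injection argument holds only because every element is formatted from an int64 right above, which is worth stating next to the `Where` so a later change to the slice type does not silently void it. Later patches in this series address the base and the empty case.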
From e35791b2b2888979ba53b8a9a58e1cb132026914 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Sun, 31 Jan 2016 13:28:42 +0000 Subject: Only show teams the user has access to --- cmd/web.go | 5 +++- models/org.go | 39 ++++++++++++++++++++-------- modules/middleware/context.go | 1 + modules/middleware/org.go | 60 +++++++++++++++++++++++++++++++------------ routers/org/teams.go | 5 +--- routers/user/home.go | 9 +++---- 6 files changed, 81 insertions(+), 38 deletions(-) (limited to 'models') diff --git a/cmd/web.go b/cmd/web.go index cf47d5c5..39495954 100644 --- a/cmd/web.go +++ b/cmd/web.go @@ -350,11 +350,14 @@ func runWeb(ctx *cli.Context) { m.Get("/members/action/:action", org.MembersAction) m.Get("/teams", org.Teams) + }, middleware.OrgAssignment(true)) + + m.Group("/:org", func() { m.Get("/teams/:team", org.TeamMembers) m.Get("/teams/:team/repositories", org.TeamRepositories) m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction) m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction) - }, middleware.OrgAssignment(true)) + }, middleware.OrgAssignment(true, false, true)) m.Group("/:org", func() { m.Get("/teams/new", org.NewTeam) diff --git a/models/org.go b/models/org.go index c9d8f119..839d2674 100644 --- a/models/org.go +++ b/models/org.go @@ -9,7 +9,6 @@ import ( "fmt" "os" "strings" - "strconv" "github.com/go-xorm/xorm" ) 
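Review bot: The new `middleware.OrgAssignment(true, false, true)` on the split-out `/:org` group is three positional booleans whose third slot changes meaning in this very patch (it used to be requireAdminTeam and is now requireTeamMember), so nothing at the route definition tells a reader what guards `TeamMembers`, `TeamRepositories`, `TeamsAction` and `TeamsRepoAction`; a trailing comment such as `// requireMember, requireOwner, requireTeamMember` would record it. Splitting the `:team` routes out of the group that keeps `OrgAssignment(true)` is right, since `/teams` only needs org membership. The enclosing `runWeb` starts and ends outside the hunk.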
@@ -1037,31 +1036,49 @@ func (org *User) getUserRepositories(userID int64) (err error) { And("`team_user`.uid=?", userID). Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id"). Find(&teams); err != nil { - return fmt.Errorf("get team: %v", err) + return fmt.Errorf("getUserRepositories: get teams: %v", err) } - var teamIDs []string + var teamIDs []int64 for _, team := range teams { - s := strconv.FormatInt(team.ID, 32) - teamIDs = append(teamIDs, s) + teamIDs = append(teamIDs, team.ID) } - // The "in" clause it not vulnerable to SQL injection because we - // convert it from int64 a few lines above. Sadly, xorm does not support - // "in" clauses as a function, so we have to build our own (for now). if err := x.Cols("`repository`.*"). - Where("`team_repo`.team_id in (" + strings.Join(teamIDs, ",") + ")"). + In("`team_repo`.team_id", teamIDs). Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id"). GroupBy("`repository`.id"). Find(&org.Repos); err != nil { - return fmt.Errorf("get repositories: %v", err) + return fmt.Errorf("getUserRepositories: get repositories: %v", err) } + org.NumRepos = len(org.Repos) + return } // GetUserRepositories gets all repositories of an organization, // that the user with the given userID has access to. -func (org *User) GetUserRepositories(userID int64) (err error) { +func (org *User) GetUserRepositories(userID int64) error { return org.getUserRepositories(userID) } + +func (org *User) getUserTeams(userID int64) (err error) { + if err := x.Cols("`team`.*"). + Where("`team_user`.org_id=?", org.Id). + And("`team_user`.uid=?", userID). + Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id"). + Find(&org.Teams); err != nil { + return fmt.Errorf("getUserTeams: %v", err) + } + + org.NumTeams = len(org.Teams) + + return +} + +// GetTeams returns all teams that belong to organization, +// and that the user has joined. +func (org *User) GetUserTeams(userID int64) error { + return org.getUserTeams(userID) +} 
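Review bot: `org.NumRepos = len(org.Repos)` and, in the new `getUserTeams`, `org.NumTeams = len(org.Teams)` write counts that are scoped to one viewer into fields of the shared organization `*User`; if those fields are persisted columns of the org record (not visible in this diff) and the object is later handed to an update, the stored totals would shrink to whatever the last viewer could see. Presumably only a number is needed for the page, so the callers could use `len(org.Repos)` and `len(org.Teams)` directly, or the methods could return the count instead of mutating the struct. The doc comment `// GetTeams returns all teams that belong to organization,` sits on `GetUserTeams` and should start with the method's name, e.g. `// GetUserTeams loads the organization's teams that the user with the given userID has joined.`; the same comment is carried unchanged into the last patch of this series ("Remove unnecessary private functions"). Replacing the hand-built list with `In("`team_repo`.team_id", teamIDs)` is the right direction.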
diff --git a/modules/middleware/context.go b/modules/middleware/context.go index d58967b8..59e95aad 100644 --- a/modules/middleware/context.go +++ b/modules/middleware/context.go @@ -65,6 +65,7 @@ type Context struct { Org struct { IsOwner bool IsMember bool + IsTeamMember bool // Is member of team. IsAdminTeam bool // In owner team or team that has admin permission level. Organization *models.User OrgLink string diff --git a/modules/middleware/org.go b/modules/middleware/org.go index 37ba4deb..34ec90dc 100644 --- a/modules/middleware/org.go +++ b/modules/middleware/org.go @@ -5,6 +5,8 @@ package middleware import ( + "strings" + "gopkg.in/macaron.v1" "github.com/gogits/gogs/models" @@ -13,9 +15,10 @@ import ( func HandleOrgAssignment(ctx *Context, args ...bool) { var ( - requireMember bool - requireOwner bool - requireAdminTeam bool + requireMember bool + requireOwner bool + requireTeamMember bool + requireAdminTeam bool ) if len(args) >= 1 { requireMember = args[0] @@ -24,7 +27,10 @@ func HandleOrgAssignment(ctx *Context, args ...bool) { requireOwner = args[1] } if len(args) >= 3 { - requireAdminTeam = args[2] + requireTeamMember = args[2] + } + if len(args) >= 4 { + requireAdminTeam = args[3] } orgName := ctx.Params(":org") @@ -52,11 +58,13 @@ func HandleOrgAssignment(ctx *Context, args ...bool) { if ctx.IsSigned && ctx.User.IsAdmin { ctx.Org.IsOwner = true ctx.Org.IsMember = true + ctx.Org.IsTeamMember = true ctx.Org.IsAdminTeam = true } else if ctx.IsSigned { ctx.Org.IsOwner = org.IsOwnedBy(ctx.User.Id) if ctx.Org.IsOwner { ctx.Org.IsMember = true + ctx.Org.IsTeamMember = true ctx.Org.IsAdminTeam = true } else { if org.IsOrgMember(ctx.User.Id) { 
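Review bot: Reassigning `args[2]` from requireAdminTeam to requireTeamMember in `HandleOrgAssignment` would silently weaken any existing three-argument `OrgAssignment(...)` caller: a route that meant "owner team or admin permission level" would now only require that the user has joined the team, and the compiler cannot flag it because the arity is unchanged. The diff updates one call site in cmd/web.go; whether other three-argument calls exist elsewhere in the repository is not visible here. Appending the new flag as `args[3]` and leaving `args[2]` as requireAdminTeam, or replacing the positional bools with named options, avoids the trap. `HandleOrgAssignment` continues outside the hunk.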
@@ -79,25 +87,45 @@ func HandleOrgAssignment(ctx *Context, args ...bool) { ctx.Data["OrgLink"] = ctx.Org.OrgLink // Team. + if ctx.Org.IsMember { + if err := org.GetUserTeams(ctx.User.Id); err != nil { + ctx.Handle(500, "GetUserTeams", err) + return + } + } + teamName := ctx.Params(":team") if len(teamName) > 0 { - ctx.Org.Team, err = org.GetTeam(teamName) - if err != nil { - if err == models.ErrTeamNotExist { - ctx.Handle(404, "GetTeam", err) - } else { - ctx.Handle(500, "GetTeam", err) + teamExists := false + for _, team := range org.Teams { + if strings.ToLower(team.Name) == strings.ToLower(teamName) { + teamExists = true + ctx.Org.Team = team + ctx.Org.IsTeamMember = true + ctx.Data["Team"] = ctx.Org.Team + break } + } + + if !teamExists { + ctx.Handle(404, "OrgAssignment", err) + return + } + + ctx.Data["IsTeamMember"] = ctx.Org.IsTeamMember + if requireTeamMember && !ctx.Org.IsTeamMember { + ctx.Handle(404, "OrgAssignment", err) return } - ctx.Data["Team"] = ctx.Org.Team + ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN + ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam + if requireAdminTeam && !ctx.Org.IsAdminTeam { + ctx.Handle(404, "OrgAssignment", err) + return + } } - ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam - if requireAdminTeam && !ctx.Org.IsAdminTeam { - ctx.Handle(404, "OrgAssignment", err) - return - } + } func OrgAssignment(args ...bool) macaron.Handler { diff --git a/routers/org/teams.go b/routers/org/teams.go index b2128baa..63618b98 100644 --- a/routers/org/teams.go +++ b/routers/org/teams.go @@ -28,10 +28,7 @@ func Teams(ctx *middleware.Context) { ctx.Data["Title"] = org.FullName ctx.Data["PageIsOrgTeams"] = true - if err := org.GetTeams(); err != nil { - ctx.Handle(500, "GetTeams", err) - return - } + // org.Teams is already loaded by middleware for _, t := range org.Teams { if err := t.GetMembers(); err != nil { ctx.Handle(500, "GetMembers", err) 
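Review bot: The `:team` lookup only searches `org.Teams`, which `org.GetUserTeams(ctx.User.Id)` fills from the caller's own `team_user` rows, so an owner or site admin — whom the branch earlier in this function marks `IsTeamMember` and `IsAdminTeam` unconditionally — now gets a 404 for every team they have not joined, whereas the removed `org.GetTeam(teamName)` found any team of the org. The fallback below keeps the membership check for ordinary members and restores that access; `routers/org/teams.go` and `routers/user/home.go` in this patch inherit the same narrowing through `org.Teams`, so their team listings shrink for owners as well. The unconditional `ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN` likewise overwrites the `true` granted to owners and site admins above; OR-ing the existing value in preserves that grant. `strings.ToLower(team.Name) == strings.ToLower(teamName)` is `strings.EqualFold(team.Name, teamName)`, and `HandleOrgAssignment` starts outside the hunk.
```go
		// … unchanged: loop over org.Teams setting teamExists / ctx.Org.Team …

		if !teamExists && ctx.Org.IsOwner {
			// Owners (and site admins, who are marked IsOwner above) may
			// reach teams they have not joined themselves.
			ctx.Org.Team, err = org.GetTeam(teamName)
			if err == models.ErrTeamNotExist {
				ctx.Handle(404, "GetTeam", err)
				return
			} else if err != nil {
				ctx.Handle(500, "GetTeam", err)
				return
			}
			teamExists = true
			ctx.Data["Team"] = ctx.Org.Team
		}

		// … unchanged: 404 when !teamExists, IsTeamMember and IsAdminTeam checks …
```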
diff --git a/routers/user/home.go b/routers/user/home.go index b198e801..fabe7b1f 100644 --- a/routers/user/home.go +++ b/routers/user/home.go @@ -312,9 +312,10 @@ func showOrgProfile(ctx *middleware.Context) { } org := ctx.Org.Organization + userId := ctx.User.Id ctx.Data["Title"] = org.FullName - if err := org.GetUserRepositories(ctx.User.Id); err != nil { + if err := org.GetUserRepositories(userId); err != nil { ctx.Handle(500, "GetUserRepositories", err) return } @@ -326,11 +327,7 @@ func showOrgProfile(ctx *middleware.Context) { } ctx.Data["Members"] = org.Members - if err := org.GetTeams(); err != nil { - ctx.Handle(500, "GetTeams", err) - return - } - ctx.Data["Teams"] = org.Teams + ctx.Data["Teams"] = org.Teams // already loaded by middleware ctx.HTML(200, ORG_HOME) } -- cgit v1.2.3 From bba1847a8eb08dfc5a3302a23ee210b21e0e71d3 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Sun, 31 Jan 2016 18:13:39 +0000 Subject: Everyone can see public repos --- models/org.go | 17 ++++++++++++++--- routers/user/home.go | 18 +++++++++++++----- 2 files changed, 27 insertions(+), 8 deletions(-) (limited to 'models') diff --git a/models/org.go b/models/org.go index 839d2674..8edb63bb 100644 --- a/models/org.go +++ b/models/org.go @@ -9,6 +9,7 @@ import ( "fmt" "os" "strings" + "strconv" "github.com/go-xorm/xorm" ) 
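Review bot: `userId := ctx.User.Id` in `showOrgProfile` moves the dereference of `ctx.User` to the top of the function but still performs it with no `ctx.IsSigned` check in sight; if the organization home is reachable by anonymous visitors (the function's entry and any guard lie outside the hunk), a logged-out request would panic on a nil `ctx.User`. The following patch in this series ("Everyone can see public repos") adds the `ctx.IsSigned` branch that resolves it. Go naming would also spell the local `userID`.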
@@ -1039,14 +1040,24 @@ func (org *User) getUserRepositories(userID int64) (err error) { return fmt.Errorf("getUserRepositories: get teams: %v", err) } - var teamIDs []int64 + var teamIDs []string for _, team := range teams { - teamIDs = append(teamIDs, team.ID) + teamIDs = append(teamIDs, strconv.FormatInt(team.ID, 10)) } + if len(teamIDs) == 0 { + // user has no team but "IN ()" is invalid SQL + teamIDs = append(teamIDs, "0") // there is no repo with id=0 + } + + // Due to a bug in xorm using IN() together with OR() is impossible. + // As a workaround, we have to build the IN statement on our own, until this is fixed. + // https://github.com/go-xorm/xorm/issues/342 if err := x.Cols("`repository`.*"). - In("`team_repo`.team_id", teamIDs). Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id"). + Where("`repository`.owner_id=?", org.Id). + And("`repository`.is_private=?", false). + Or("`team_repo`.team_id=(?)", strings.Join(teamIDs, ",")). GroupBy("`repository`.id"). Find(&org.Repos); err != nil { return fmt.Errorf("getUserRepositories: get repositories: %v", err) diff --git a/routers/user/home.go b/routers/user/home.go index fabe7b1f..6e2135dc 100644 --- a/routers/user/home.go +++ b/routers/user/home.go @@ -312,14 +312,22 @@ func showOrgProfile(ctx *middleware.Context) { } org := ctx.Org.Organization - userId := ctx.User.Id ctx.Data["Title"] = org.FullName - if err := org.GetUserRepositories(userId); err != nil { - ctx.Handle(500, "GetUserRepositories", err) - return + if ctx.IsSigned { + if err := org.GetUserRepositories(ctx.User.Id); err != nil { + ctx.Handle(500, "GetUserRepositories", err) + return + } + ctx.Data["Repos"] = org.Repos + } else { + if repos, err := models.GetRepositories(org.Id, false); err != nil { + ctx.Handle(500, "GetRepositories", err) + return + } else { + ctx.Data["Repos"] = repos + } } - ctx.Data["Repos"] = org.Repos if err := org.GetMembers(); err != nil { ctx.Handle(500, "GetMembers", err) -- cgit v1.2.3 
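Review bot: `Or("`team_repo`.team_id=(?)", strings.Join(teamIDs, ","))` does not build the IN list the comment describes: the joined string is bound as a single parameter, so the generated SQL is `team_id=('3,7,12')`, a comparison against one text value, which MySQL silently casts to `3` (only the first team matches) and stricter backends reject or never match, so members of several teams lose repositories that the commit title promises them. Because every element of `teamIDs` is produced by `strconv.FormatInt(team.ID, 10)` (the sentinel included), interpolating is injection-safe here, and the intended clause is `Or("`team_repo`.team_id IN (" + strings.Join(teamIDs, ",") + ")")`; please state in the comment that the safety rests on that formatting. Note also that the INNER JOIN on `team_repo` drops any public repository without a team row, which is only correct if every org repository is attached to at least one team (presumably the owners team; not visible here). The precedence reads as `(owner_id=? AND is_private=false) OR team_id IN (...)`, which appears to be what is meant.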
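Review bot: The anonymous branch of `showOrgProfile` hides `repos` inside an `if repos, err := ...; err != nil { } else { }` chain, the else-after-return shape Go style discourages; declare `repos, err := models.GetRepositories(org.Id, false)` first, keep the existing `ctx.Handle(500, "GetRepositories", err)` and `return` for the error, and assign `ctx.Data["Repos"] = repos` on the unindented happy path. Both branches end by populating `ctx.Data["Repos"]`, so one assignment after the `if`/`else` would also do. `showOrgProfile` continues outside the hunk.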
From 90780a0d90d19eb7e022603dfd2bf24148818d19 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Sun, 31 Jan 2016 19:16:40 +0000 Subject: Use invalid value (-1) instead of 0 to prevent bug if auto increment starts with 0 --- models/org.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'models') diff --git a/models/org.go b/models/org.go index 8edb63bb..9254709a 100644 --- a/models/org.go +++ b/models/org.go @@ -1046,7 +1046,7 @@ func (org *User) getUserRepositories(userID int64) (err error) { } if len(teamIDs) == 0 { // user has no team but "IN ()" is invalid SQL - teamIDs = append(teamIDs, "0") // there is no repo with id=0 + teamIDs = append(teamIDs, "-1") // there is no repo with id=-1 } // Due to a bug in xorm using IN() together with OR() is impossible. -- cgit v1.2.3 From fb1708e1afefa86b11ef9464796896bcc8dbc7e8 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Thu, 4 Feb 2016 17:08:25 +0000 Subject: Remove unnecessary private functions --- models/org.go | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) (limited to 'models') diff --git a/models/org.go b/models/org.go index 9254709a..91a47e31 100644 --- a/models/org.go +++ b/models/org.go @@ -1030,7 +1030,9 @@ func RemoveOrgRepo(orgID, repoID int64) error { return removeOrgRepo(x, orgID, repoID) } -func (org *User) getUserRepositories(userID int64) (err error) { +// GetUserRepositories gets all repositories of an organization, +// that the user with the given userID has access to. +func (org *User) GetUserRepositories(userID int64) (err error) { teams := make([]*Team, 0, 10) if err := x.Cols("`team`.id"). Where("`team_user`.org_id=?", org.Id). 
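Review bot: The comment on the changed line names the wrong table: the sentinel is compared against `team_repo.team_id`, not a repository id, so `// there is no team with id=-1` is what a reader has to verify. The reason given in the subject (an auto-increment that may start at 0) belongs in that comment as well, otherwise a later edit may switch it back to `"0"`.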
@@ -1068,13 +1070,9 @@ func (org *User) getUserRepositories(userID int64) (err error) { return } -// GetUserRepositories gets all repositories of an organization, -// that the user with the given userID has access to. -func (org *User) GetUserRepositories(userID int64) error { - return org.getUserRepositories(userID) -} - -func (org *User) getUserTeams(userID int64) (err error) { +// GetTeams returns all teams that belong to organization, +// and that the user has joined. +func (org *User) GetUserTeams(userID int64) (err error) { if err := x.Cols("`team`.*"). Where("`team_user`.org_id=?", org.Id). And("`team_user`.uid=?", userID). @@ -1087,9 +1085,3 @@ func (org *User) getUserTeams(userID int64) (err error) { return } - -// GetTeams returns all teams that belong to organization, -// and that the user has joined. -func (org *User) GetUserTeams(userID int64) error { - return org.getUserTeams(userID) -} -- cgit v1.2.3
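Review bot: Promoting the body to `GetUserTeams` keeps the named result `(err error)` with a bare `return`, while the `if err := x.Cols(...)...Find(&org.Teams); err != nil` inside shadows that result; the exported wrapper it replaces returned plain `error`, and `func (org *User) GetUserTeams(userID int64) error` with an explicit `return nil` at the end avoids the shadowing that vet's shadow check flags. The same shape applies to `GetUserRepositories` in the previous hunk of this patch.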