From 4e79adf6b5bf7ec7bc3b2b47469baafd1cb0b774 Mon Sep 17 00:00:00 2001 From: Peter Smit Date: Thu, 5 Feb 2015 15:29:08 +0200 Subject: Refactoring of the Access Table This commit does a lot of the work of refactoring the access table in a table with id's instead of strings. The result does compile, but has not been tested. It may eat your kittens. --- modules/middleware/org.go | 2 +- modules/middleware/repo.go | 155 +++++++++++---------------------------------- 2 files changed, 38 insertions(+), 119 deletions(-) (limited to 'modules') diff --git a/modules/middleware/org.go b/modules/middleware/org.go index e6872586..cbce5486 100644 --- a/modules/middleware/org.go +++ b/modules/middleware/org.go @@ -87,7 +87,7 @@ func OrgAssignment(redirect bool, args ...bool) macaron.Handler { return } ctx.Data["Team"] = ctx.Org.Team - ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize == models.ORG_ADMIN + ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.AdminAccess } ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam if requireAdminTeam && !ctx.Org.IsAdminTeam { diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go index d143d8a8..66e6f3a5 100644 --- a/modules/middleware/repo.go +++ b/modules/middleware/repo.go @@ -5,7 +5,6 @@ package middleware import ( - "errors" "fmt" "net/url" "strings" @@ -29,17 +28,10 @@ func ApiRepoAssignment() macaron.Handler { err error ) - // Collaborators who have write access can be seen as owners. - if ctx.IsSigned { - ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE) - if err != nil { - ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL}) - return - } - ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName) - } - - if !ctx.Repo.IsTrueOwner { + // Check if the user is the same as the repository owner + if ctx.IsSigned && u.LowerName == strings.ToLower(userName) { + u = ctx.User + } else { u, err = models.GetUserByName(userName) if err != nil { if err == models.ErrUserNotExist { @@ -49,64 +41,38 @@ func ApiRepoAssignment() macaron.Handler { } return } - } else { - u = ctx.User } ctx.Repo.Owner = u - // Organization owner team members are true owners as well. - if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) { - ctx.Repo.IsTrueOwner = true - } - // Get repository. repo, err := models.GetRepositoryByName(u.Id, repoName) if err != nil { if err == models.ErrRepoNotExist { ctx.Error(404) - return + } else { + ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL}) } - ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL}) return } else if err = repo.GetOwner(); err != nil { ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL}) return } - // Check if the mirror repository owner(mirror repository doesn't have access). - if ctx.IsSigned && !ctx.Repo.IsOwner { - if repo.OwnerId == ctx.User.Id { - ctx.Repo.IsOwner = true - } - // Check if current user has admin permission to repository. - if u.IsOrganization() { - auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0) - if err != nil { - ctx.JSON(500, &base.ApiJsonErr{"GetHighestAuthorize: " + err.Error(), base.DOC_URL}) - return - } - if auth == models.ORG_ADMIN { - ctx.Repo.IsOwner = true - ctx.Repo.IsAdmin = true - } + if ctx.IsSigned { + mode, err := models.AccessLevel(ctx.User, repo) + if err != nil { + ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL}) + return } + ctx.Repo.IsOwner = mode >= models.WriteAccess + ctx.Repo.IsAdmin = mode >= models.ReadAccess + ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess } // Check access. if repo.IsPrivate && !ctx.Repo.IsOwner { - if ctx.User == nil { - ctx.Error(404) - return - } - - hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE) - if err != nil { - ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL}) - return - } else if !hasAccess { - ctx.Error(404) - return - } + ctx.Error(404) + return } ctx.Repo.HasAccess = true @@ -242,101 +208,54 @@ func RepoAssignment(redirect bool, args ...bool) macaron.Handler { refName = ctx.Params(":path") } - // Collaborators who have write access can be seen as owners. - if ctx.IsSigned { - ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE) - if err != nil { - ctx.Handle(500, "HasAccess", err) - return - } - ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName) - } - - if !ctx.Repo.IsTrueOwner { + // Check if the user is the same as the repository owner + if ctx.IsSigned && u.LowerName == strings.ToLower(userName) { + u = ctx.User + } else { u, err = models.GetUserByName(userName) if err != nil { if err == models.ErrUserNotExist { - ctx.Handle(404, "GetUserByName", err) - } else if redirect { - log.Error(4, "GetUserByName", err) - ctx.Redirect(setting.AppSubUrl + "/") + ctx.Error(404) } else { - ctx.Handle(500, "GetUserByName", err) + ctx.JSON(500, &base.ApiJsonErr{"GetUserByName: " + err.Error(), base.DOC_URL}) } return } - } else { - u = ctx.User - } - - if u == nil { - if redirect { - ctx.Redirect(setting.AppSubUrl + "/") - return - } - ctx.Handle(404, "RepoAssignment", errors.New("invliad user account for single repository")) - return } ctx.Repo.Owner = u - // Organization owner team members are true owners as well. - if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) { - ctx.Repo.IsTrueOwner = true - } - // Get repository. repo, err := models.GetRepositoryByName(u.Id, repoName) if err != nil { if err == models.ErrRepoNotExist { - ctx.Handle(404, "GetRepositoryByName", err) - return - } else if redirect { - ctx.Redirect(setting.AppSubUrl + "/") - return + ctx.Error(404) + } else { + ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL}) } - ctx.Handle(500, "GetRepositoryByName", err) return } else if err = repo.GetOwner(); err != nil { - ctx.Handle(500, "GetOwner", err) + ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL}) return } - // Check if the mirror repository owner(mirror repository doesn't have access). - if ctx.IsSigned && !ctx.Repo.IsOwner { - if repo.OwnerId == ctx.User.Id { - ctx.Repo.IsOwner = true - } - // Check if current user has admin permission to repository. - if u.IsOrganization() { - auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0) - if err != nil { - ctx.Handle(500, "GetHighestAuthorize", err) - return - } - if auth == models.ORG_ADMIN { - ctx.Repo.IsOwner = true - ctx.Repo.IsAdmin = true - } + if ctx.IsSigned { + mode, err := models.AccessLevel(ctx.User, repo) + if err != nil { + ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL}) + return } + ctx.Repo.IsOwner = mode >= models.WriteAccess + ctx.Repo.IsAdmin = mode >= models.ReadAccess + ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess } // Check access. if repo.IsPrivate && !ctx.Repo.IsOwner { - if ctx.User == nil { - ctx.Handle(404, "HasAccess", nil) - return - } - - hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE) - if err != nil { - ctx.Handle(500, "HasAccess", err) - return - } else if !hasAccess { - ctx.Handle(404, "HasAccess", nil) - return - } + ctx.Error(404) + return } ctx.Repo.HasAccess = true + ctx.Data["HasAccess"] = true if repo.IsMirror { -- cgit v1.2.3 From 0d158e569b0c19614b5e946849e8b7a8e4a75015 Mon Sep 17 00:00:00 2001 From: Peter Smit Date: Mon, 9 Feb 2015 13:36:33 +0200 Subject: Change constants to UPPERCASE_WITH_UNDERSCORE style --- cmd/serve.go | 14 +++++++------- models/access.go | 24 ++++++++++++------------ models/org.go | 2 +- modules/middleware/org.go | 2 +- modules/middleware/repo.go | 12 ++++++------ routers/api/v1/repo.go | 2 +- routers/org/teams.go | 12 ++++++------ routers/repo/http.go | 12 ++++++------ routers/user/home.go | 4 ++-- 9 files changed, 42 insertions(+), 42 deletions(-) (limited to 'modules') diff --git a/cmd/serve.go b/cmd/serve.go index d9d1a06b..90e1045c 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -59,14 +59,14 @@ func parseCmd(cmd string) (string, string) { var ( COMMANDS_READONLY = map[string]models.AccessMode{ - "git-upload-pack": models.WriteAccess, - "git upload-pack": models.WriteAccess, - "git-upload-archive": models.WriteAccess, + "git-upload-pack": models.ACCESS_MODE_WRITE, + "git upload-pack": models.ACCESS_MODE_WRITE, + "git-upload-archive": models.ACCESS_MODE_WRITE, } COMMANDS_WRITE = map[string]models.AccessMode{ - "git-receive-pack": models.ReadAccess, - "git receive-pack": models.ReadAccess, + "git-receive-pack": models.ACCESS_MODE_READ, + "git receive-pack": models.ACCESS_MODE_READ, } ) @@ -141,7 +141,7 @@ func runServ(k *cli.Context) { switch { case isWrite: - has, err := models.HasAccess(user, repo, models.WriteAccess) + has, err := models.HasAccess(user, repo, models.ACCESS_MODE_WRITE) if err != nil { println("Gogs: internal error:", err.Error()) log.GitLogger.Fatal(2, "Fail to check write access:", err) @@ -154,7 +154,7 @@ func runServ(k *cli.Context) { break } - has, err := models.HasAccess(user, repo, models.ReadAccess) + has, err := models.HasAccess(user, repo, models.ACCESS_MODE_READ) if err != nil { println("Gogs: internal error:", err.Error()) log.GitLogger.Fatal(2, "Fail to check read access:", err) diff --git a/models/access.go b/models/access.go index ee678a07..916711f7 100644 --- a/models/access.go +++ b/models/access.go @@ -11,15 +11,15 @@ package models type AccessMode int const ( - NoAccess AccessMode = iota - ReadAccess - WriteAccess - AdminAccess - OwnerAccess + ACCESS_MODE_NONE AccessMode = iota + ACCESS_MODE_READ + ACCESS_MODE_WRITE + ACCESS_MODE_ADMIN + ACCESS_MODE_OWNER ) func maxAccessMode(modes ...AccessMode) AccessMode { - max := NoAccess + max := ACCESS_MODE_NONE for _, mode := range modes { if mode > max { max = mode @@ -47,14 +47,14 @@ func HasAccess(u *User, r *Repository, testMode AccessMode) (bool, error) { // Return the Access a user has to a repository. Will return NoneAccess if the // user does not have access. User can be nil! func AccessLevel(u *User, r *Repository) (AccessMode, error) { - mode := NoAccess + mode := ACCESS_MODE_NONE if !r.IsPrivate { - mode = ReadAccess + mode = ACCESS_MODE_READ } if u != nil { if u.Id == r.OwnerId { - return OwnerAccess, nil + return ACCESS_MODE_OWNER, nil } a := &Access{UserID: u.Id, RepoID: r.Id} @@ -101,7 +101,7 @@ func (r *Repository) RecalcAccessSess() error { return err } for _, c := range collaborators { - accessMap[c.Id] = WriteAccess + accessMap[c.Id] = ACCESS_MODE_WRITE } if err := r.GetOwner(); err != nil { @@ -126,9 +126,9 @@ func (r *Repository) RecalcAccessSess() error { } } - minMode := ReadAccess + minMode := ACCESS_MODE_READ if !r.IsPrivate { - minMode = WriteAccess + minMode = ACCESS_MODE_WRITE } newAccesses := make([]Access, 0, len(accessMap)) diff --git a/models/org.go b/models/org.go index 5e3bb0e0..f6d472a6 100644 --- a/models/org.go +++ b/models/org.go @@ -135,7 +135,7 @@ func CreateOrganization(org, owner *User) (*User, error) { OrgId: org.Id, LowerName: strings.ToLower(OWNER_TEAM), Name: OWNER_TEAM, - Authorize: OwnerAccess, + Authorize: ACCESS_MODE_OWNER, NumMembers: 1, } if _, err = sess.Insert(t); err != nil { diff --git a/modules/middleware/org.go b/modules/middleware/org.go index cbce5486..0e544fe4 100644 --- a/modules/middleware/org.go +++ b/modules/middleware/org.go @@ -87,7 +87,7 @@ func OrgAssignment(redirect bool, args ...bool) macaron.Handler { return } ctx.Data["Team"] = ctx.Org.Team - ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.AdminAccess + ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN } ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam if requireAdminTeam && !ctx.Org.IsAdminTeam { diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go index 66e6f3a5..bc1d1f96 100644 --- a/modules/middleware/repo.go +++ b/modules/middleware/repo.go @@ -64,9 +64,9 @@ func ApiRepoAssignment() macaron.Handler { ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL}) return } - ctx.Repo.IsOwner = mode >= models.WriteAccess - ctx.Repo.IsAdmin = mode >= models.ReadAccess - ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess + ctx.Repo.IsOwner = mode >= models.ACCESS_MODE_WRITE + ctx.Repo.IsAdmin = mode >= models.ACCESS_MODE_READ + ctx.Repo.IsTrueOwner = mode >= models.ACCESS_MODE_OWNER } // Check access. @@ -244,9 +244,9 @@ func RepoAssignment(redirect bool, args ...bool) macaron.Handler { ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL}) return } - ctx.Repo.IsOwner = mode >= models.WriteAccess - ctx.Repo.IsAdmin = mode >= models.ReadAccess - ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess + ctx.Repo.IsOwner = mode >= models.ACCESS_MODE_WRITE + ctx.Repo.IsAdmin = mode >= models.ACCESS_MODE_READ + ctx.Repo.IsTrueOwner = mode >= models.ACCESS_MODE_OWNER } // Check access. diff --git a/routers/api/v1/repo.go b/routers/api/v1/repo.go index 78c9f9a6..f5128e47 100644 --- a/routers/api/v1/repo.go +++ b/routers/api/v1/repo.go @@ -255,7 +255,7 @@ func ListMyRepos(ctx *middleware.Context) { return } - repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.WriteAccess, true}) + repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.ACCESS_MODE_WRITE, true}) // FIXME: cache result to reduce DB query? if repo.Owner.IsOrganization() && repo.Owner.IsOwnedBy(ctx.User.Id) { diff --git a/routers/org/teams.go b/routers/org/teams.go index 4fef02c9..a315abe0 100644 --- a/routers/org/teams.go +++ b/routers/org/teams.go @@ -171,11 +171,11 @@ func NewTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) { var auth models.AccessMode switch form.Permission { case "read": - auth = models.ReadAccess + auth = models.ACCESS_MODE_READ case "write": - auth = models.WriteAccess + auth = models.ACCESS_MODE_WRITE case "admin": - auth = models.AdminAccess + auth = models.ACCESS_MODE_ADMIN default: ctx.Error(401) return @@ -252,11 +252,11 @@ func EditTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) { var auth models.AccessMode switch form.Permission { case "read": - auth = models.ReadAccess + auth = models.ACCESS_MODE_READ case "write": - auth = models.WriteAccess + auth = models.ACCESS_MODE_WRITE case "admin": - auth = models.AdminAccess + auth = models.ACCESS_MODE_ADMIN default: ctx.Error(401) return diff --git a/routers/repo/http.go b/routers/repo/http.go index 716c7127..4173c7a9 100644 --- a/routers/repo/http.go +++ b/routers/repo/http.go @@ -115,9 +115,9 @@ func Http(ctx *middleware.Context) { } if !isPublicPull { - var tp = models.WriteAccess + var tp = models.ACCESS_MODE_WRITE if isPull { - tp = models.ReadAccess + tp = models.ACCESS_MODE_READ } has, err := models.HasAccess(authUser, repo, tp) @@ -125,8 +125,8 @@ func Http(ctx *middleware.Context) { ctx.Handle(401, "no basic auth and digit auth", nil) return } else if !has { - if tp == models.ReadAccess { - has, err = models.HasAccess(authUser, repo, models.WriteAccess) + if tp == models.ACCESS_MODE_READ { + has, err = models.HasAccess(authUser, repo, models.ACCESS_MODE_WRITE) if err != nil || !has { ctx.Handle(401, "no basic auth and digit auth", nil) return @@ -268,7 +268,7 @@ func serviceRpc(rpc string, hr handler) { access := hasAccess(r, hr.Config, dir, rpc, true) if access == false { - renderNoAccess(w) + renderACCESS_MODE_NONE(w) return } @@ -495,7 +495,7 @@ func renderNotFound(w http.ResponseWriter) { w.Write([]byte("Not Found")) } -func renderNoAccess(w http.ResponseWriter) { +func renderACCESS_MODE_NONE(w http.ResponseWriter) { w.WriteHeader(http.StatusForbidden) w.Write([]byte("Forbidden")) } diff --git a/routers/user/home.go b/routers/user/home.go index 82325cb7..ce82ae77 100644 --- a/routers/user/home.go +++ b/routers/user/home.go @@ -103,7 +103,7 @@ func Dashboard(ctx *middleware.Context) { feeds := make([]*models.Action, 0, len(actions)) for _, act := range actions { if act.IsPrivate { - if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true}, models.ReadAccess); !has { + if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true}, models.ACCESS_MODE_READ); !has { continue } } @@ -211,7 +211,7 @@ func Profile(ctx *middleware.Context) { continue } if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true}, - models.ReadAccess); !has { + models.ACCESS_MODE_READ); !has { continue } } -- cgit v1.2.3