Restrict permission check on repositories and fix some problems (#5314)

* fix units permission problems * fix some bugs and merge LoadUnits to repoAssignment * refactor permission struct and add some copyright heads * remove unused codes * fix routes units check * improve permission check * add unit tests for permission * fix typo * fix tests * fix some routes * fix api permission check * improve permission check * fix some permission check * fix tests * fix tests * improve some permission check * fix some permission check * refactor AccessLevel * fix bug * fix tests * fix tests * fix tests * fix AccessLevel * rename CanAccess * fix tests * fix comment * fix bug * add missing unit for test repos * fix bug * rename some functions * fix routes check
2025-11-04 16:40:24 +08:00 · 2018-11-28 19:26:14 +08:00
parent 0222623be9
commit eabbddcd98
80 changed files with 1360 additions and 774 deletions
--- a/modules/context/permission.go
+++ b/modules/context/permission.go
@@ -0,0 +1,64 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package context
+
+import (
+	"code.gitea.io/gitea/models"
+	macaron "gopkg.in/macaron.v1"
+)
+
+// RequireRepoAdmin returns a macaron middleware for requiring repository admin permission
+func RequireRepoAdmin() macaron.Handler {
+	return func(ctx *Context) {
+		if !ctx.IsSigned || !ctx.Repo.IsAdmin() {
+			ctx.NotFound(ctx.Req.RequestURI, nil)
+			return
+		}
+	}
+}
+
+// RequireRepoWriter returns a macaron middleware for requiring repository write to the specify unitType
+func RequireRepoWriter(unitType models.UnitType) macaron.Handler {
+	return func(ctx *Context) {
+		if !ctx.Repo.CanWrite(unitType) {
+			ctx.NotFound(ctx.Req.RequestURI, nil)
+			return
+		}
+	}
+}
+
+// RequireRepoWriterOr returns a macaron middleware for requiring repository write to one of the unit permission
+func RequireRepoWriterOr(unitTypes ...models.UnitType) macaron.Handler {
+	return func(ctx *Context) {
+		for _, unitType := range unitTypes {
+			if ctx.Repo.CanWrite(unitType) {
+				return
+			}
+		}
+		ctx.NotFound(ctx.Req.RequestURI, nil)
+	}
+}
+
+// RequireRepoReader returns a macaron middleware for requiring repository read to the specify unitType
+func RequireRepoReader(unitType models.UnitType) macaron.Handler {
+	return func(ctx *Context) {
+		if !ctx.Repo.CanRead(unitType) {
+			ctx.NotFound(ctx.Req.RequestURI, nil)
+			return
+		}
+	}
+}
+
+// RequireRepoReaderOr returns a macaron middleware for requiring repository write to one of the unit permission
+func RequireRepoReaderOr(unitTypes ...models.UnitType) macaron.Handler {
+	return func(ctx *Context) {
+		for _, unitType := range unitTypes {
+			if ctx.Repo.CanRead(unitType) {
+				return
+			}
+		}
+		ctx.NotFound(ctx.Req.RequestURI, nil)
+	}
+}