Only show teams the user has access to

Florian Kaiser 2016-01-31 13:28:42 +00:00
parent 5eafe2b17e
commit e35791b2b2
6 changed files with 84 additions and 41 deletions


@ -350,11 +350,14 @@ func runWeb(ctx *cli.Context) {
m.Get("/members/action/:action", org.MembersAction) m.Get("/members/action/:action", org.MembersAction)
m.Get("/teams", org.Teams) m.Get("/teams", org.Teams)
}, middleware.OrgAssignment(true))
m.Group("/:org", func() {
m.Get("/teams/:team", org.TeamMembers) m.Get("/teams/:team", org.TeamMembers)
m.Get("/teams/:team/repositories", org.TeamRepositories) m.Get("/teams/:team/repositories", org.TeamRepositories)
m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction) m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction)
m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction) m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction)
}, middleware.OrgAssignment(true)) }, middleware.OrgAssignment(true, false, true))
m.Group("/:org", func() { m.Group("/:org", func() {
m.Get("/teams/new", org.NewTeam) m.Get("/teams/new", org.NewTeam)
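Review bot: `middleware.OrgAssignment(true, false, true)` on the `/:org` team group now means requireMember, not requireOwner, requireTeamMember under the new positional order, and any existing call site that passed a third `true` to mean requireAdminTeam (the old args[2]) silently turns into a weaker team-membership check; the `/teams/new` group that begins at the bottom of this hunk is the one to verify. Positional booleans make such a shift easy to miss in review, so a comment at each call naming the flags, `// requireMember=true, requireOwner=false, requireTeamMember=true`, or a small options struct would keep the authorization intent readable. The runWeb body continues outside the hunk.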


@ -9,7 +9,6 @@ import (
"fmt" "fmt"
"os" "os"
"strings" "strings"
"strconv"
"github.com/go-xorm/xorm" "github.com/go-xorm/xorm"
) )
@ -1037,31 +1036,49 @@ func (org *User) getUserRepositories(userID int64) (err error) {
And("`team_user`.uid=?", userID). And("`team_user`.uid=?", userID).
Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id"). Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id").
Find(&teams); err != nil { Find(&teams); err != nil {
return fmt.Errorf("get team: %v", err) return fmt.Errorf("getUserRepositories: get teams: %v", err)
} }
var teamIDs []string var teamIDs []int64
for _, team := range teams { for _, team := range teams {
s := strconv.FormatInt(team.ID, 32) teamIDs = append(teamIDs, team.ID)
teamIDs = append(teamIDs, s)
} }
// The "in" clause it not vulnerable to SQL injection because we
// convert it from int64 a few lines above. Sadly, xorm does not support
// "in" clauses as a function, so we have to build our own (for now).
if err := x.Cols("`repository`.*"). if err := x.Cols("`repository`.*").
Where("`team_repo`.team_id in (" + strings.Join(teamIDs, ",") + ")"). In("`team_repo`.team_id", teamIDs).
Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id"). Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id").
GroupBy("`repository`.id"). GroupBy("`repository`.id").
Find(&org.Repos); err != nil { Find(&org.Repos); err != nil {
return fmt.Errorf("get repositories: %v", err) return fmt.Errorf("getUserRepositories: get repositories: %v", err)
} }
org.NumRepos = len(org.Repos)
return return
} }
// GetUserRepositories gets all repositories of an organization, // GetUserRepositories gets all repositories of an organization,
// that the user with the given userID has access to. // that the user with the given userID has access to.
func (org *User) GetUserRepositories(userID int64) (err error) { func (org *User) GetUserRepositories(userID int64) error {
return org.getUserRepositories(userID) return org.getUserRepositories(userID)
} }
func (org *User) getUserTeams(userID int64) (err error) {
if err := x.Cols("`team`.*").
Where("`team_user`.org_id=?", org.Id).
And("`team_user`.uid=?", userID).
Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id").
Find(&org.Teams); err != nil {
return fmt.Errorf("getUserTeams: %v", err)
}
org.NumTeams = len(org.Teams)
return
}
// GetTeams returns all teams that belong to organization,
// and that the user has joined.
func (org *User) GetUserTeams(userID int64) error {
return org.getUserTeams(userID)
}
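Review bot: The doc comment on `GetUserTeams` names a different function (`// GetTeams returns all teams ...`), so readers and lint tooling will misattribute it; it should read `// GetUserTeams returns all teams that belong to the organization and that the user with the given userID has joined.` The `(err error)` named result on `getUserTeams` is only shadowed by the `if err := ...` initializer and then returned bare, so it can be a plain `error` return like the exported wrapper, matching the `GetUserRepositories` signature this commit already changed. Note also that `getUserTeams` assigns into `org.Teams` without resetting it; whether xorm's `Find` appends to or replaces a non-empty slice decides if a second call on the same `*User` accumulates duplicates, which is worth confirming.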


@ -65,6 +65,7 @@ type Context struct {
Org struct { Org struct {
IsOwner bool IsOwner bool
IsMember bool IsMember bool
IsTeamMember bool // Is member of team.
IsAdminTeam bool // In owner team or team that has admin permission level. IsAdminTeam bool // In owner team or team that has admin permission level.
Organization *models.User Organization *models.User
OrgLink string OrgLink string


@ -5,6 +5,8 @@
package middleware package middleware
import ( import (
"strings"
"gopkg.in/macaron.v1" "gopkg.in/macaron.v1"
"github.com/gogits/gogs/models" "github.com/gogits/gogs/models"
@ -15,6 +17,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
var ( var (
requireMember bool requireMember bool
requireOwner bool requireOwner bool
requireTeamMember bool
requireAdminTeam bool requireAdminTeam bool
) )
if len(args) >= 1 { if len(args) >= 1 {
@ -24,7 +27,10 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
requireOwner = args[1] requireOwner = args[1]
} }
if len(args) >= 3 { if len(args) >= 3 {
requireAdminTeam = args[2] requireTeamMember = args[2]
}
if len(args) >= 4 {
requireAdminTeam = args[3]
} }
orgName := ctx.Params(":org") orgName := ctx.Params(":org")
@ -52,11 +58,13 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
if ctx.IsSigned && ctx.User.IsAdmin { if ctx.IsSigned && ctx.User.IsAdmin {
ctx.Org.IsOwner = true ctx.Org.IsOwner = true
ctx.Org.IsMember = true ctx.Org.IsMember = true
ctx.Org.IsTeamMember = true
ctx.Org.IsAdminTeam = true ctx.Org.IsAdminTeam = true
} else if ctx.IsSigned { } else if ctx.IsSigned {
ctx.Org.IsOwner = org.IsOwnedBy(ctx.User.Id) ctx.Org.IsOwner = org.IsOwnedBy(ctx.User.Id)
if ctx.Org.IsOwner { if ctx.Org.IsOwner {
ctx.Org.IsMember = true ctx.Org.IsMember = true
ctx.Org.IsTeamMember = true
ctx.Org.IsAdminTeam = true ctx.Org.IsAdminTeam = true
} else { } else {
if org.IsOrgMember(ctx.User.Id) { if org.IsOrgMember(ctx.User.Id) {
@ -79,25 +87,45 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
ctx.Data["OrgLink"] = ctx.Org.OrgLink ctx.Data["OrgLink"] = ctx.Org.OrgLink
// Team. // Team.
teamName := ctx.Params(":team") if ctx.Org.IsMember {
if len(teamName) > 0 { if err := org.GetUserTeams(ctx.User.Id); err != nil {
ctx.Org.Team, err = org.GetTeam(teamName) ctx.Handle(500, "GetUserTeams", err)
if err != nil {
if err == models.ErrTeamNotExist {
ctx.Handle(404, "GetTeam", err)
} else {
ctx.Handle(500, "GetTeam", err)
}
return return
} }
ctx.Data["Team"] = ctx.Org.Team
ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN
} }
teamName := ctx.Params(":team")
if len(teamName) > 0 {
teamExists := false
for _, team := range org.Teams {
if strings.ToLower(team.Name) == strings.ToLower(teamName) {
teamExists = true
ctx.Org.Team = team
ctx.Org.IsTeamMember = true
ctx.Data["Team"] = ctx.Org.Team
break
}
}
if !teamExists {
ctx.Handle(404, "OrgAssignment", err)
return
}
ctx.Data["IsTeamMember"] = ctx.Org.IsTeamMember
if requireTeamMember && !ctx.Org.IsTeamMember {
ctx.Handle(404, "OrgAssignment", err)
return
}
ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN
ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam
if requireAdminTeam && !ctx.Org.IsAdminTeam { if requireAdminTeam && !ctx.Org.IsAdminTeam {
ctx.Handle(404, "OrgAssignment", err) ctx.Handle(404, "OrgAssignment", err)
return return
} }
}
} }
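Review bot: A site admin who has not joined any team of the organization can no longer reach a `/:team` route: the `ctx.User.IsAdmin` branch sets `IsMember` and `IsTeamMember`, but `org.GetUserTeams(ctx.User.Id)` only returns teams matched through `team_user.uid`, so `org.Teams` stays empty, `teamExists` stays false and the request ends in the `if !teamExists` 404; an owner who is not in any team, if that state is possible here, is affected the same way. The following `requireTeamMember && !ctx.Org.IsTeamMember` check is unreachable, because the loop sets `ctx.Org.IsTeamMember = true` whenever `teamExists` becomes true. Both new 404 handlers pass `err`, which at this point is whatever the earlier org lookup left (presumably nil), so the log entry carries no reason; `errors.New("team not found")` or `models.ErrTeamNotExist` would be more useful. The double `strings.ToLower` comparison can be `strings.EqualFold(team.Name, teamName)`. HandleOrgAssignment's signature and the start of its body lie outside this hunk.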
func OrgAssignment(args ...bool) macaron.Handler { func OrgAssignment(args ...bool) macaron.Handler {


@ -28,10 +28,7 @@ func Teams(ctx *middleware.Context) {
ctx.Data["Title"] = org.FullName ctx.Data["Title"] = org.FullName
ctx.Data["PageIsOrgTeams"] = true ctx.Data["PageIsOrgTeams"] = true
if err := org.GetTeams(); err != nil { // org.Teams is already loaded by middleware
ctx.Handle(500, "GetTeams", err)
return
}
for _, t := range org.Teams { for _, t := range org.Teams {
if err := t.GetMembers(); err != nil { if err := t.GetMembers(); err != nil {
ctx.Handle(500, "GetMembers", err) ctx.Handle(500, "GetMembers", err)
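Review bot: The comment `// org.Teams is already loaded by middleware` does not say which middleware or under what condition, and `HandleOrgAssignment` only populates the slice when `ctx.Org.IsMember` is true, so a maintainer cannot tell from this handler when `org.Teams` may legitimately be empty; suggest `// org.Teams was populated by middleware.HandleOrgAssignment (only when ctx.Org.IsMember) and holds the teams the current user has joined, not all teams of the org`. The Teams handler's body continues outside the hunk.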


@ -312,9 +312,10 @@ func showOrgProfile(ctx *middleware.Context) {
} }
org := ctx.Org.Organization org := ctx.Org.Organization
userId := ctx.User.Id
ctx.Data["Title"] = org.FullName ctx.Data["Title"] = org.FullName
if err := org.GetUserRepositories(ctx.User.Id); err != nil { if err := org.GetUserRepositories(userId); err != nil {
ctx.Handle(500, "GetUserRepositories", err) ctx.Handle(500, "GetUserRepositories", err)
return return
} }
@ -326,11 +327,7 @@ func showOrgProfile(ctx *middleware.Context) {
} }
ctx.Data["Members"] = org.Members ctx.Data["Members"] = org.Members
if err := org.GetTeams(); err != nil { ctx.Data["Teams"] = org.Teams // already loaded by middleware
ctx.Handle(500, "GetTeams", err)
return
}
ctx.Data["Teams"] = org.Teams
ctx.HTML(200, ORG_HOME) ctx.HTML(200, ORG_HOME)
} }
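Review bot: The new local `userId` breaks Go's initialism convention and the `userID` spelling used by the models code in this same commit; rename it to `userID := ctx.User.Id`. The comment `// already loaded by middleware` should also state that `org.Teams` now holds only the teams the current user has joined (populated by `HandleOrgAssignment` when `ctx.Org.IsMember`), since replacing the removed `org.GetTeams()` call changes what the profile page lists. showOrgProfile starts outside the hunk.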