Merge pull request #339 from keboola/upstream/department-ownership

Fix repository ownership model for organization imports

Author: 239573049

src/OpenDeepWiki.EFCore/MasterDbContext.cs

@@ -108,7 +108,7 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
             .HasForeignKey(department => department.ParentId);
 
         modelBuilder.Entity<Repository>()
-            .HasIndex(repository => new { repository.OwnerUserId, repository.OrgName, repository.RepoName })
+            .HasIndex(repository => new { repository.OrgName, repository.RepoName })
             .IsUnique();
 
         modelBuilder.Entity<RepositoryBranch>()

src/OpenDeepWiki.Entities/Repositories/Repository.cs

@@ -111,6 +111,12 @@ public class Repository : AggregateRoot<string>
     /// </summary>
     public DateTime? LastUpdateCheckAt { get; set; }
 
+    /// <summary>
+    /// Whether this repository is owned by a department (org import) rather than an individual user.
+    /// When true, the repo appears in Organization view only, not in the importing user's "My Repos".
+    /// </summary>
+    public bool IsDepartmentOwned { get; set; } = false;
+
     /// <summary>
     /// 所属用户导航属性
     /// </summary>

src/OpenDeepWiki/Services/Admin/AdminGitHubImportService.cs

@@ -250,7 +250,8 @@ public async Task<BatchImportResult> BatchImportAsync(
                 Status = RepositoryStatus.Pending,
                 PrimaryLanguage = repo.Language,
                 StarCount = repo.StargazersCount,
-                ForkCount = repo.ForksCount
+                ForkCount = repo.ForksCount,
+                IsDepartmentOwned = true
             };
 
             _context.Repositories.Add(repoEntity);

src/OpenDeepWiki/Services/GitHub/UserGitHubImportService.cs

@@ -154,6 +154,9 @@ public async Task<BatchImportResult> ImportAsync(
             }
 
             // Create Repository entity
+            // When importing into a department, mark as department-owned so it appears
+            // in Organization view only, not in the importing user's "My Repos".
+            var isDeptImport = !string.IsNullOrEmpty(request.DepartmentId);
             var repoEntity = new Repository
             {
                 Id = Guid.NewGuid().ToString(),
@@ -165,7 +168,8 @@ public async Task<BatchImportResult> ImportAsync(
                 Status = RepositoryStatus.Pending,
                 PrimaryLanguage = repo.Language,
                 StarCount = repo.StargazersCount,
-                ForkCount = repo.ForksCount
+                ForkCount = repo.ForksCount,
+                IsDepartmentOwned = isDeptImport
             };
 
             _context.Repositories.Add(repoEntity);

src/OpenDeepWiki/Services/Repositories/RepositoryService.cs

@@ -1,15 +1,18 @@
+using System.Security.Claims;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using OpenDeepWiki.EFCore;
 using OpenDeepWiki.Entities;
 using OpenDeepWiki.Models;
 using OpenDeepWiki.Services.Auth;
+using OpenDeepWiki.Services.GitHub;
+using OpenDeepWiki.Services.Organizations;
 
 namespace OpenDeepWiki.Services.Repositories;
 
 [MiniApi(Route = "/api/v1/repositories")]
 [Tags("仓库")]
-public class RepositoryService(IContext context, IGitPlatformService gitPlatformService, IUserContext userContext)
+public class RepositoryService(IContext context, IGitPlatformService gitPlatformService, IUserContext userContext, IGitHubAppService gitHubAppService, IOrganizationService organizationService)
 {
     [HttpPost("/submit")]
     public async Task<Repository> SubmitAsync([FromBody] RepositorySubmitRequest request)
@@ -147,7 +150,7 @@ public async Task<RepositoryListResponse> GetListAsync(
 
         if (!string.IsNullOrWhiteSpace(ownerId))
         {
-            query = query.Where(r => r.OwnerUserId == ownerId);
+            query = query.Where(r => r.OwnerUserId == ownerId && !r.IsDepartmentOwned);
         }
 
         if (status.HasValue)
@@ -263,13 +266,31 @@ public async Task<IResult> UpdateVisibilityAsync([FromBody] UpdateVisibilityRequ
             // 验证所有权
             if (repository.OwnerUserId != currentUserId)
             {
-                return Results.Json(new UpdateVisibilityResponse
+                // Allow admin to manage department-owned repos in their departments
+                var allowed = false;
+                if (repository.IsDepartmentOwned)
                 {
-                    Id = request.RepositoryId,
-                    IsPublic = repository.IsPublic,
-                    Success = false,
-                    ErrorMessage = "无权限修改此仓库"
-                }, statusCode: StatusCodes.Status403Forbidden);
+                    var isAdmin = userContext.User?.IsInRole("Admin") == true;
+                    if (isAdmin)
+                    {
+                        var deptRepos = await organizationService.GetDepartmentRepositoriesAsync(currentUserId, includeRestricted: true);
+                        if (deptRepos.Any(r => r.RepositoryId == repository.Id))
+                        {
+                            allowed = true;
+                        }
+                    }
+                }
+
+                if (!allowed)
+                {
+                    return Results.Json(new UpdateVisibilityResponse
+                    {
+                        Id = request.RepositoryId,
+                        IsPublic = repository.IsPublic,
+                        Success = false,
+                        ErrorMessage = "无权限修改此仓库"
+                    }, statusCode: StatusCodes.Status403Forbidden);
+                }
             }
 
             // 无密码仓库不能设为私有
@@ -356,11 +377,29 @@ public async Task<RegenerateResponse> RegenerateAsync([FromBody] RegenerateReque
         // 验证所有权
         if (repository.OwnerUserId != currentUserId)
         {
-            return new RegenerateResponse
+            // Allow admin to manage department-owned repos in their departments
+            var allowed = false;
+            if (repository.IsDepartmentOwned)
             {
-                Success = false,
-                ErrorMessage = "无权限操作此仓库"
-            };
+                var isAdmin = userContext.User?.IsInRole("Admin") == true;
+                if (isAdmin)
+                {
+                    var deptRepos = await organizationService.GetDepartmentRepositoriesAsync(currentUserId, includeRestricted: true);
+                    if (deptRepos.Any(r => r.RepositoryId == repository.Id))
+                    {
+                        allowed = true;
+                    }
+                }
+            }
+
+            if (!allowed)
+            {
+                return new RegenerateResponse
+                {
+                    Success = false,
+                    ErrorMessage = "无权限操作此仓库"
+                };
+            }
         }
 
         // 只有失败或完成状态才能重新生成

web/app/(main)/private/github-import/page.tsx

@@ -135,9 +135,17 @@ export default function UserGitHubImportPage() {
               <GitHubRepoBrowser
                 installation={selectedInstallation}
                 fetchRepos={getUserInstallationRepos}
-                departments={departments.map(d => ({ id: d.id, name: d.name }))}
+                departments={
+                  // When installation is linked to a department, only offer that department
+                  // (org imports always go to the org, no "Personal only" option)
+                  selectedInstallation.departmentId
+                    ? departments
+                        .filter(d => d.id === selectedInstallation.departmentId)
+                        .map(d => ({ id: d.id, name: d.name }))
+                    : departments.map(d => ({ id: d.id, name: d.name }))
+                }
                 onImport={handleImport}
-                showPersonalOption={true}
+                showPersonalOption={!selectedInstallation.departmentId}
               />
             )}