From 587ac0f1533ced870612bef3be918218229f1c4c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 11:57:36 +0800
Subject: [PATCH 01/60] Team permission allow different unit has different
 permission

---
 models/migrations/migrations.go |  2 ++
 models/migrations/v205.go       | 30 +++++++++++++++++++
 models/org_team.go              | 22 +++++++++++---
 models/repo_permission.go       |  7 +++--
 templates/org/team/new.tmpl     | 51 ++++++++++++++++++++++++---------
 5 files changed, 91 insertions(+), 21 deletions(-)
 create mode 100644 models/migrations/v205.go

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index cc72ba99abf41..aed9fc7131a4c 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -363,6 +363,8 @@ var migrations = []Migration{
 	NewMigration("Add Sorting to ProjectIssue table", addProjectIssueSorting),
 	// v204 -> v205
 	NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified),
+	// v205 -> v206
+	NewMigration("Add column authorize column for team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/migrations/v205.go b/models/migrations/v205.go
new file mode 100644
index 0000000000000..3449bebbdf475
--- /dev/null
+++ b/models/migrations/v205.go
@@ -0,0 +1,30 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"xorm.io/xorm"
+)
+
+func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
+	type TeamUnit struct {
+		ID        int64 `xorm:"pk autoincr"`
+		OrgID     int64 `xorm:"INDEX"`
+		TeamID    int64 `xorm:"UNIQUE(s)"`
+		Type      int   `xorm:"UNIQUE(s)"`
+		Authorize int
+	}
+
+	if err := x.Sync2(new(TeamUnit)); err != nil {
+		return fmt.Errorf("sync2: %v", err)
+	}
+
+	// migrate old permission
+	_, err := x.Exec("UPDATE team_unit SET authorize = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
+	return err
+
+}
diff --git a/models/org_team.go b/models/org_team.go
index 7eac0f7bc52fe..ce270ca19942b 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -454,6 +454,19 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 	return t.unitEnabled(db.GetEngine(db.DefaultContext), tp)
 }
 
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+	if err := t.getUnits(e); err != nil {
+		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
+	}
+
+	for _, unit := range t.Units {
+		if unit.Type == tp {
+			return unit.Authorize
+		}
+	}
+	return AccessModeNone
+}
+
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
@@ -1033,10 +1046,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
 
 // TeamUnit describes all units of a repository
 type TeamUnit struct {
-	ID     int64     `xorm:"pk autoincr"`
-	OrgID  int64     `xorm:"INDEX"`
-	TeamID int64     `xorm:"UNIQUE(s)"`
-	Type   unit.Type `xorm:"UNIQUE(s)"`
+	ID        int64     `xorm:"pk autoincr"`
+	OrgID     int64     `xorm:"INDEX"`
+	TeamID    int64     `xorm:"UNIQUE(s)"`
+	Type      unit.Type `xorm:"UNIQUE(s)"`
+	Authorize AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 40b63aa804313..5bef6139913b6 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -249,10 +249,11 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 	for _, u := range repo.Units {
 		var found bool
 		for _, team := range teams {
-			if team.unitEnabled(e, u.Type) {
+			teamMode := team.unitAccessMode(e, u.Type)
+			if teamMode > AccessModeNone {
 				m := perm.UnitsMode[u.Type]
-				if m < team.Authorize {
-					perm.UnitsMode[u.Type] = team.Authorize
+				if m < teamMode {
+					perm.UnitsMode[u.Type] = teamMode
 				}
 				found = true
 			}
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 783e025ebdc08..000befe88cef9 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -81,21 +81,44 @@
 							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<br>
-								{{range $t, $unit := $.Units}}
-								{{if $unit.Type.UnitGlobalDisabled}}
-								<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-								{{else}}
-								<div class="field">
-								{{end}}
-									<div class="ui toggle checkbox">
-										<input type="checkbox" class="hidden" name="units" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-										<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-										<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
-									</div>
-								</div>
-								{{end}}
+								<table class="ui celled table">
+									<thead>
+										<tr><th>Unit</th><th>{{.i18n.Tr "org.teams.none_access"}}</th><th>{{.i18n.Tr "org.teams.read_access"}}</th><th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+									</thead>
+									<tbody>
+										{{range $t, $unit := $.Units}}
+										<tr><td>
+										{{if $unit.Type.UnitGlobalDisabled}}
+										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+										{{else}}
+										<div class="field">
+										{{end}}
+											<div class="ui">
+												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											</div>
+										</div>
+										</td>
+										<td>
+
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										{{end}}
+									</tbody>
+								</table>
 							</div>
-							<div class="ui divider"></div>
 						{{end}}
 
 						<div class="field">

From eb8237f923880a231c9415ff7a55b3bae3d38e53 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 17:18:02 +0800
Subject: [PATCH 02/60] Finish the interface and the logic

---
 models/org_team.go              | 17 +++++---
 options/locale/locale_en-US.ini |  5 +++
 routers/web/org/teams.go        | 47 ++++++++++++++++-----
 services/forms/org.go           |  2 -
 templates/org/team/new.tmpl     | 74 ++++++++++++++++-----------------
 5 files changed, 87 insertions(+), 58 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index ce270ca19942b..4ced8ba65168f 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -454,30 +454,35 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 	return t.unitEnabled(db.GetEngine(db.DefaultContext), tp)
 }
 
-func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return unit.Authorize
+			return true
 		}
 	}
-	return AccessModeNone
+	return false
 }
 
-func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
+// UnitAccessMode returns if the team has the given unit type enabled
+func (t *Team) UnitAccessMode(tp unit.Type) AccessMode {
+	return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp)
+}
+
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return true
+			return unit.Authorize
 		}
 	}
-	return false
+	return AccessModeNone
 }
 
 // IsUsableTeamName tests if a name could be as team name
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 9164d5ffdceda..4b12b8e980e82 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,6 +2261,10 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
+teams.none_access = None
+teams.none_access_helper = Members can view or do any other action on this unit.
+teams.general_access = General Access
+teams.general_access_helper = Members permissions will be decided by below permission table.
 teams.read_access = Read Access
 teams.read_access_helper = Members can view and clone team repositories.
 teams.write_access = Write Access
@@ -2892,5 +2896,6 @@ error.probable_bad_signature = "WARNING! Although there is a key with this ID in
 error.probable_bad_default_signature = "WARNING! Although the default key has this ID it does not verify this commit! This commit is SUSPICIOUS."
 
 [units]
+unit = Unit
 error.no_unit_allowed_repo = You are not allowed to access any section of this repository.
 error.unit_not_allowed = You are not allowed to access this repository section.
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 40fba5cd09a4f..9cf2d85633395 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -9,11 +9,13 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@@ -232,6 +234,16 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgTeamsNew"] = true
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
+	var unitPerms = make(map[unit.Type]models.AccessMode)
+	for k, v := range ctx.Req.Form {
+		if strings.HasPrefix(k, "unit_") {
+			t, _ := strconv.Atoi(k[5:])
+			if t > 0 {
+				vv, _ := strconv.Atoi(v[0])
+				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+			}
+		}
+	}
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
@@ -243,11 +255,12 @@ func NewTeamPost(ctx *context.Context) {
 	}
 
 	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+		var units = make([]*models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
+				OrgID:     ctx.Org.Organization.ID,
+				Type:      tp,
+				Authorize: perm,
 			})
 		}
 		t.Units = units
@@ -260,7 +273,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@@ -322,6 +335,17 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
+	var unitPerms = make(map[unit.Type]models.AccessMode)
+	for k, v := range ctx.Req.Form {
+		if strings.HasPrefix(k, "unit_") {
+			t, _ := strconv.Atoi(k[5:])
+			if t > 0 {
+				vv, _ := strconv.Atoi(v[0])
+				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+			}
+		}
+	}
+
 	isAuthChanged := false
 	isIncludeAllChanged := false
 	var includesAllRepositories = form.RepoAccess == "all"
@@ -342,12 +366,13 @@ func EditTeamPost(ctx *context.Context) {
 	}
 	t.Description = form.Description
 	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+		var units = make([]models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
-				OrgID:  t.OrgID,
-				TeamID: t.ID,
-				Type:   tp,
+				OrgID:     t.OrgID,
+				TeamID:    t.ID,
+				Type:      tp,
+				Authorize: perm,
 			})
 		}
 		err := models.UpdateTeamUnits(t, units)
@@ -363,7 +388,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
diff --git a/services/forms/org.go b/services/forms/org.go
index 7c8f17f95ee60..dec2dbfa6555a 100644
--- a/services/forms/org.go
+++ b/services/forms/org.go
@@ -8,7 +8,6 @@ package forms
 import (
 	"net/http"
 
-	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/web/middleware"
@@ -66,7 +65,6 @@ type CreateTeamForm struct {
 	TeamName         string `binding:"Required;AlphaDashDot;MaxSize(30)"`
 	Description      string `binding:"MaxSize(255)"`
 	Permission       string
-	Units            []unit.Type
 	RepoAccess       string
 	CanCreateOrgRepo bool
 }
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 000befe88cef9..559ff7f3596a6 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -56,16 +56,9 @@
 								<br>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="read" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1)}}checked{{end}}>
-										<label>{{.i18n.Tr "org.teams.read_access"}}</label>
-										<span class="help">{{.i18n.Tr "org.teams.read_access_helper"}}</span>
-									</div>
-								</div>
-								<div class="field">
-									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="write" {{if eq .Team.Authorize 2}}checked{{end}}>
-										<label>{{.i18n.Tr "org.teams.write_access"}}</label>
-										<span class="help">{{.i18n.Tr "org.teams.write_access_helper"}}</span>
+										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.Authorize}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1) (eq .Team.Authorize 2)}}checked{{end}}>
+										<label>{{.i18n.Tr "org.teams.general_access"}}</label>
+										<span class="help">{{.i18n.Tr "org.teams.general_access_helper"}}</span>
 									</div>
 								</div>
 								<div class="field">
@@ -80,41 +73,44 @@
 
 							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-								<br>
 								<table class="ui celled table">
 									<thead>
-										<tr><th>Unit</th><th>{{.i18n.Tr "org.teams.none_access"}}</th><th>{{.i18n.Tr "org.teams.read_access"}}</th><th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+										<tr><th>{{.i18n.Tr "units.unit"}}</th>
+										<th><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+										<th>{{.i18n.Tr "org.teams.read_access"}}</th>
+										<th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-										<tr><td>
-										{{if $unit.Type.UnitGlobalDisabled}}
-										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-										{{else}}
-										<div class="field">
-										{{end}}
-											<div class="ui">
-												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
-											</div>
-										</div>
-										</td>
-										<td>
-
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-											</div>
-										</td>
-										<td>
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-											</div>
-										</td>
-										<td>
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+										<tr>
+											<td>
+											{{if $unit.Type.UnitGlobalDisabled}}
+											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+											{{else}}
+											<div class="field">
+											{{end}}
+												<div class="ui">
+													<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+												</div>
 											</div>
-										</td>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+												</div>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+												</div>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+												</div>
+											</td>
+										</tr>
 										{{end}}
 									</tbody>
 								</table>

From 35ae85a743f84a7b70a9f83b36f7bbe8f50a37df Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:08:20 +0800
Subject: [PATCH 03/60] Fix lint

---
 routers/web/org/teams.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 9cf2d85633395..d9a686d5c7621 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -15,7 +15,6 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
-	"code.gitea.io/gitea/models/unit"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@@ -234,13 +233,13 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgTeamsNew"] = true
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
-	var unitPerms = make(map[unit.Type]models.AccessMode)
+	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
 	for k, v := range ctx.Req.Form {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
 				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
 			}
 		}
 	}
@@ -335,13 +334,13 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	var unitPerms = make(map[unit.Type]models.AccessMode)
+	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
 	for k, v := range ctx.Req.Form {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
 				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
 			}
 		}
 	}

From b4ea024f58ca522b1df562f01013b330438b7bf0 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:09:28 +0800
Subject: [PATCH 04/60] Fix translation

---
 options/locale/locale_en-US.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 4b12b8e980e82..499d8a46caceb 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,7 +2261,7 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
-teams.none_access = None
+teams.none_access = None Access
 teams.none_access_helper = Members can view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.

From fbcb9d57a9eea745c3bc37df8553754e05ab79a2 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:21:28 +0800
Subject: [PATCH 05/60] align center for table cell content

---
 templates/org/team/new.tmpl | 70 ++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 559ff7f3596a6..d9dbb7f8d5ec5 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -71,19 +71,19 @@
 							</div>
 							<div class="ui divider"></div>
 
-							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
-								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-								<table class="ui celled table">
-									<thead>
-										<tr><th>{{.i18n.Tr "units.unit"}}</th>
-										<th><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-										<th>{{.i18n.Tr "org.teams.read_access"}}</th>
-										<th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
-									</thead>
-									<tbody>
-										{{range $t, $unit := $.Units}}
-										<tr>
-											<td>
+						<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+							<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
+							<table class="ui celled table">
+								<thead>
+									<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+									<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+									<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
+									<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+								</thead>
+								<tbody>
+									{{range $t, $unit := $.Units}}
+									<tr>
+										<td>
 											{{if $unit.Type.UnitGlobalDisabled}}
 											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
 											{{else}}
@@ -94,28 +94,28 @@
 													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
 												</div>
 											</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-												</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-												</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-												</div>
-											</td>
-										</tr>
-										{{end}}
-									</tbody>
-								</table>
-							</div>
-						{{end}}
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+											</div>
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+											</div>
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+											</div>
+										</td>
+									</tr>
+									{{end}}
+								</tbody>
+							</table>
+						</div>
+					{{end}}
 
 						<div class="field">
 							{{if .PageIsOrgTeamsNew}}

From deb19013ec7c7385253bfeff454249fc82d57f9d Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:24:59 +0800
Subject: [PATCH 06/60] Fix fixture

---
 models/fixtures/team_unit.yml | 47 ++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml
index 943745c000f9b..1d7be8d5d5935 100644
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@@ -2,223 +2,268 @@
   id: 1
   team_id: 1
   type: 1
+  authorize: 4
 
 -
   id: 2
   team_id: 1
   type: 2
+  authorize: 4
 
 -
   id: 3
   team_id: 1
   type: 3
+  authorize: 4
 
 -
   id: 4
   team_id: 1
   type: 4
+  authorize: 4
 
 -
   id: 5
   team_id: 1
   type: 5
+  authorize: 4
 
 -
   id: 6
   team_id: 1
   type: 6
+  authorize: 4
 
 -
   id: 7
   team_id: 1
   type: 7
+  authorize: 4
 
 -
   id: 8
   team_id: 2
   type: 1
+  authorize: 2
 
 -
   id: 9
   team_id: 2
   type: 2
+  authorize: 2
 
 -
   id: 10
   team_id: 2
   type: 3
+  authorize: 2
 
 -
   id: 11
   team_id: 2
   type: 4
+  authorize: 2
 
 -
   id: 12
   team_id: 2
   type: 5
+  authorize: 2
 
 -
   id: 13
   team_id: 2
   type: 6
+  authorize: 2
 
 -
   id: 14
   team_id: 2
   type: 7
+  authorize: 2
 
 -
   id: 15
   team_id: 3
   type: 1
+  authorize: 4
 
 -
   id: 16
   team_id: 3
   type: 2
+  authorize: 4
 
 -
   id: 17
   team_id: 3
   type: 3
+  authorize: 4
 
 -
   id: 18
   team_id: 3
   type: 4
+  authorize: 4
 
 -
   id: 19
   team_id: 3
   type: 5
+  authorize: 4
 
 -
   id: 20
   team_id: 3
   type: 6
+  authorize: 4
 
 -
   id: 21
   team_id: 3
   type: 7
+  authorize: 4
 
 -
   id: 22
   team_id: 4
   type: 1
+  authorize: 4
 
 -
   id: 23
   team_id: 4
   type: 2
+  authorize: 4
 
 -
   id: 24
   team_id: 4
   type: 3
+  authorize: 4
 
 -
   id: 25
   team_id: 4
   type: 4
+  authorize: 4
 
 -
   id: 26
   team_id: 4
   type: 5
+  authorize: 4
 
 -
   id: 27
   team_id: 4
   type: 6
+  authorize: 4
 
 -
   id: 28
   team_id: 4
   type: 7
+  authorize: 4
 
 -
   id: 29
   team_id: 5
   type: 1
+  authorize: 4
 
 -
   id: 30
   team_id: 5
   type: 2
+  authorize: 4
 
 -
   id: 31
   team_id: 5
   type: 3
+  authorize: 4
 
 -
   id: 32
   team_id: 5
   type: 4
+  authorize: 4
 
 -
   id: 33
   team_id: 5
   type: 5
+  authorize: 4
 
 -
   id: 34
   team_id: 5
   type: 6
+  authorize: 4
 
 -
   id: 35
   team_id: 5
   type: 7
+  authorize: 4
 
 -
   id: 36
   team_id: 6
   type: 1
+  authorize: 4
 
 -
   id: 37
   team_id: 6
   type: 2
+  authorize: 4
 
 -
   id: 38
   team_id: 6
   type: 3
+  authorize: 4
 
 -
   id: 39
   team_id: 6
   type: 4
+  authorize: 4
 
 -
   id: 40
   team_id: 6
   type: 5
+  authorize: 4
 
 -
   id: 41
   team_id: 6
   type: 6
+  authorize: 4
 
 -
   id: 42
   team_id: 6
   type: 7
+  authorize: 4
 
 -
   id: 43
   team_id: 7
   type: 2 # issues
+  authorize: 2
 
 -
   id: 44
   team_id: 8
   type: 2 # issues
+  authorize: 2
 
 -
   id: 45
   team_id: 9
-  type: 1 # code
\ No newline at end of file
+  type: 1 # code
+  authorize: 1
\ No newline at end of file

From 1819e25b651a6e77344c733b6a2e20c8e29dbe88 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 22:45:06 +0800
Subject: [PATCH 07/60] merge

---
 templates/org/team/new.tmpl | 88 ++++++++++++++++++-------------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index d9dbb7f8d5ec5..dd682cb09001c 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -71,51 +71,51 @@
 							</div>
 							<div class="ui divider"></div>
 
-						<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
-							<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-							<table class="ui celled table">
-								<thead>
-									<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
-									<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-									<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
-									<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
-								</thead>
-								<tbody>
-									{{range $t, $unit := $.Units}}
-									<tr>
-										<td>
-											{{if $unit.Type.UnitGlobalDisabled}}
-											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-											{{else}}
-											<div class="field">
-											{{end}}
-												<div class="ui">
-													<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
+								<table class="ui celled table">
+									<thead>
+										<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+										<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+										<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
+										<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+									</thead>
+									<tbody>
+										{{range $t, $unit := $.Units}}
+										<tr>
+											<td>
+												{{if $unit.Type.UnitGlobalDisabled}}
+												<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+												{{else}}
+												<div class="field">
+												{{end}}
+													<div class="ui">
+														<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+														<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+													</div>
 												</div>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-											</div>
-										</td>
-									</tr>
-									{{end}}
-								</tbody>
-							</table>
-						</div>
-					{{end}}
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+												</div>
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+												</div>
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+												</div>
+											</td>
+										</tr>
+										{{end}}
+									</tbody>
+								</table>
+							</div>
+						{{end}}
 
 						<div class="field">
 							{{if .PageIsOrgTeamsNew}}

From 89197aa8140341b5f541ee590b2c346b9971fcb8 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 12:10:57 +0800
Subject: [PATCH 08/60] Fix test

---
 models/migrations/migrations.go |  2 +-
 models/unit/unit.go             | 34 +++++++++++++++------
 modules/structs/org_team.go     | 18 +++++++----
 options/locale/locale_en-US.ini |  4 +--
 routers/api/v1/org/team.go      | 54 +++++++++++++++++++++------------
 routers/web/org/teams.go        | 34 +++++++++------------
 6 files changed, 90 insertions(+), 56 deletions(-)

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index aed9fc7131a4c..29a1feab08f52 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -364,7 +364,7 @@ var migrations = []Migration{
 	// v204 -> v205
 	NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified),
 	// v205 -> v206
-	NewMigration("Add column authorize column for team_unit table", addAuthorizeColForTeamUnit),
+	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 0af4640b7a4b4..79a37254d6a78 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -17,14 +17,15 @@ type Type int
 
 // Enumerate all the unit types
 const (
-	TypeCode            Type = iota + 1 // 1 code
-	TypeIssues                          // 2 issues
-	TypePullRequests                    // 3 PRs
-	TypeReleases                        // 4 Releases
-	TypeWiki                            // 5 Wiki
-	TypeExternalWiki                    // 6 ExternalWiki
-	TypeExternalTracker                 // 7 ExternalTracker
-	TypeProjects                        // 8 Kanban board
+	TypeInvalid         Type = iota // 0 invalid
+	TypeCode                        // 1 code
+	TypeIssues                      // 2 issues
+	TypePullRequests                // 3 PRs
+	TypeReleases                    // 4 Releases
+	TypeWiki                        // 5 Wiki
+	TypeExternalWiki                // 6 ExternalWiki
+	TypeExternalTracker             // 7 ExternalTracker
+	TypeProjects                    // 8 Kanban board
 )
 
 // Value returns integer value for unit type
@@ -269,15 +270,30 @@ var (
 	}
 )
 
-// FindUnitTypes give the unit key name and return unit
+// FindUnitTypes give the unit key names and return unit
 func FindUnitTypes(nameKeys ...string) (res []Type) {
 	for _, key := range nameKeys {
+		var found bool
 		for t, u := range Units {
 			if strings.EqualFold(key, u.NameKey) {
 				res = append(res, t)
+				found = true
 				break
 			}
 		}
+		if !found {
+			res = append(res, TypeInvalid)
+		}
 	}
 	return
 }
+
+// UnitTypeFromKey give the unit key name and return unit
+func UnitTypeFromKey(nameKey string) Type {
+	for t, u := range Units {
+		if strings.EqualFold(nameKey, u.NameKey) {
+			return t
+		}
+	}
+	return TypeInvalid
+}
diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index 3b2c5e78391e0..9b5ea91105946 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -15,8 +15,10 @@ type Team struct {
 	// enum: none,read,write,admin,owner
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo bool              `json:"can_create_org_repo"`
 }
 
 // CreateTeamOption options for creating a team
@@ -28,8 +30,10 @@ type CreateTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo bool              `json:"can_create_org_repo"`
 }
 
 // EditTeamOption options for editing a team
@@ -41,6 +45,8 @@ type EditTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo *bool    `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo *bool             `json:"can_create_org_repo"`
 }
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 499d8a46caceb..064d9ddbbe601 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,8 +2261,8 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
-teams.none_access = None Access
-teams.none_access_helper = Members can view or do any other action on this unit.
+teams.none_access = No Access
+teams.none_access_helper = Members cannot view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.
 teams.read_access = Read Access
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index d39125b0500e3..a8be3a9ae2046 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -6,6 +6,7 @@
 package org
 
 import (
+	"errors"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -141,6 +142,29 @@ func GetTeam(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, convert.ToTeam(ctx.Org.Team))
 }
 
+func attachTeamUnits(team *models.Team, units []string) {
+	unitTypes := unit_model.FindUnitTypes(units...)
+	team.Units = make([]*models.TeamUnit, 0, len(units))
+	for _, tp := range unitTypes {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:     team.OrgID,
+			Type:      tp,
+			Authorize: team.Authorize,
+		})
+	}
+}
+
+func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
+	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
+	for unitKey, perm := range unitsMap {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:     team.OrgID,
+			Type:      unit_model.UnitTypeFromKey(unitKey),
+			Authorize: perm.ParseAccessMode(perm),
+		})
+	}
+}
+
 // CreateTeam api for create a team
 func CreateTeam(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/teams organization orgCreateTeam
@@ -175,17 +199,15 @@ func CreateTeam(ctx *context.APIContext) {
 		Authorize:               perm.ParseAccessMode(form.Permission),
 	}
 
-	unitTypes := unit_model.FindUnitTypes(form.Units...)
-
 	if team.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range unitTypes {
-			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
-			})
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "getTeamUnits", errors.New("units permission should not be empty"))
+			return
 		}
-		team.Units = units
 	}
 
 	if err := models.NewTeam(team); err != nil {
@@ -261,16 +283,10 @@ func EditTeam(ctx *context.APIContext) {
 	}
 
 	if team.Authorize < perm.AccessModeOwner {
-		if len(form.Units) > 0 {
-			var units = make([]*models.TeamUnit, 0, len(form.Units))
-			unitTypes := unit_model.FindUnitTypes(form.Units...)
-			for _, tp := range unitTypes {
-				units = append(units, &models.TeamUnit{
-					OrgID: ctx.Org.Team.OrgID,
-					Type:  tp,
-				})
-			}
-			team.Units = units
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
 		}
 	}
 
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index d9a686d5c7621..9153fb0138f31 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -225,16 +225,9 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }
 
-// NewTeamPost response for create new team
-func NewTeamPost(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.CreateTeamForm)
-	ctx.Data["Title"] = ctx.Org.Organization.FullName
-	ctx.Data["PageIsOrgTeams"] = true
-	ctx.Data["PageIsOrgTeamsNew"] = true
-	ctx.Data["Units"] = unit_model.Units
-	var includesAllRepositories = form.RepoAccess == "all"
+func getUnitPerms(forms url.Values) map[unit_model.Type]perm.AccessMode {
 	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
-	for k, v := range ctx.Req.Form {
+	for k, v := range forms {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
@@ -243,6 +236,18 @@ func NewTeamPost(ctx *context.Context) {
 			}
 		}
 	}
+	return unitPerms
+}
+
+// NewTeamPost response for create new team
+func NewTeamPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.CreateTeamForm)
+	ctx.Data["Title"] = ctx.Org.Organization.FullName
+	ctx.Data["PageIsOrgTeams"] = true
+	ctx.Data["PageIsOrgTeamsNew"] = true
+	ctx.Data["Units"] = unit_model.Units
+	var includesAllRepositories = form.RepoAccess == "all"
+	var unitPerms = getUnitPerms(ctx.Req.Form)
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
@@ -334,16 +339,7 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
-	for k, v := range ctx.Req.Form {
-		if strings.HasPrefix(k, "unit_") {
-			t, _ := strconv.Atoi(k[5:])
-			if t > 0 {
-				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
-			}
-		}
-	}
+	var unitPerms = getUnitPerms(ctx.Req.Form)
 
 	isAuthChanged := false
 	isIncludeAllChanged := false

From f0ed083fcc111c8146a530e4d5058c0b0264e5dc Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 12:13:17 +0800
Subject: [PATCH 09/60] Add deprecated

---
 modules/structs/org_team.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index 9b5ea91105946..bf18b4fc4be15 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -30,6 +30,7 @@ type CreateTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`
@@ -45,6 +46,7 @@ type EditTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`

From 5e4f7510a469384434514e9bb9cf4a2d8f8a0d38 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 20:21:03 +0800
Subject: [PATCH 10/60] Improve code

---
 models/org_team.go         | 16 +---------------
 models/perm/access_mode.go | 16 ++++++++++++++++
 models/unit/unit.go        |  4 ++--
 routers/api/v1/org/team.go | 27 ++++++++++++++++++++++-----
 routers/web/org/teams.go   |  6 +++++-
 5 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index 4ced8ba65168f..d04885a2f0c95 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -151,11 +151,6 @@ func (t *Team) GetUnitNames() (res []string) {
 	return
 }
 
-// HasWriteAccess returns true if team has at least write level access mode.
-func (t *Team) HasWriteAccess() bool {
-	return t.Authorize >= perm.AccessModeWrite
-}
-
 // IsOwnerTeam returns true if team is owner team.
 func (t *Team) IsOwnerTeam() bool {
 	return t.Name == ownerTeamName
@@ -455,16 +450,7 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 }
 
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
-	if err := t.getUnits(e); err != nil {
-		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
-	}
-
-	for _, unit := range t.Units {
-		if unit.Type == tp {
-			return true
-		}
-	}
-	return false
+	return t.unitAccessMode(e, tp) > AccessModeNone
 }
 
 // UnitAccessMode returns if the team has the given unit type enabled
diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index f2c0a322a085f..fe14b7b4460b2 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -7,6 +7,7 @@ package perm
 import (
 	"fmt"
 
+	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/log"
 )
 
@@ -59,3 +60,18 @@ func ParseAccessMode(permission string) AccessMode {
 		return AccessModeRead
 	}
 }
+
+// MinUnitPerms returns the minial permission of the permission map
+func MinUnitPerms(unitsMap map[unit_model.Type]AccessMode) AccessMode {
+	var res = AccessModeNone
+	for _, mode := range unitsMap {
+		if mode > AccessModeNone {
+			if res == AccessModeNone {
+				res = mode
+			} else if mode < res {
+				res = mode
+			}
+		}
+	}
+	return res
+}
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 79a37254d6a78..d180b0165021c 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -288,8 +288,8 @@ func FindUnitTypes(nameKeys ...string) (res []Type) {
 	return
 }
 
-// UnitTypeFromKey give the unit key name and return unit
-func UnitTypeFromKey(nameKey string) Type {
+// TypeFromKey give the unit key name and return unit
+func TypeFromKey(nameKey string) Type {
 	for t, u := range Units {
 		if strings.EqualFold(nameKey, u.NameKey) {
 			return t
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index a8be3a9ae2046..4d9ff0cd7c44b 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -154,12 +154,20 @@ func attachTeamUnits(team *models.Team, units []string) {
 	}
 }
 
+func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]models.AccessMode {
+	var res = make(map[unit_model.Type]models.AccessMode, len(unitsMap))
+	for unitKey, perm := range unitsMap {
+		res[unit_model.TypeFromKey(unitKey)] = models.ParseAccessMode(perm)
+	}
+	return res
+}
+
 func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
 	for unitKey, perm := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:     team.OrgID,
-			Type:      unit_model.UnitTypeFromKey(unitKey),
+			Type:      unit_model.TypeFromKey(unitKey),
 			Authorize: perm.ParseAccessMode(perm),
 		})
 	}
@@ -190,13 +198,19 @@ func CreateTeam(ctx *context.APIContext) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
+
+	var p = perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeOwner {
+		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+	}
+
 	team := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.Name,
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		Authorize:               p,
 	}
 
 	if team.Authorize < perm.AccessModeOwner {
@@ -269,11 +283,14 @@ func EditTeam(ctx *context.APIContext) {
 	isIncludeAllChanged := false
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		var p = perm.ParseAccessMode(form.Permission)
+		if p < perm.AccessModeOwner {
+			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		}
 
-		if team.Authorize != auth {
+		if team.Authorize != p {
 			isAuthChanged = true
-			team.Authorize = auth
+			team.Authorize = p
 		}
 
 		if form.IncludesAllRepositories != nil {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 9153fb0138f31..7f4cf581f8730 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -248,12 +248,16 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
 	var unitPerms = getUnitPerms(ctx.Req.Form)
+	var p = perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeOwner {
+		p = perm.MinUnitPerms(unitPerms)
+	}
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		Authorize:               p,
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}

From c53ce3db6f68abb55bc0532ad68857781f1f6af5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 11:51:48 +0800
Subject: [PATCH 11/60] Add tooltip

---
 templates/org/team/new.tmpl | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index dd682cb09001c..a1fc9fde123d8 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -75,10 +75,17 @@
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<table class="ui celled table">
 									<thead>
-										<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
-										<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-										<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
-										<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+										<tr>
+											<th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.none_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.none_access_helper"}}"></i></th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.read_access_helper"}}"></i>
+											</th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.write_access_helper"}}"></i>
+											</th>
+										</tr>
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
@@ -97,7 +104,7 @@
 											</td>
 											<td class="center aligned">
 												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
 												</div>
 											</td>
 											<td class="center aligned">
@@ -107,7 +114,7 @@
 											</td>
 											<td class="center aligned">
 												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
 												</div>
 											</td>
 										</tr>

From 41b516da27427702ce44e8bd7eed16b0c3477101 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 12:05:16 +0800
Subject: [PATCH 12/60] Fix swagger

---
 templates/swagger/v1_json.tmpl | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 9438c41a29a66..83b1827ba7ab6 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -14049,6 +14049,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -14860,6 +14868,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -17453,6 +17469,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -18945,4 +18969,4 @@
       "TOTPHeader": []
     }
   ]
-}
+}
\ No newline at end of file

From fbe50f690d9566561a4c6d415c0bb30bd229cf03 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 12:10:41 +0800
Subject: [PATCH 13/60] Fix newline

---
 templates/swagger/v1_json.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 83b1827ba7ab6..50ea3463a6203 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -18969,4 +18969,4 @@
       "TOTPHeader": []
     }
   ]
-}
\ No newline at end of file
+}

From f81b33c8282bef02d66dbf2c5d9d5cc289bb5dd6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 22:14:01 +0800
Subject: [PATCH 14/60] Fix tests

---
 integrations/api_team_test.go | 104 ++++++++++++++++++++++++++++------
 integrations/org_test.go      |   4 +-
 models/issue.go               |   2 +-
 models/org_team.go            |  11 +++-
 models/perm/access_mode.go    |   4 +-
 models/repo_permission.go     |   2 +-
 modules/convert/convert.go    |   1 +
 routers/api/v1/org/team.go    |  17 ++++--
 routers/web/org/teams.go      |   6 +-
 9 files changed, 121 insertions(+), 30 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index da22d40479760..4962cbcd9df50 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -67,9 +67,9 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	teamID := apiTeam.ID
 
 	// Edit team.
@@ -87,9 +87,9 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 
 	// Edit team Description only
 	editDescription = "first team"
@@ -98,17 +98,80 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
+	assert.NoError(t, teamRead.GetUnits())
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames())
+		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+
+	panic("")
+	// Delete team.
+	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
+	session.MakeRequest(t, req, http.StatusNoContent)
+	unittest.AssertNotExistsBean(t, &models.Team{ID: teamID})
+
+	// create team again via UnitsMap
+	// Create team.
+	teamToCreate = &api.CreateTeamOption{
+		Name:                    "team2",
+		Description:             "team two",
+		IncludesAllRepositories: true,
+		Permission:              "write",
+		UnitsMap:                map[string]string{"repo.code": "read", "repo.issues": "write", "repo.wiki": "none"},
+	}
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
+	resp = session.MakeRequest(t, req, http.StatusCreated)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+	teamID = apiTeam.ID
+
+	// Edit team.
+	editDescription = "team 1"
+	editFalse = false
+	teamToEdit = &api.EditTeamOption{
+		Name:                    "teamtwo",
+		Description:             &editDescription,
+		Permission:              "write",
+		IncludesAllRepositories: &editFalse,
+		UnitsMap:                map[string]string{"repo.code": "read", "repo.pulls": "read", "repo.releases": "write"},
+	}
+
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+
+	// Edit team Description only
+	editDescription = "second team"
+	teamToEditDesc = api.EditTeamOption{Description: &editDescription}
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+
+	// Read team.
+	teamRead = unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
+		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
@@ -116,20 +179,27 @@ func TestAPITeam(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &models.Team{ID: teamID})
 }
 
-func checkTeamResponse(t *testing.T, apiTeam *api.Team, name, description string, includesAllRepositories bool, permission string, units []string) {
-	assert.Equal(t, name, apiTeam.Name, "name")
-	assert.Equal(t, description, apiTeam.Description, "description")
-	assert.Equal(t, includesAllRepositories, apiTeam.IncludesAllRepositories, "includesAllRepositories")
-	assert.Equal(t, permission, apiTeam.Permission, "permission")
-	sort.StringSlice(units).Sort()
-	sort.StringSlice(apiTeam.Units).Sort()
-	assert.EqualValues(t, units, apiTeam.Units, "units")
+func checkTeamResponse(t *testing.T, apiTeam *api.Team, name, description string, includesAllRepositories bool, permission string, units []string, unitsMap map[string]string) {
+	t.Run(name+description, func(t *testing.T) {
+		assert.Equal(t, name, apiTeam.Name, "name")
+		assert.Equal(t, description, apiTeam.Description, "description")
+		assert.Equal(t, includesAllRepositories, apiTeam.IncludesAllRepositories, "includesAllRepositories")
+		assert.Equal(t, permission, apiTeam.Permission, "permission")
+		if units != nil {
+			sort.StringSlice(units).Sort()
+			sort.StringSlice(apiTeam.Units).Sort()
+			assert.EqualValues(t, units, apiTeam.Units, "units")
+		}
+		if unitsMap != nil {
+			assert.EqualValues(t, unitsMap, apiTeam.UnitsMap, "unitsMap")
+		}
+	})
 }
 
-func checkTeamBean(t *testing.T, id int64, name, description string, includesAllRepositories bool, permission string, units []string) {
+func checkTeamBean(t *testing.T, id int64, name, description string, includesAllRepositories bool, permission string, units []string, unitsMap map[string]string) {
 	team := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: id}).(*models.Team)
 	assert.NoError(t, team.GetUnits(), "GetUnits")
-	checkTeamResponse(t, convert.ToTeam(team), name, description, includesAllRepositories, permission, units)
+	checkTeamResponse(t, convert.ToTeam(team), name, description, includesAllRepositories, permission, units, unitsMap)
 }
 
 type TeamSearchResults struct {
diff --git a/integrations/org_test.go b/integrations/org_test.go
index e94e4ea74c1c3..f5a6d5e4d92c4 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -156,9 +156,9 @@ func TestOrgRestrictedUser(t *testing.T) {
 	resp := adminSession.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	//teamID := apiTeam.ID
 
 	// Now we need to add the restricted user to the team
diff --git a/models/issue.go b/models/issue.go
index f0040fbbc1af4..33fe8e91f027d 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_
 				unittype = unit.TypePullRequests
 			}
 			for _, team := range teams {
-				if team.Authorize >= perm.AccessModeOwner {
+				if team.Authorize >= perm.AccessModeAdmin {
 					checked = append(checked, team.ID)
 					resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true
 					continue
diff --git a/models/org_team.go b/models/org_team.go
index d04885a2f0c95..13c892695cecf 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -151,6 +151,15 @@ func (t *Team) GetUnitNames() (res []string) {
 	return
 }
 
+// GetUnitsMap returns the team units permissions
+func (t *Team) GetUnitsMap() map[string]string {
+	var m = make(map[string]string)
+	for _, u := range t.Units {
+		m[u.Unit().NameKey] = u.Authorize.String()
+	}
+	return m
+}
+
 // IsOwnerTeam returns true if team is owner team.
 func (t *Team) IsOwnerTeam() bool {
 	return t.Name == ownerTeamName
@@ -665,7 +674,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) {
 			Delete(new(TeamUnit)); err != nil {
 			return err
 		}
-		if _, err = sess.Cols("org_id", "team_id", "type").Insert(&t.Units); err != nil {
+		if _, err = sess.Cols("org_id", "team_id", "type", "authorize").Insert(&t.Units); err != nil {
 			return err
 		}
 	}
diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index fe14b7b4460b2..1ad5f5d4b0140 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -52,12 +52,14 @@ func (mode AccessMode) ColorFormat(s fmt.State) {
 // ParseAccessMode returns corresponding access mode to given permission string.
 func ParseAccessMode(permission string) AccessMode {
 	switch permission {
+	case "read":
+		return AccessModeRead
 	case "write":
 		return AccessModeWrite
 	case "admin":
 		return AccessModeAdmin
 	default:
-		return AccessModeRead
+		return AccessModeNone
 	}
 }
 
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 5bef6139913b6..242ba96b0e167 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 
 	// if user in an owner team
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeOwner {
+		if team.Authorize >= perm_model.AccessModeAdmin {
 			perm.AccessMode = perm_model.AccessModeOwner
 			perm.UnitsMode = nil
 			return
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index f2b62a74bf7c9..2466e0dfd2960 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -308,6 +308,7 @@ func ToTeam(team *models.Team) *api.Team {
 		CanCreateOrgRepo:        team.CanCreateOrgRepo,
 		Permission:              team.Authorize.String(),
 		Units:                   team.GetUnitNames(),
+		UnitsMap:                team.GetUnitsMap(),
 	}
 }
 
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 4d9ff0cd7c44b..766215533caad 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -113,6 +113,10 @@ func ListUserTeams(ctx *context.APIContext) {
 			apiOrg = convert.ToOrganization(org)
 			cache[teams[i].OrgID] = apiOrg
 		}
+		if err := teams[i].GetUnits(); err != nil {
+			ctx.Error(http.StatusInternalServerError, "teams[i].GetUnits()", err)
+			return
+		}
 		apiTeams[i] = convert.ToTeam(teams[i])
 		apiTeams[i].Organization = apiOrg
 	}
@@ -139,6 +143,11 @@ func GetTeam(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/Team"
 
+	if err := ctx.Org.Team.GetUnits(); err != nil {
+		ctx.Error(http.StatusInternalServerError, "team.GetUnits", err)
+		return
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToTeam(ctx.Org.Team))
 }
 
@@ -200,7 +209,7 @@ func CreateTeam(ctx *context.APIContext) {
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
 
 	var p = perm.ParseAccessMode(form.Permission)
-	if p < perm.AccessModeOwner {
+	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 	}
 
@@ -213,7 +222,7 @@ func CreateTeam(ctx *context.APIContext) {
 		Authorize:               p,
 	}
 
-	if team.Authorize < perm.AccessModeOwner {
+	if team.Authorize < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
@@ -284,7 +293,7 @@ func EditTeam(ctx *context.APIContext) {
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
-		if p < perm.AccessModeOwner {
+		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 		}
 
@@ -299,7 +308,7 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}
 
-	if team.Authorize < perm.AccessModeOwner {
+	if team.Authorize < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 7f4cf581f8730..fc6f324073452 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -249,7 +249,7 @@ func NewTeamPost(ctx *context.Context) {
 	var includesAllRepositories = form.RepoAccess == "all"
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
-	if p < perm.AccessModeOwner {
+	if p < perm.AccessModeAdmin {
 		p = perm.MinUnitPerms(unitPerms)
 	}
 
@@ -262,7 +262,7 @@ func NewTeamPost(ctx *context.Context) {
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}
 
-	if t.Authorize < perm.AccessModeOwner {
+	if t.Authorize < perm.AccessModeAdmin {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
@@ -364,7 +364,7 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < perm.AccessModeOwner {
+	if t.Authorize < perm.AccessModeAdmin {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{

From 013573906bbf131370e508053344a99fb5539372 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 30 Nov 2021 20:13:50 +0800
Subject: [PATCH 15/60] Fix tests

---
 integrations/api_team_test.go |  1 -
 models/org_team.go            | 10 +++++-----
 models/repo_permission.go     |  2 +-
 routers/api/v1/org/team.go    | 12 ++++++------
 4 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 4962cbcd9df50..4691b5deb0653 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -111,7 +111,6 @@ func TestAPITeam(t *testing.T) {
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
-	panic("")
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
 	session.MakeRequest(t, req, http.StatusNoContent)
diff --git a/models/org_team.go b/models/org_team.go
index 13c892695cecf..7687b4edbc6f4 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -459,15 +459,15 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 }
 
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
-	return t.unitAccessMode(e, tp) > AccessModeNone
+	return t.unitAccessMode(e, tp) > perm.AccessModeNone
 }
 
 // UnitAccessMode returns if the team has the given unit type enabled
-func (t *Team) UnitAccessMode(tp unit.Type) AccessMode {
+func (t *Team) UnitAccessMode(tp unit.Type) perm.AccessMode {
 	return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp)
 }
 
-func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
@@ -477,7 +477,7 @@ func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
 			return unit.Authorize
 		}
 	}
-	return AccessModeNone
+	return perm.AccessModeNone
 }
 
 // IsUsableTeamName tests if a name could be as team name
@@ -1050,7 +1050,7 @@ type TeamUnit struct {
 	OrgID     int64     `xorm:"INDEX"`
 	TeamID    int64     `xorm:"UNIQUE(s)"`
 	Type      unit.Type `xorm:"UNIQUE(s)"`
-	Authorize AccessMode
+	Authorize perm.AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 242ba96b0e167..1eec972c11acd 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -250,7 +250,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 		var found bool
 		for _, team := range teams {
 			teamMode := team.unitAccessMode(e, u.Type)
-			if teamMode > AccessModeNone {
+			if teamMode > perm_model.AccessModeNone {
 				m := perm.UnitsMode[u.Type]
 				if m < teamMode {
 					perm.UnitsMode[u.Type] = teamMode
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 766215533caad..890b7a317cdb9 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -163,21 +163,21 @@ func attachTeamUnits(team *models.Team, units []string) {
 	}
 }
 
-func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]models.AccessMode {
-	var res = make(map[unit_model.Type]models.AccessMode, len(unitsMap))
-	for unitKey, perm := range unitsMap {
-		res[unit_model.TypeFromKey(unitKey)] = models.ParseAccessMode(perm)
+func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]perm.AccessMode {
+	var res = make(map[unit_model.Type]perm.AccessMode, len(unitsMap))
+	for unitKey, p := range unitsMap {
+		res[unit_model.TypeFromKey(unitKey)] = perm.ParseAccessMode(p)
 	}
 	return res
 }
 
 func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
-	for unitKey, perm := range unitsMap {
+	for unitKey, p := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:     team.OrgID,
 			Type:      unit_model.TypeFromKey(unitKey),
-			Authorize: perm.ParseAccessMode(perm),
+			Authorize: perm.ParseAccessMode(p),
 		})
 	}
 }

From 9d92b30d5c1f092e8557ffde7aaaa31c57b303f6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 1 Dec 2021 14:01:56 +0800
Subject: [PATCH 16/60] Fix test

---
 integrations/api_team_test.go | 30 ++++++++++++++++++++----------
 models/org_team.go            | 14 ++++++++++++--
 models/unit/unit.go           |  9 +++++++++
 3 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 4691b5deb0653..d9aafcf7665d4 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/convert"
@@ -65,6 +66,7 @@ func TestAPITeam(t *testing.T) {
 	}
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
 	resp = session.MakeRequest(t, req, http.StatusCreated)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
 		teamToCreate.Permission, teamToCreate.Units, nil)
@@ -85,28 +87,31 @@ func TestAPITeam(t *testing.T) {
 
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 
 	// Edit team Description only
 	editDescription = "first team"
 	teamToEditDesc := api.EditTeamOption{Description: &editDescription}
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
 	assert.NoError(t, teamRead.GetUnits())
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
@@ -127,11 +132,12 @@ func TestAPITeam(t *testing.T) {
 	}
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
 	resp = session.MakeRequest(t, req, http.StatusCreated)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+		"read", nil, teamToCreate.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+		"read", nil, teamToCreate.UnitsMap)
 	teamID = apiTeam.ID
 
 	// Edit team.
@@ -147,28 +153,32 @@ func TestAPITeam(t *testing.T) {
 
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 
 	// Edit team Description only
 	editDescription = "second team"
 	teamToEditDesc = api.EditTeamOption{Description: &editDescription}
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 
 	// Read team.
 	teamRead = unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
+	assert.NoError(t, teamRead.GetUnits())
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
diff --git a/models/org_team.go b/models/org_team.go
index 7687b4edbc6f4..595f2a6a3f643 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -145,6 +145,10 @@ func (t *Team) getUnits(e db.Engine) (err error) {
 
 // GetUnitNames returns the team units names
 func (t *Team) GetUnitNames() (res []string) {
+	if t.Authorize >= perm.AccessModeAdmin {
+		return unit.AllUnitKeyNames()
+	}
+
 	for _, u := range t.Units {
 		res = append(res, unit.Units[u.Type].NameKey)
 	}
@@ -154,8 +158,14 @@ func (t *Team) GetUnitNames() (res []string) {
 // GetUnitsMap returns the team units permissions
 func (t *Team) GetUnitsMap() map[string]string {
 	var m = make(map[string]string)
-	for _, u := range t.Units {
-		m[u.Unit().NameKey] = u.Authorize.String()
+	if t.Authorize >= perm.AccessModeAdmin {
+		for _, u := range unit.Units {
+			m[u.NameKey] = t.Authorize.String()
+		}
+	} else {
+		for _, u := range t.Units {
+			m[u.Unit().NameKey] = u.Authorize.String()
+		}
 	}
 	return m
 }
diff --git a/models/unit/unit.go b/models/unit/unit.go
index d180b0165021c..c3f506b724c71 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -297,3 +297,12 @@ func TypeFromKey(nameKey string) Type {
 	}
 	return TypeInvalid
 }
+
+// AllUnitKeyNames returns all unit key names
+func AllUnitKeyNames() []string {
+	var res = make([]string, 0, len(Units))
+	for _, u := range Units {
+		res = append(res, u.NameKey)
+	}
+	return res
+}

From 7c77e068f8866c436a5a822ebdcb7abcc49cca42 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 1 Dec 2021 15:14:04 +0800
Subject: [PATCH 17/60] Fix test

---
 integrations/api_repo_teams_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/integrations/api_repo_teams_test.go b/integrations/api_repo_teams_test.go
index 07a8b9418e1eb..a3baeba63c804 100644
--- a/integrations/api_repo_teams_test.go
+++ b/integrations/api_repo_teams_test.go
@@ -10,9 +10,11 @@ import (
 	"testing"
 
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -36,7 +38,7 @@ func TestAPIRepoTeams(t *testing.T) {
 	if assert.Len(t, teams, 2) {
 		assert.EqualValues(t, "Owners", teams[0].Name)
 		assert.False(t, teams[0].CanCreateOrgRepo)
-		assert.EqualValues(t, []string{"repo.code", "repo.issues", "repo.pulls", "repo.releases", "repo.wiki", "repo.ext_wiki", "repo.ext_issues"}, teams[0].Units)
+		assert.True(t, util.IsEqualSlice(unit.AllUnitKeyNames(), teams[0].Units), fmt.Sprintf("%v == %v", unit.AllUnitKeyNames(), teams[0].Units))
 		assert.EqualValues(t, "owner", teams[0].Permission)
 
 		assert.EqualValues(t, "test_team", teams[1].Name)

From 1396e7432c7b6c483736871acccdcb9c0434aea7 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 2 Dec 2021 15:51:14 +0800
Subject: [PATCH 18/60] Max permission of external wiki and issues should be
 read

---
 models/perm/access_mode.go  | 16 ----------
 models/unit/unit.go         | 35 ++++++++++++++++++----
 routers/api/v1/org/team.go  |  4 +--
 routers/web/org/teams.go    |  2 +-
 templates/org/team/new.tmpl | 58 +++++++++++++++++++------------------
 5 files changed, 63 insertions(+), 52 deletions(-)

diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index 1ad5f5d4b0140..dfa7f7b7524a1 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -7,7 +7,6 @@ package perm
 import (
 	"fmt"
 
-	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/log"
 )
 
@@ -62,18 +61,3 @@ func ParseAccessMode(permission string) AccessMode {
 		return AccessModeNone
 	}
 }
-
-// MinUnitPerms returns the minial permission of the permission map
-func MinUnitPerms(unitsMap map[unit_model.Type]AccessMode) AccessMode {
-	var res = AccessModeNone
-	for _, mode := range unitsMap {
-		if mode > AccessModeNone {
-			if res == AccessModeNone {
-				res = mode
-			} else if mode < res {
-				res = mode
-			}
-		}
-	}
-	return res
-}
diff --git a/models/unit/unit.go b/models/unit/unit.go
index c3f506b724c71..8e41beef2aa7d 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"strings"
 
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 )
@@ -171,11 +172,12 @@ func (u *Type) CanBeDefault() bool {
 
 // Unit is a section of one repository
 type Unit struct {
-	Type    Type
-	NameKey string
-	URI     string
-	DescKey string
-	Idx     int
+	Type     Type
+	NameKey  string
+	URI      string
+	DescKey  string
+	Idx      int
+	MaxPerms perm.AccessMode
 }
 
 // CanDisable returns if this unit could be disabled.
@@ -199,6 +201,7 @@ var (
 		"/",
 		"repo.code.desc",
 		0,
+		perm.AccessModeOwner,
 	}
 
 	UnitIssues = Unit{
@@ -207,6 +210,7 @@ var (
 		"/issues",
 		"repo.issues.desc",
 		1,
+		perm.AccessModeOwner,
 	}
 
 	UnitExternalTracker = Unit{
@@ -215,6 +219,7 @@ var (
 		"/issues",
 		"repo.ext_issues.desc",
 		1,
+		perm.AccessModeRead,
 	}
 
 	UnitPullRequests = Unit{
@@ -223,6 +228,7 @@ var (
 		"/pulls",
 		"repo.pulls.desc",
 		2,
+		perm.AccessModeOwner,
 	}
 
 	UnitReleases = Unit{
@@ -231,6 +237,7 @@ var (
 		"/releases",
 		"repo.releases.desc",
 		3,
+		perm.AccessModeOwner,
 	}
 
 	UnitWiki = Unit{
@@ -239,6 +246,7 @@ var (
 		"/wiki",
 		"repo.wiki.desc",
 		4,
+		perm.AccessModeOwner,
 	}
 
 	UnitExternalWiki = Unit{
@@ -247,6 +255,7 @@ var (
 		"/wiki",
 		"repo.ext_wiki.desc",
 		4,
+		perm.AccessModeRead,
 	}
 
 	UnitProjects = Unit{
@@ -255,6 +264,7 @@ var (
 		"/projects",
 		"repo.projects.desc",
 		5,
+		perm.AccessModeOwner,
 	}
 
 	// Units contains all the units
@@ -306,3 +316,18 @@ func AllUnitKeyNames() []string {
 	}
 	return res
 }
+
+// MinUnitPerms returns the minial permission of the permission map
+func MinUnitPerms(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
+	var res = perm.AccessModeNone
+	for _, mode := range unitsMap {
+		if mode > perm.AccessModeNone {
+			if res == perm.AccessModeNone {
+				res = mode
+			} else if mode < res {
+				res = mode
+			}
+		}
+	}
+	return res
+}
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 890b7a317cdb9..08392c6aa679f 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -210,7 +210,7 @@ func CreateTeam(ctx *context.APIContext) {
 
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 	}
 
 	team := &models.Team{
@@ -294,7 +294,7 @@ func EditTeam(ctx *context.APIContext) {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
 		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+			p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 		}
 
 		if team.Authorize != p {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index fc6f324073452..28d06367d03a6 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,7 +250,7 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
-		p = perm.MinUnitPerms(unitPerms)
+		p = unit_model.MinUnitPerms(unitPerms)
 	}
 
 	t := &models.Team{
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index a1fc9fde123d8..4562db988b42d 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -89,35 +89,37 @@
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-										<tr>
-											<td>
-												{{if $unit.Type.UnitGlobalDisabled}}
-												<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-												{{else}}
-												<div class="field">
-												{{end}}
-													<div class="ui">
-														<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-														<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											<tr>
+												<td>
+													{{if $unit.Type.UnitGlobalDisabled}}
+													<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+													{{else}}
+													<div class="field">
+													{{end}}
+														<div class="ui">
+															<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+															<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+														</div>
 													</div>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-												</div>
-											</td>
-										</tr>
+												</td>
+												<td class="center aligned">
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+													</div>
+												</td>
+												<td class="center aligned">
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+													</div>
+												</td>
+												<td class="center aligned">
+													{{if ge $unit.MaxPerms 2}}
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+													</div>
+													{{end}}
+												</td>
+											</tr>
 										{{end}}
 									</tbody>
 								</table>

From 0738b2c8366ab8bb23fc805896ed9f01324e2294 Mon Sep 17 00:00:00 2001
From: Lauris BH <lauris@nix.lv>
Date: Fri, 3 Dec 2021 22:56:27 +0200
Subject: [PATCH 19/60] Move team units with limited max level below units
 table

* Update label and column names
---
 options/locale/locale_en-US.ini |  8 ++--
 templates/org/team/new.tmpl     | 75 ++++++++++++++++++++-------------
 2 files changed, 49 insertions(+), 34 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 064d9ddbbe601..7a3dbd50a812c 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1099,7 +1099,7 @@ commits.signed_by_untrusted_user_unmatched = Signed by untrusted user who does n
 commits.gpg_key_id = GPG Key ID
 commits.ssh_key_fingerprint = SSH Key Fingerprint
 
-ext_issues = Ext. Issues
+ext_issues = Access to External Issues
 ext_issues.desc = Link to an external issue tracker.
 
 projects = Projects
@@ -1579,7 +1579,7 @@ signing.wont_sign.commitssigned = The merge will not be signed as all the associ
 signing.wont_sign.approved = The merge will not be signed as the PR is not approved
 signing.wont_sign.not_signed_in = You are not signed in
 
-ext_wiki = Ext. Wiki
+ext_wiki = Access to External Wiki
 ext_wiki.desc = Link to an external wiki.
 
 wiki = Wiki
@@ -2265,9 +2265,9 @@ teams.none_access = No Access
 teams.none_access_helper = Members cannot view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.
-teams.read_access = Read Access
+teams.read_access = Read
 teams.read_access_helper = Members can view and clone team repositories.
-teams.write_access = Write Access
+teams.write_access = Write
 teams.write_access_helper = Members can read and push to team repositories.
 teams.admin_access = Administrator Access
 teams.admin_access_helper = Members can pull and push to team repositories and add collaborators to them.
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 4562db988b42d..1d231c0100044 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -89,40 +89,55 @@
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-											<tr>
-												<td>
-													{{if $unit.Type.UnitGlobalDisabled}}
-													<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-													{{else}}
-													<div class="field">
-													{{end}}
-														<div class="ui">
-															<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-															<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											{{if ge $unit.MaxPerms 2}}
+												<tr>
+													<td>
+														{{if $unit.Type.UnitGlobalDisabled}}
+														<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+														{{else}}
+														<div class="field">
+														{{end}}
+															<div class="ui">
+																<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+																<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+															</div>
 														</div>
-													</div>
-												</td>
-												<td class="center aligned">
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-													</div>
-												</td>
-												<td class="center aligned">
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
-													</div>
-												</td>
-												<td class="center aligned">
-													{{if ge $unit.MaxPerms 2}}
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
-													</div>
-													{{end}}
-												</td>
-											</tr>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+														</div>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+														</div>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+														</div>
+													</td>
+												</tr>
+											{{end}}
 										{{end}}
 									</tbody>
 								</table>
+								{{range $t, $unit := $.Units}}
+									{{if lt $unit.MaxPerms 2}}
+										{{if $unit.Type.UnitGlobalDisabled}}
+										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+										{{else}}
+										<div class="field">
+										{{end}}
+											<div class="ui checkbox">
+												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											</div>
+										</div>
+									{{end}}
+								{{end}}
 							</div>
 						{{end}}
 

From dc09224da003111b7cc3990d80f32a38d854b04c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 6 Dec 2021 19:24:27 +0800
Subject: [PATCH 20/60] Some improvements

---
 models/org_team.go          | 14 +++++++-------
 models/unit/unit.go         | 24 ++++++++++--------------
 routers/api/v1/org/team.go  | 16 ++++++++--------
 routers/web/org/teams.go    | 16 ++++++++--------
 templates/org/team/new.tmpl | 13 +++----------
 5 files changed, 36 insertions(+), 47 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index 595f2a6a3f643..9094cc8bb913b 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -164,7 +164,7 @@ func (t *Team) GetUnitsMap() map[string]string {
 		}
 	} else {
 		for _, u := range t.Units {
-			m[u.Unit().NameKey] = u.Authorize.String()
+			m[u.Unit().NameKey] = u.AccessMode.String()
 		}
 	}
 	return m
@@ -484,7 +484,7 @@ func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode {
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return unit.Authorize
+			return unit.AccessMode
 		}
 	}
 	return perm.AccessModeNone
@@ -1056,11 +1056,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
 
 // TeamUnit describes all units of a repository
 type TeamUnit struct {
-	ID        int64     `xorm:"pk autoincr"`
-	OrgID     int64     `xorm:"INDEX"`
-	TeamID    int64     `xorm:"UNIQUE(s)"`
-	Type      unit.Type `xorm:"UNIQUE(s)"`
-	Authorize perm.AccessMode
+	ID         int64     `xorm:"pk autoincr"`
+	OrgID      int64     `xorm:"INDEX"`
+	TeamID     int64     `xorm:"UNIQUE(s)"`
+	Type       unit.Type `xorm:"UNIQUE(s)"`
+	AccessMode perm.AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 8e41beef2aa7d..c8ae811650587 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -172,12 +172,12 @@ func (u *Type) CanBeDefault() bool {
 
 // Unit is a section of one repository
 type Unit struct {
-	Type     Type
-	NameKey  string
-	URI      string
-	DescKey  string
-	Idx      int
-	MaxPerms perm.AccessMode
+	Type          Type
+	NameKey       string
+	URI           string
+	DescKey       string
+	Idx           int
+	MaxAccessMode perm.AccessMode // The max access mode of the unit. i.e. Read means this unit can only be read.
 }
 
 // CanDisable returns if this unit could be disabled.
@@ -317,16 +317,12 @@ func AllUnitKeyNames() []string {
 	return res
 }
 
-// MinUnitPerms returns the minial permission of the permission map
-func MinUnitPerms(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
+// MinUnitAccessMode returns the minial permission of the permission map
+func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	var res = perm.AccessModeNone
 	for _, mode := range unitsMap {
-		if mode > perm.AccessModeNone {
-			if res == perm.AccessModeNone {
-				res = mode
-			} else if mode < res {
-				res = mode
-			}
+		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
+			res = mode
 		}
 	}
 	return res
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 08392c6aa679f..1e81b669664cc 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -156,9 +156,9 @@ func attachTeamUnits(team *models.Team, units []string) {
 	team.Units = make([]*models.TeamUnit, 0, len(units))
 	for _, tp := range unitTypes {
 		team.Units = append(team.Units, &models.TeamUnit{
-			OrgID:     team.OrgID,
-			Type:      tp,
-			Authorize: team.Authorize,
+			OrgID:      team.OrgID,
+			Type:       tp,
+			AccessMode: team.Authorize,
 		})
 	}
 }
@@ -175,9 +175,9 @@ func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
 	for unitKey, p := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
-			OrgID:     team.OrgID,
-			Type:      unit_model.TypeFromKey(unitKey),
-			Authorize: perm.ParseAccessMode(p),
+			OrgID:      team.OrgID,
+			Type:       unit_model.TypeFromKey(unitKey),
+			AccessMode: perm.ParseAccessMode(p),
 		})
 	}
 }
@@ -210,7 +210,7 @@ func CreateTeam(ctx *context.APIContext) {
 
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-		p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 	}
 
 	team := &models.Team{
@@ -294,7 +294,7 @@ func EditTeam(ctx *context.APIContext) {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
 		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-			p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 		}
 
 		if team.Authorize != p {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 28d06367d03a6..ab7f32b060cd0 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,7 +250,7 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
-		p = unit_model.MinUnitPerms(unitPerms)
+		p = unit_model.MinUnitAccessMode(unitPerms)
 	}
 
 	t := &models.Team{
@@ -266,9 +266,9 @@ func NewTeamPost(ctx *context.Context) {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
-				OrgID:     ctx.Org.Organization.ID,
-				Type:      tp,
-				Authorize: perm,
+				OrgID:      ctx.Org.Organization.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
 		t.Units = units
@@ -368,10 +368,10 @@ func EditTeamPost(ctx *context.Context) {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
-				OrgID:     t.OrgID,
-				TeamID:    t.ID,
-				Type:      tp,
-				Authorize: perm,
+				OrgID:      t.OrgID,
+				TeamID:     t.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
 		err := models.UpdateTeamUnits(t, units)
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 1d231c0100044..66674241484db 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -92,11 +92,7 @@
 											{{if ge $unit.MaxPerms 2}}
 												<tr>
 													<td>
-														{{if $unit.Type.UnitGlobalDisabled}}
-														<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-														{{else}}
-														<div class="field">
-														{{end}}
+														<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">{{- else -}}class="field"{{end}}>
 															<div class="ui">
 																<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
 																<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
@@ -125,11 +121,8 @@
 								</table>
 								{{range $t, $unit := $.Units}}
 									{{if lt $unit.MaxPerms 2}}
-										{{if $unit.Type.UnitGlobalDisabled}}
-										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-										{{else}}
-										<div class="field">
-										{{end}}
+										
+										<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}"{{else}}class="field"{{end}}>
 											<div class="ui checkbox">
 												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
 												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>

From 0bfffa251135b89943633e83cb305876f1a2d646 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 6 Dec 2021 22:00:46 +0800
Subject: [PATCH 21/60] Fix lint

---
 templates/org/team/new.tmpl | 1 -
 1 file changed, 1 deletion(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 66674241484db..cbb58d262d5bb 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -121,7 +121,6 @@
 								</table>
 								{{range $t, $unit := $.Units}}
 									{{if lt $unit.MaxPerms 2}}
-										
 										<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}"{{else}}class="field"{{end}}>
 											<div class="ui checkbox">
 												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>

From fe09394a0769590866d58c7dff775c3a905fb0f4 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 8 Dec 2021 22:47:38 +0800
Subject: [PATCH 22/60] Some improvements

---
 integrations/api_team_test.go     |  4 ++--
 models/access.go                  |  8 ++++----
 models/issue.go                   |  2 +-
 models/org.go                     |  2 +-
 models/org_team.go                | 10 +++++-----
 models/org_team_test.go           |  2 +-
 models/repo_permission.go         |  4 ++--
 models/review.go                  |  2 +-
 modules/context/org.go            |  2 +-
 modules/convert/convert.go        |  2 +-
 modules/repository/create_test.go |  8 ++++----
 routers/api/v1/org/team.go        | 12 ++++++------
 routers/web/org/teams.go          | 23 +++++++++++++++--------
 13 files changed, 44 insertions(+), 37 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index d9aafcf7665d4..21263069bb211 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -114,7 +114,7 @@ func TestAPITeam(t *testing.T) {
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
@@ -180,7 +180,7 @@ func TestAPITeam(t *testing.T) {
 	DecodeJSON(t, resp, &apiTeam)
 	assert.NoError(t, teamRead.GetUnits())
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
diff --git a/models/access.go b/models/access.go
index 6a97bcffcf7b5..48b65c2c0f605 100644
--- a/models/access.go
+++ b/models/access.go
@@ -162,7 +162,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
 		// Owner team gets owner access, and skip for teams that do not
 		// have relations with repository.
 		if t.IsOwnerTeam() {
-			t.Authorize = perm.AccessModeOwner
+			t.AccessMode = perm.AccessModeOwner
 		} else if !t.hasRepository(e, repo.ID) {
 			continue
 		}
@@ -171,7 +171,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
 			return fmt.Errorf("getMembers '%d': %v", t.ID, err)
 		}
 		for _, m := range t.Members {
-			updateUserAccess(accessMap, m, t.Authorize)
+			updateUserAccess(accessMap, m, t.AccessMode)
 		}
 	}
 
@@ -210,10 +210,10 @@ func recalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid
 
 		for _, t := range teams {
 			if t.IsOwnerTeam() {
-				t.Authorize = perm.AccessModeOwner
+				t.AccessMode = perm.AccessModeOwner
 			}
 
-			accessMode = maxAccessMode(accessMode, t.Authorize)
+			accessMode = maxAccessMode(accessMode, t.AccessMode)
 		}
 	}
 
diff --git a/models/issue.go b/models/issue.go
index 33fe8e91f027d..c61f699d92b1d 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_
 				unittype = unit.TypePullRequests
 			}
 			for _, team := range teams {
-				if team.Authorize >= perm.AccessModeAdmin {
+				if team.AccessMode >= perm.AccessModeAdmin {
 					checked = append(checked, team.ID)
 					resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true
 					continue
diff --git a/models/org.go b/models/org.go
index c135bb9d3cc31..11c4662ba2235 100644
--- a/models/org.go
+++ b/models/org.go
@@ -265,7 +265,7 @@ func CreateOrganization(org *Organization, owner *user_model.User) (err error) {
 		OrgID:                   org.ID,
 		LowerName:               strings.ToLower(ownerTeamName),
 		Name:                    ownerTeamName,
-		Authorize:               perm.AccessModeOwner,
+		AccessMode:              perm.AccessModeOwner,
 		NumMembers:              1,
 		IncludesAllRepositories: true,
 		CanCreateOrgRepo:        true,
diff --git a/models/org_team.go b/models/org_team.go
index 9094cc8bb913b..ffc9c158c1a49 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -32,7 +32,7 @@ type Team struct {
 	LowerName               string
 	Name                    string
 	Description             string
-	Authorize               perm.AccessMode
+	AccessMode              perm.AccessMode          `xorm:"'authorize'"`
 	Repos                   []*repo_model.Repository `xorm:"-"`
 	Members                 []*user_model.User       `xorm:"-"`
 	NumRepos                int
@@ -126,7 +126,7 @@ func (t *Team) ColorFormat(s fmt.State) {
 		log.NewColoredIDValue(t.ID),
 		t.Name,
 		log.NewColoredIDValue(t.OrgID),
-		t.Authorize)
+		t.AccessMode)
 }
 
 // GetUnits return a list of available units for a team
@@ -145,7 +145,7 @@ func (t *Team) getUnits(e db.Engine) (err error) {
 
 // GetUnitNames returns the team units names
 func (t *Team) GetUnitNames() (res []string) {
-	if t.Authorize >= perm.AccessModeAdmin {
+	if t.AccessMode >= perm.AccessModeAdmin {
 		return unit.AllUnitKeyNames()
 	}
 
@@ -158,9 +158,9 @@ func (t *Team) GetUnitNames() (res []string) {
 // GetUnitsMap returns the team units permissions
 func (t *Team) GetUnitsMap() map[string]string {
 	var m = make(map[string]string)
-	if t.Authorize >= perm.AccessModeAdmin {
+	if t.AccessMode >= perm.AccessModeAdmin {
 		for _, u := range unit.Units {
-			m[u.NameKey] = t.Authorize.String()
+			m[u.NameKey] = t.AccessMode.String()
 		}
 	} else {
 		for _, u := range t.Units {
diff --git a/models/org_team_test.go b/models/org_team_test.go
index 59b7b6d5a834c..aa62cc58e2d00 100644
--- a/models/org_team_test.go
+++ b/models/org_team_test.go
@@ -211,7 +211,7 @@ func TestUpdateTeam(t *testing.T) {
 	team.LowerName = "newname"
 	team.Name = "newName"
 	team.Description = strings.Repeat("A long description!", 100)
-	team.Authorize = perm.AccessModeAdmin
+	team.AccessMode = perm.AccessModeAdmin
 	assert.NoError(t, UpdateTeam(team, true, false))
 
 	team = unittest.AssertExistsAndLoadBean(t, &Team{Name: "newName"}).(*Team)
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 1eec972c11acd..4e5cbfd55807e 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 
 	// if user in an owner team
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeAdmin {
+		if team.AccessMode >= perm_model.AccessModeAdmin {
 			perm.AccessMode = perm_model.AccessModeOwner
 			perm.UnitsMode = nil
 			return
@@ -325,7 +325,7 @@ func isUserRepoAdmin(e db.Engine, repo *repo_model.Repository, user *user_model.
 	}
 
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeAdmin {
+		if team.AccessMode >= perm_model.AccessModeAdmin {
 			return true, nil
 		}
 	}
diff --git a/models/review.go b/models/review.go
index eeb33611ceb15..023f98c3eace5 100644
--- a/models/review.go
+++ b/models/review.go
@@ -280,7 +280,7 @@ func isOfficialReviewerTeam(ctx context.Context, issue *Issue, team *Team) (bool
 	}
 
 	if !pr.ProtectedBranch.EnableApprovalsWhitelist {
-		return team.Authorize >= perm.AccessModeWrite, nil
+		return team.UnitAccessMode(unit.TypeCode) >= perm.AccessModeWrite, nil
 	}
 
 	return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil
diff --git a/modules/context/org.go b/modules/context/org.go
index eb81f6644c171..585a5fd762c6d 100644
--- a/modules/context/org.go
+++ b/modules/context/org.go
@@ -168,7 +168,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 			return
 		}
 
-		ctx.Org.IsTeamAdmin = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= perm.AccessModeAdmin
+		ctx.Org.IsTeamAdmin = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.AccessMode >= perm.AccessModeAdmin
 		ctx.Data["IsTeamAdmin"] = ctx.Org.IsTeamAdmin
 		if requireTeamAdmin && !ctx.Org.IsTeamAdmin {
 			ctx.NotFound("OrgAssignment", err)
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index 2466e0dfd2960..41a044c6d74e2 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -306,7 +306,7 @@ func ToTeam(team *models.Team) *api.Team {
 		Description:             team.Description,
 		IncludesAllRepositories: team.IncludesAllRepositories,
 		CanCreateOrgRepo:        team.CanCreateOrgRepo,
-		Permission:              team.Authorize.String(),
+		Permission:              team.AccessMode.String(),
 		Units:                   team.GetUnitNames(),
 		UnitsMap:                team.GetUnitsMap(),
 	}
diff --git a/modules/repository/create_test.go b/modules/repository/create_test.go
index 18995f4ecd210..ed890ace43319 100644
--- a/modules/repository/create_test.go
+++ b/modules/repository/create_test.go
@@ -70,25 +70,25 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 		{
 			OrgID:                   org.ID,
 			Name:                    "team one",
-			Authorize:               perm.AccessModeRead,
+			AccessMode:              perm.AccessModeRead,
 			IncludesAllRepositories: true,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team 2",
-			Authorize:               perm.AccessModeRead,
+			AccessMode:              perm.AccessModeRead,
 			IncludesAllRepositories: false,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team three",
-			Authorize:               perm.AccessModeWrite,
+			AccessMode:              perm.AccessModeWrite,
 			IncludesAllRepositories: true,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team 4",
-			Authorize:               perm.AccessModeWrite,
+			AccessMode:              perm.AccessModeWrite,
 			IncludesAllRepositories: false,
 		},
 	}
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 1e81b669664cc..f3be88e919a32 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -158,7 +158,7 @@ func attachTeamUnits(team *models.Team, units []string) {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:      team.OrgID,
 			Type:       tp,
-			AccessMode: team.Authorize,
+			AccessMode: team.AccessMode,
 		})
 	}
 }
@@ -219,10 +219,10 @@ func CreateTeam(ctx *context.APIContext) {
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               p,
+		AccessMode:              p,
 	}
 
-	if team.Authorize < perm.AccessModeAdmin {
+	if team.AccessMode < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
@@ -297,9 +297,9 @@ func EditTeam(ctx *context.APIContext) {
 			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 		}
 
-		if team.Authorize != p {
+		if team.AccessMode != p {
 			isAuthChanged = true
-			team.Authorize = p
+			team.AccessMode = p
 		}
 
 		if form.IncludesAllRepositories != nil {
@@ -308,7 +308,7 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}
 
-	if team.Authorize < perm.AccessModeAdmin {
+	if team.AccessMode < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index ab7f32b060cd0..78f9b147ec4db 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,6 +250,8 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
+		// if p is less than admin accessmode, then it should be general accessmode,
+		// so we should calculate the minial accessmode from units accessmodes.
 		p = unit_model.MinUnitAccessMode(unitPerms)
 	}
 
@@ -257,12 +259,12 @@ func NewTeamPost(ctx *context.Context) {
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               p,
+		AccessMode:              p,
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}
 
-	if t.Authorize < perm.AccessModeAdmin {
+	if t.AccessMode < perm.AccessModeAdmin {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
@@ -281,7 +283,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@@ -350,12 +352,17 @@ func EditTeamPost(ctx *context.Context) {
 	var includesAllRepositories = form.RepoAccess == "all"
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		newAccessMode := perm.ParseAccessMode(form.Permission)
+		if newAccessMode < perm.AccessModeAdmin {
+			// if p is less than admin accessmode, then it should be general accessmode,
+			// so we should calculate the minial accessmode from units accessmodes.
+			newAccessMode = unit_model.MinUnitAccessMode(unitPerms)
+		}
 
 		t.Name = form.TeamName
-		if t.Authorize != auth {
+		if t.AccessMode != newAccessMode {
 			isAuthChanged = true
-			t.Authorize = auth
+			t.AccessMode = newAccessMode
 		}
 
 		if t.IncludesAllRepositories != includesAllRepositories {
@@ -364,7 +371,7 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < perm.AccessModeAdmin {
+	if t.AccessMode < perm.AccessModeAdmin {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
@@ -387,7 +394,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}

From fd1589357e90bb1684131134b77623b866a4bd0c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 13 Dec 2021 10:08:05 +0800
Subject: [PATCH 23/60] Fix template variables

---
 templates/org/team/new.tmpl     | 6 +++---
 templates/org/team/sidebar.tmpl | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index cbb58d262d5bb..1cf2dd0236ec1 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -56,14 +56,14 @@
 								<br>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.Authorize}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1) (eq .Team.Authorize 2)}}checked{{end}}>
+										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.AccessMode}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.AccessMode 1) (eq .Team.AccessMode 2)}}checked{{end}}>
 										<label>{{.i18n.Tr "org.teams.general_access"}}</label>
 										<span class="help">{{.i18n.Tr "org.teams.general_access_helper"}}</span>
 									</div>
 								</div>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="admin" {{if eq .Team.Authorize 3}}checked{{end}}>
+										<input type="radio" name="permission" value="admin" {{if eq .Team.AccessMode 3}}checked{{end}}>
 										<label>{{.i18n.Tr "org.teams.admin_access"}}</label>
 										<span class="help">{{.i18n.Tr "org.teams.admin_access_helper"}}</span>
 									</div>
@@ -71,7 +71,7 @@
 							</div>
 							<div class="ui divider"></div>
 
-							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+							<div class="team-units required grouped field"{{if eq .Team.AccessMode 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<table class="ui celled table">
 									<thead>
diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl
index 2e3769de479a1..6ea08740f714d 100644
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -29,19 +29,19 @@
 		<div class="item">
 			{{if eq .Team.LowerName "owners"}}
 				{{.i18n.Tr "org.teams.owners_permission_desc" | Str2html}}
-			{{else if (eq .Team.Authorize 1)}}
+			{{else if (eq .Team.AccessMode 1)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_read_permission_desc" | Str2html}}
 				{{else}}
 					{{.i18n.Tr "org.teams.read_permission_desc" | Str2html}}
 				{{end}}
-			{{else if (eq .Team.Authorize 2)}}
+			{{else if (eq .Team.AccessMode 2)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_write_permission_desc" | Str2html}}
 				{{else}}
 					{{.i18n.Tr "org.teams.write_permission_desc" | Str2html}}
 				{{end}}
-			{{else if (eq .Team.Authorize 3)}}
+			{{else if (eq .Team.AccessMode 3)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_admin_permission_desc" | Str2html}}
 				{{else}}

From 1bce43ad392397b295f131698546fe54d35667c4 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 13 Dec 2021 13:17:53 +0800
Subject: [PATCH 24/60] Add permission docs

---
 docs/content/doc/usage/permissions.en-us.md | 73 +++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 docs/content/doc/usage/permissions.en-us.md

diff --git a/docs/content/doc/usage/permissions.en-us.md b/docs/content/doc/usage/permissions.en-us.md
new file mode 100644
index 0000000000000..fe1fac7534242
--- /dev/null
+++ b/docs/content/doc/usage/permissions.en-us.md
@@ -0,0 +1,73 @@
+---
+date: "2021-12-13:10:10+08:00"
+title: "Permissions"
+slug: "permissions"
+weight: 14
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Permissions"
+    weight: 14
+    identifier: "permissions"
+---
+
+# Permissions
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea supports permissions for repository so that you can give different access for different people. At first, we need to know about `Unit`.
+
+## Unit
+
+In Gitea, we call a sub module of a repository `Unit`. Now we have following units.
+
+| Name           | Description                                          | Permissions |
+| -------------- | ---------------------------------------------------- | ----------- |
+| Code           | Access source code, files, commits and branches.     | Read Write  |
+| Issues         | Organize bug reports, tasks and milestones.          | Read Write  |
+| PullRequests   | Enable pull requests and code reviews.               | Read Write  |
+| Releases       | Track project versions and downloads.                | Read Write  |
+| Wiki           | Write and share documentation with collaborators.    | Read Write  |
+| ExternalWiki   | Link to an external wiki                             | Read        |
+| ExternalTracer | Link to an external issue tracker                    | Read        |
+| Projects       | The URL to the template repository                   | Read Write  |
+| Settings       | Manage the repository                                | Admin       |
+
+With different permissions, people could do diffent things with these units.
+
+| Name           | Read                                               | Write                        | Admin                     |
+| -------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
+| Code           | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
+| Issues         | View issues and create new issues.                 | Add labels, assign, close    | -                         |
+| PullRequests   | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
+| Releases       | View releases and download files.                  | Create/Edit releases         | -                         |
+| Wiki           | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
+| ExternalWiki   | Link to an external wiki                           | -                            | -                         |
+| ExternalTracer | Link to an external issue tracker                  | -                            | -                         |
+| Projects       | View the boards                                    | Change issues across boards  | -                         |
+| Settings       | -                                                  | -                            | Manage the repository     |
+
+And there are some differents for permissions between individule repositories and organization repositories.
+
+## Individule Repository
+
+For individule repositories, the creators are the only owners of repositories and have no limit to change anything of this 
+repository or delete it. Repositories owners could add collabrators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
+
+## Organization Repository
+
+Different from individule repositories, the owner of organization repositories are the owner team of this organization.
+
+### Team
+
+A team in an organizaiton has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
+repositories.
+
+The owner team will be created when the organization created and the creator will become the first member of the owner team.
+Notice Gitea will not allow a people is a member of organization but not in any team. The owner team could not be deleted and only
+members of owner team could create a new team. Admin team could be created to manange some of repositories, members of admin team
+could do anything with these repositories. Generate team could be created by the owner team to do the permissions allowed operations.

From ea2f677f6f57a5f00a6b7cd605e830e5b4d0a41e Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 16 Dec 2021 20:34:37 +0800
Subject: [PATCH 25/60] improve doc

---
 docs/content/doc/usage/permissions.en-us.md | 70 ++++++++++-----------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/docs/content/doc/usage/permissions.en-us.md b/docs/content/doc/usage/permissions.en-us.md
index fe1fac7534242..1eea78b557134 100644
--- a/docs/content/doc/usage/permissions.en-us.md
+++ b/docs/content/doc/usage/permissions.en-us.md
@@ -25,49 +25,49 @@ Gitea supports permissions for repository so that you can give different access
 
 In Gitea, we call a sub module of a repository `Unit`. Now we have following units.
 
-| Name           | Description                                          | Permissions |
-| -------------- | ---------------------------------------------------- | ----------- |
-| Code           | Access source code, files, commits and branches.     | Read Write  |
-| Issues         | Organize bug reports, tasks and milestones.          | Read Write  |
-| PullRequests   | Enable pull requests and code reviews.               | Read Write  |
-| Releases       | Track project versions and downloads.                | Read Write  |
-| Wiki           | Write and share documentation with collaborators.    | Read Write  |
-| ExternalWiki   | Link to an external wiki                             | Read        |
-| ExternalTracer | Link to an external issue tracker                    | Read        |
-| Projects       | The URL to the template repository                   | Read Write  |
-| Settings       | Manage the repository                                | Admin       |
-
-With different permissions, people could do diffent things with these units.
-
-| Name           | Read                                               | Write                        | Admin                     |
-| -------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
-| Code           | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
-| Issues         | View issues and create new issues.                 | Add labels, assign, close    | -                         |
-| PullRequests   | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
-| Releases       | View releases and download files.                  | Create/Edit releases         | -                         |
-| Wiki           | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
-| ExternalWiki   | Link to an external wiki                           | -                            | -                         |
-| ExternalTracer | Link to an external issue tracker                  | -                            | -                         |
-| Projects       | View the boards                                    | Change issues across boards  | -                         |
-| Settings       | -                                                  | -                            | Manage the repository     |
-
-And there are some differents for permissions between individule repositories and organization repositories.
-
-## Individule Repository
-
-For individule repositories, the creators are the only owners of repositories and have no limit to change anything of this 
-repository or delete it. Repositories owners could add collabrators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
+| Name            | Description                                          | Permissions |
+| --------------- | ---------------------------------------------------- | ----------- |
+| Code            | Access source code, files, commits and branches.     | Read Write  |
+| Issues          | Organize bug reports, tasks and milestones.          | Read Write  |
+| PullRequests    | Enable pull requests and code reviews.               | Read Write  |
+| Releases        | Track project versions and downloads.                | Read Write  |
+| Wiki            | Write and share documentation with collaborators.    | Read Write  |
+| ExternalWiki    | Link to an external wiki                             | Read        |
+| ExternalTracker | Link to an external issue tracker                    | Read        |
+| Projects        | The URL to the template repository                   | Read Write  |
+| Settings        | Manage the repository                                | Admin       |
+
+With different permissions, people could do different things with these units.
+
+| Name            | Read                                               | Write                        | Admin                     |
+| --------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
+| Code            | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
+| Issues          | View issues and create new issues.                 | Add labels, assign, close    | -                         |
+| PullRequests    | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
+| Releases        | View releases and download files.                  | Create/Edit releases         | -                         |
+| Wiki            | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
+| ExternalWiki    | Link to an external wiki                           | -                            | -                         |
+| ExternalTracker | Link to an external issue tracker                  | -                            | -                         |
+| Projects        | View the boards                                    | Change issues across boards  | -                         |
+| Settings        | -                                                  | -                            | Manage the repository     |
+
+And there are some differences for permissions between individual repositories and organization repositories.
+
+## Individual Repository
+
+For individual repositories, the creators are the only owners of repositories and have no limit to change anything of this 
+repository or delete it. Repositories owners could add collaborators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
 
 ## Organization Repository
 
-Different from individule repositories, the owner of organization repositories are the owner team of this organization.
+Different from individual repositories, the owner of organization repositories are the owner team of this organization.
 
 ### Team
 
-A team in an organizaiton has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
+A team in an organization has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
 repositories.
 
 The owner team will be created when the organization created and the creator will become the first member of the owner team.
 Notice Gitea will not allow a people is a member of organization but not in any team. The owner team could not be deleted and only
-members of owner team could create a new team. Admin team could be created to manange some of repositories, members of admin team
+members of owner team could create a new team. Admin team could be created to manage some of repositories, members of admin team
 could do anything with these repositories. Generate team could be created by the owner team to do the permissions allowed operations.

From 367d1d07bdf51d6517c1e45b788c959ebb8099ae Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 16 Dec 2021 20:44:43 +0800
Subject: [PATCH 26/60] Fix fixture

---
 models/fixtures/team_unit.yml | 90 +++++++++++++++++------------------
 1 file changed, 45 insertions(+), 45 deletions(-)

diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml
index 1d7be8d5d5935..66f0d22efdfe5 100644
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@@ -2,268 +2,268 @@
   id: 1
   team_id: 1
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 2
   team_id: 1
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 3
   team_id: 1
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 4
   team_id: 1
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 5
   team_id: 1
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 6
   team_id: 1
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 7
   team_id: 1
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 8
   team_id: 2
   type: 1
-  authorize: 2
+  access_mode: 2
 
 -
   id: 9
   team_id: 2
   type: 2
-  authorize: 2
+  access_mode: 2
 
 -
   id: 10
   team_id: 2
   type: 3
-  authorize: 2
+  access_mode: 2
 
 -
   id: 11
   team_id: 2
   type: 4
-  authorize: 2
+  access_mode: 2
 
 -
   id: 12
   team_id: 2
   type: 5
-  authorize: 2
+  access_mode: 2
 
 -
   id: 13
   team_id: 2
   type: 6
-  authorize: 2
+  access_mode: 2
 
 -
   id: 14
   team_id: 2
   type: 7
-  authorize: 2
+  access_mode: 2
 
 -
   id: 15
   team_id: 3
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 16
   team_id: 3
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 17
   team_id: 3
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 18
   team_id: 3
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 19
   team_id: 3
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 20
   team_id: 3
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 21
   team_id: 3
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 22
   team_id: 4
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 23
   team_id: 4
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 24
   team_id: 4
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 25
   team_id: 4
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 26
   team_id: 4
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 27
   team_id: 4
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 28
   team_id: 4
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 29
   team_id: 5
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 30
   team_id: 5
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 31
   team_id: 5
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 32
   team_id: 5
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 33
   team_id: 5
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 34
   team_id: 5
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 35
   team_id: 5
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 36
   team_id: 6
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 37
   team_id: 6
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 38
   team_id: 6
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 39
   team_id: 6
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 40
   team_id: 6
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 41
   team_id: 6
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 42
   team_id: 6
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 43
   team_id: 7
   type: 2 # issues
-  authorize: 2
+  access_mode: 2
 
 -
   id: 44
   team_id: 8
   type: 2 # issues
-  authorize: 2
+  access_mode: 2
 
 -
   id: 45
   team_id: 9
   type: 1 # code
-  authorize: 1
\ No newline at end of file
+  access_mode: 1

From 232affa4f7d9932435ed12f97710ad1f405e8f2a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 2 Jan 2022 15:17:44 +0800
Subject: [PATCH 27/60] Fix bug

---
 models/org_team.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/org_team.go b/models/org_team.go
index ffc9c158c1a49..3cf976353f75a 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -684,7 +684,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) {
 			Delete(new(TeamUnit)); err != nil {
 			return err
 		}
-		if _, err = sess.Cols("org_id", "team_id", "type", "authorize").Insert(&t.Units); err != nil {
+		if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil {
 			return err
 		}
 	}

From c4ae43cc8b5d0bebd40d43fb6c7ff36c66be6c01 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 4 Jan 2022 09:11:56 +0800
Subject: [PATCH 28/60] Fix some bug

---
 models/migrations/v205.go   | 12 ++++++------
 models/unit/unit.go         |  2 +-
 modules/structs/org_team.go |  1 +
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/models/migrations/v205.go b/models/migrations/v205.go
index 3449bebbdf475..bb52aae219342 100644
--- a/models/migrations/v205.go
+++ b/models/migrations/v205.go
@@ -12,11 +12,11 @@ import (
 
 func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
 	type TeamUnit struct {
-		ID        int64 `xorm:"pk autoincr"`
-		OrgID     int64 `xorm:"INDEX"`
-		TeamID    int64 `xorm:"UNIQUE(s)"`
-		Type      int   `xorm:"UNIQUE(s)"`
-		Authorize int
+		ID         int64 `xorm:"pk autoincr"`
+		OrgID      int64 `xorm:"INDEX"`
+		TeamID     int64 `xorm:"UNIQUE(s)"`
+		Type       int   `xorm:"UNIQUE(s)"`
+		AccessMode int
 	}
 
 	if err := x.Sync2(new(TeamUnit)); err != nil {
@@ -24,7 +24,7 @@ func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
 	}
 
 	// migrate old permission
-	_, err := x.Exec("UPDATE team_unit SET authorize = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
+	_, err := x.Exec("UPDATE team_unit SET access_mode = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
 	return err
 
 }
diff --git a/models/unit/unit.go b/models/unit/unit.go
index c8ae811650587..c9142e84510bc 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -321,7 +321,7 @@ func AllUnitKeyNames() []string {
 func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	var res = perm.AccessModeNone
 	for _, mode := range unitsMap {
-		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
+		if mode > perm.AccessModeNone && mode < res {
 			res = mode
 		}
 	}
diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index bf18b4fc4be15..53e3fcf62da45 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -15,6 +15,7 @@ type Team struct {
 	// enum: none,read,write,admin,owner
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`

From dbfa40fcb090a3b516e76aa774a0e61c6a6d55c5 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Tue, 4 Jan 2022 18:28:13 +0100
Subject: [PATCH 29/60] fix

---
 models/migrations/migrations.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 37112c655546e..36dd19ec5f59a 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -364,11 +364,9 @@ var migrations = []Migration{
 	// v204 -> v205
 	NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified),
 	// v205 -> v206
-<<<<<<< HEAD
-	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
-=======
 	NewMigration("Migrate to higher varchar on user struct", migrateUserPasswordSalt),
->>>>>>> master
+	// v206 -> v207
+	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version

From 23ee2b589efbefb80acbd16675233bba9694e77d Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Tue, 4 Jan 2022 18:34:56 +0100
Subject: [PATCH 30/60] gofumpt

---
 integrations/api_team_test.go   |  1 -
 integrations/org_test.go        |  3 +--
 models/issue.go                 |  4 ++--
 models/migrations/migrations.go |  1 -
 models/migrations/v206.go       |  1 -
 models/org.go                   |  4 ++--
 models/org_team.go              |  2 +-
 models/unit/unit.go             |  4 ++--
 routers/api/v1/org/team.go      |  8 +++-----
 routers/web/org/teams.go        | 16 ++++++++--------
 10 files changed, 19 insertions(+), 25 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 21263069bb211..a622c63145f70 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -241,5 +241,4 @@ func TestAPITeamSearch(t *testing.T) {
 	req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "team")
 	req.Header.Add("X-Csrf-Token", csrf)
 	session.MakeRequest(t, req, http.StatusForbidden)
-
 }
diff --git a/integrations/org_test.go b/integrations/org_test.go
index f5a6d5e4d92c4..794475a9245d8 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -159,7 +159,7 @@ func TestOrgRestrictedUser(t *testing.T) {
 		teamToCreate.Permission, teamToCreate.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
 		teamToCreate.Permission, teamToCreate.Units, nil)
-	//teamID := apiTeam.ID
+	// teamID := apiTeam.ID
 
 	// Now we need to add the restricted user to the team
 	req = NewRequest(t, "PUT",
@@ -172,5 +172,4 @@ func TestOrgRestrictedUser(t *testing.T) {
 
 	req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s", orgName, repoName))
 	restrictedSession.MakeRequest(t, req, http.StatusOK)
-
 }
diff --git a/models/issue.go b/models/issue.go
index c61f699d92b1d..108d9b217afd8 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -1350,8 +1350,8 @@ func (opts *IssuesOptions) setupSession(sess *xorm.Session) {
 
 // issuePullAccessibleRepoCond userID must not be zero, this condition require join repository table
 func issuePullAccessibleRepoCond(repoIDstr string, userID int64, org *Organization, team *Team, isPull bool) builder.Cond {
-	var cond = builder.NewCond()
-	var unitType = unit.TypeIssues
+	cond := builder.NewCond()
+	unitType := unit.TypeIssues
 	if isPull {
 		unitType = unit.TypePullRequests
 	}
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 36dd19ec5f59a..9423e5c5f6954 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -60,7 +60,6 @@ type Version struct {
 // If you want to "retire" a migration, remove it from the top of the list and
 // update minDBVersion accordingly
 var migrations = []Migration{
-
 	// Gitea 1.5.0 ends at v69
 
 	// v70 -> v71
diff --git a/models/migrations/v206.go b/models/migrations/v206.go
index bb52aae219342..3837f6f24fa5d 100644
--- a/models/migrations/v206.go
+++ b/models/migrations/v206.go
@@ -26,5 +26,4 @@ func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
 	// migrate old permission
 	_, err := x.Exec("UPDATE team_unit SET access_mode = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
 	return err
-
 }
diff --git a/models/org.go b/models/org.go
index 11c4662ba2235..0ea2ce6886fd2 100644
--- a/models/org.go
+++ b/models/org.go
@@ -523,7 +523,7 @@ type FindOrgOptions struct {
 }
 
 func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder {
-	var cond = builder.Eq{"uid": userID}
+	cond := builder.Eq{"uid": userID}
 	if !includePrivate {
 		cond["is_public"] = true
 	}
@@ -531,7 +531,7 @@ func queryUserOrgIDs(userID int64, includePrivate bool) *builder.Builder {
 }
 
 func (opts FindOrgOptions) toConds() builder.Cond {
-	var cond = builder.NewCond()
+	cond := builder.NewCond()
 	if opts.UserID > 0 {
 		cond = cond.And(builder.In("`user`.`id`", queryUserOrgIDs(opts.UserID, opts.IncludePrivate)))
 	}
diff --git a/models/org_team.go b/models/org_team.go
index 3cf976353f75a..bce4afb0611b1 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -157,7 +157,7 @@ func (t *Team) GetUnitNames() (res []string) {
 
 // GetUnitsMap returns the team units permissions
 func (t *Team) GetUnitsMap() map[string]string {
-	var m = make(map[string]string)
+	m := make(map[string]string)
 	if t.AccessMode >= perm.AccessModeAdmin {
 		for _, u := range unit.Units {
 			m[u.NameKey] = t.AccessMode.String()
diff --git a/models/unit/unit.go b/models/unit/unit.go
index c9142e84510bc..abb3659efa6c5 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -310,7 +310,7 @@ func TypeFromKey(nameKey string) Type {
 
 // AllUnitKeyNames returns all unit key names
 func AllUnitKeyNames() []string {
-	var res = make([]string, 0, len(Units))
+	res := make([]string, 0, len(Units))
 	for _, u := range Units {
 		res = append(res, u.NameKey)
 	}
@@ -319,7 +319,7 @@ func AllUnitKeyNames() []string {
 
 // MinUnitAccessMode returns the minial permission of the permission map
 func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
-	var res = perm.AccessModeNone
+	res := perm.AccessModeNone
 	for _, mode := range unitsMap {
 		if mode > perm.AccessModeNone && mode < res {
 			res = mode
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index f3be88e919a32..3a4415c6fa8ef 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -51,7 +51,6 @@ func ListTeams(ctx *context.APIContext) {
 		ListOptions: utils.GetListOptions(ctx),
 		OrgID:       ctx.Org.Organization.ID,
 	})
-
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "LoadTeams", err)
 		return
@@ -164,7 +163,7 @@ func attachTeamUnits(team *models.Team, units []string) {
 }
 
 func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]perm.AccessMode {
-	var res = make(map[unit_model.Type]perm.AccessMode, len(unitsMap))
+	res := make(map[unit_model.Type]perm.AccessMode, len(unitsMap))
 	for unitKey, p := range unitsMap {
 		res[unit_model.TypeFromKey(unitKey)] = perm.ParseAccessMode(p)
 	}
@@ -208,7 +207,7 @@ func CreateTeam(ctx *context.APIContext) {
 	//     "$ref": "#/responses/validationError"
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
 
-	var p = perm.ParseAccessMode(form.Permission)
+	p := perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 		p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 	}
@@ -292,7 +291,7 @@ func EditTeam(ctx *context.APIContext) {
 	isIncludeAllChanged := false
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
-		var p = perm.ParseAccessMode(form.Permission)
+		p := perm.ParseAccessMode(form.Permission)
 		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 		}
@@ -748,5 +747,4 @@ func SearchTeam(ctx *context.APIContext) {
 		"ok":   true,
 		"data": apiTeams,
 	})
-
 }
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 78f9b147ec4db..493209bdc9654 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -226,7 +226,7 @@ func NewTeam(ctx *context.Context) {
 }
 
 func getUnitPerms(forms url.Values) map[unit_model.Type]perm.AccessMode {
-	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
+	unitPerms := make(map[unit_model.Type]perm.AccessMode)
 	for k, v := range forms {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
@@ -246,9 +246,9 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgTeams"] = true
 	ctx.Data["PageIsOrgTeamsNew"] = true
 	ctx.Data["Units"] = unit_model.Units
-	var includesAllRepositories = form.RepoAccess == "all"
-	var unitPerms = getUnitPerms(ctx.Req.Form)
-	var p = perm.ParseAccessMode(form.Permission)
+	includesAllRepositories := form.RepoAccess == "all"
+	unitPerms := getUnitPerms(ctx.Req.Form)
+	p := perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
 		// if p is less than admin accessmode, then it should be general accessmode,
 		// so we should calculate the minial accessmode from units accessmodes.
@@ -265,7 +265,7 @@ func NewTeamPost(ctx *context.Context) {
 	}
 
 	if t.AccessMode < perm.AccessModeAdmin {
-		var units = make([]*models.TeamUnit, 0, len(unitPerms))
+		units := make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
 				OrgID:      ctx.Org.Organization.ID,
@@ -345,11 +345,11 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	var unitPerms = getUnitPerms(ctx.Req.Form)
+	unitPerms := getUnitPerms(ctx.Req.Form)
 
 	isAuthChanged := false
 	isIncludeAllChanged := false
-	var includesAllRepositories = form.RepoAccess == "all"
+	includesAllRepositories := form.RepoAccess == "all"
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
 		newAccessMode := perm.ParseAccessMode(form.Permission)
@@ -372,7 +372,7 @@ func EditTeamPost(ctx *context.Context) {
 	}
 	t.Description = form.Description
 	if t.AccessMode < perm.AccessModeAdmin {
-		var units = make([]models.TeamUnit, 0, len(unitPerms))
+		units := make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
 				OrgID:      t.OrgID,

From 12ad6dd0e385fea277f5344d52865c9599232c22 Mon Sep 17 00:00:00 2001
From: Aravinth Manivannan <realaravinth@batsense.net>
Date: Tue, 4 Jan 2022 19:24:27 +0000
Subject: [PATCH 31/60] Integration test for migration (#18124)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

integrations: basic test for Gitea {dump,restore}-repo
This is a first step for integration testing of DumpRepository and
RestoreRepository. It:

runs a Gitea server,
dumps a repo via DumpRepository to the filesystem,
restores the repo via RestoreRepository from the filesystem,
dumps the restored repository to the filesystem,
compares the first and second dump and expects them to be identical

The verification is trivial and the goal is to add more tests for each
topic of the dump.

Signed-off-by: Loïc Dachary <loic@dachary.org>
---
 integrations/dump_restore_test.go | 104 ++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 integrations/dump_restore_test.go

diff --git a/integrations/dump_restore_test.go b/integrations/dump_restore_test.go
new file mode 100644
index 0000000000000..6fe5d8fe6a86c
--- /dev/null
+++ b/integrations/dump_restore_test.go
@@ -0,0 +1,104 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"context"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/services/migrations"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDumpRestore(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		AllowLocalNetworks := setting.Migrations.AllowLocalNetworks
+		setting.Migrations.AllowLocalNetworks = true
+		AppVer := setting.AppVer
+		// Gitea SDK (go-sdk) need to parse the AppVer from server response, so we must set it to a valid version string.
+		setting.AppVer = "1.16.0"
+		defer func() {
+			setting.Migrations.AllowLocalNetworks = AllowLocalNetworks
+			setting.AppVer = AppVer
+		}()
+
+		assert.NoError(t, migrations.Init())
+
+		reponame := "repo1"
+
+		basePath, err := os.MkdirTemp("", reponame)
+		assert.NoError(t, err)
+		defer util.RemoveAll(basePath)
+
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame}).(*repo_model.Repository)
+		repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID}).(*user_model.User)
+		session := loginUser(t, repoOwner.Name)
+		token := getTokenForLoggedInUser(t, session)
+
+		//
+		// Phase 1: dump repo1 from the Gitea instance to the filesystem
+		//
+
+		ctx := context.Background()
+		var opts = migrations.MigrateOptions{
+			GitServiceType: structs.GiteaService,
+			Issues:         true,
+			Comments:       true,
+			AuthToken:      token,
+			CloneAddr:      repo.CloneLink().HTTPS,
+			RepoName:       reponame,
+		}
+		err = migrations.DumpRepository(ctx, basePath, repoOwner.Name, opts)
+		assert.NoError(t, err)
+
+		//
+		// Verify desired side effects of the dump
+		//
+		d := filepath.Join(basePath, repo.OwnerName, repo.Name)
+		for _, f := range []string{"repo.yml", "topic.yml", "issue.yml"} {
+			assert.FileExists(t, filepath.Join(d, f))
+		}
+
+		//
+		// Phase 2: restore from the filesystem to the Gitea instance in restoredrepo
+		//
+
+		newreponame := "restoredrepo"
+		err = migrations.RestoreRepository(ctx, d, repo.OwnerName, newreponame, []string{"issues", "comments"})
+		assert.NoError(t, err)
+
+		newrepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: newreponame}).(*repo_model.Repository)
+
+		//
+		// Phase 3: dump restoredrepo from the Gitea instance to the filesystem
+		//
+		opts.RepoName = newreponame
+		opts.CloneAddr = newrepo.CloneLink().HTTPS
+		err = migrations.DumpRepository(ctx, basePath, repoOwner.Name, opts)
+		assert.NoError(t, err)
+
+		//
+		// Verify the dump of restoredrepo is the same as the dump of repo1
+		//
+		newd := filepath.Join(basePath, newrepo.OwnerName, newrepo.Name)
+		beforeBytes, err := os.ReadFile(filepath.Join(d, "repo.yml"))
+		assert.NoError(t, err)
+		before := strings.ReplaceAll(string(beforeBytes), reponame, newreponame)
+		after, err := os.ReadFile(filepath.Join(newd, "repo.yml"))
+		assert.NoError(t, err)
+		assert.EqualValues(t, before, string(after))
+	})
+}

From 8bc9da54f1cfc1bbbef1c5ccaa6cc2f762e94ac1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 11:57:36 +0800
Subject: [PATCH 32/60] Team permission allow different unit has different
 permission

---
 models/migrations/migrations.go |  2 ++
 models/migrations/v206.go       | 30 +++++++++++++++++++
 models/org_team.go              | 22 +++++++++++---
 models/repo_permission.go       |  7 +++--
 templates/org/team/new.tmpl     | 51 ++++++++++++++++++++++++---------
 5 files changed, 91 insertions(+), 21 deletions(-)
 create mode 100644 models/migrations/v206.go

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 4b720c3f02a4f..7a80ec7fc9122 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -365,6 +365,8 @@ var migrations = []Migration{
 	NewMigration("Add key is verified to ssh key", addSSHKeyIsVerified),
 	// v205 -> v206
 	NewMigration("Migrate to higher varchar on user struct", migrateUserPasswordSalt),
+	// v206 -> v207
+	NewMigration("Add column authorize column for team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/migrations/v206.go b/models/migrations/v206.go
new file mode 100644
index 0000000000000..3449bebbdf475
--- /dev/null
+++ b/models/migrations/v206.go
@@ -0,0 +1,30 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"xorm.io/xorm"
+)
+
+func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
+	type TeamUnit struct {
+		ID        int64 `xorm:"pk autoincr"`
+		OrgID     int64 `xorm:"INDEX"`
+		TeamID    int64 `xorm:"UNIQUE(s)"`
+		Type      int   `xorm:"UNIQUE(s)"`
+		Authorize int
+	}
+
+	if err := x.Sync2(new(TeamUnit)); err != nil {
+		return fmt.Errorf("sync2: %v", err)
+	}
+
+	// migrate old permission
+	_, err := x.Exec("UPDATE team_unit SET authorize = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
+	return err
+
+}
diff --git a/models/org_team.go b/models/org_team.go
index 7eac0f7bc52fe..ce270ca19942b 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -454,6 +454,19 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 	return t.unitEnabled(db.GetEngine(db.DefaultContext), tp)
 }
 
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+	if err := t.getUnits(e); err != nil {
+		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
+	}
+
+	for _, unit := range t.Units {
+		if unit.Type == tp {
+			return unit.Authorize
+		}
+	}
+	return AccessModeNone
+}
+
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
@@ -1033,10 +1046,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
 
 // TeamUnit describes all units of a repository
 type TeamUnit struct {
-	ID     int64     `xorm:"pk autoincr"`
-	OrgID  int64     `xorm:"INDEX"`
-	TeamID int64     `xorm:"UNIQUE(s)"`
-	Type   unit.Type `xorm:"UNIQUE(s)"`
+	ID        int64     `xorm:"pk autoincr"`
+	OrgID     int64     `xorm:"INDEX"`
+	TeamID    int64     `xorm:"UNIQUE(s)"`
+	Type      unit.Type `xorm:"UNIQUE(s)"`
+	Authorize AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 40b63aa804313..5bef6139913b6 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -249,10 +249,11 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 	for _, u := range repo.Units {
 		var found bool
 		for _, team := range teams {
-			if team.unitEnabled(e, u.Type) {
+			teamMode := team.unitAccessMode(e, u.Type)
+			if teamMode > AccessModeNone {
 				m := perm.UnitsMode[u.Type]
-				if m < team.Authorize {
-					perm.UnitsMode[u.Type] = team.Authorize
+				if m < teamMode {
+					perm.UnitsMode[u.Type] = teamMode
 				}
 				found = true
 			}
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 783e025ebdc08..000befe88cef9 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -81,21 +81,44 @@
 							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<br>
-								{{range $t, $unit := $.Units}}
-								{{if $unit.Type.UnitGlobalDisabled}}
-								<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-								{{else}}
-								<div class="field">
-								{{end}}
-									<div class="ui toggle checkbox">
-										<input type="checkbox" class="hidden" name="units" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-										<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-										<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
-									</div>
-								</div>
-								{{end}}
+								<table class="ui celled table">
+									<thead>
+										<tr><th>Unit</th><th>{{.i18n.Tr "org.teams.none_access"}}</th><th>{{.i18n.Tr "org.teams.read_access"}}</th><th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+									</thead>
+									<tbody>
+										{{range $t, $unit := $.Units}}
+										<tr><td>
+										{{if $unit.Type.UnitGlobalDisabled}}
+										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+										{{else}}
+										<div class="field">
+										{{end}}
+											<div class="ui">
+												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											</div>
+										</div>
+										</td>
+										<td>
+
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										{{end}}
+									</tbody>
+								</table>
 							</div>
-							<div class="ui divider"></div>
 						{{end}}
 
 						<div class="field">

From ecc65cf4bd3d7605fb08d849c3c9253f5796fb15 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 17:18:02 +0800
Subject: [PATCH 33/60] Finish the interface and the logic

---
 models/org_team.go              | 17 +++++---
 options/locale/locale_en-US.ini |  5 +++
 routers/web/org/teams.go        | 47 ++++++++++++++++-----
 services/forms/org.go           |  2 -
 templates/org/team/new.tmpl     | 74 ++++++++++++++++-----------------
 5 files changed, 87 insertions(+), 58 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index ce270ca19942b..4ced8ba65168f 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -454,30 +454,35 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 	return t.unitEnabled(db.GetEngine(db.DefaultContext), tp)
 }
 
-func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return unit.Authorize
+			return true
 		}
 	}
-	return AccessModeNone
+	return false
 }
 
-func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
+// UnitAccessMode returns if the team has the given unit type enabled
+func (t *Team) UnitAccessMode(tp unit.Type) AccessMode {
+	return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp)
+}
+
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return true
+			return unit.Authorize
 		}
 	}
-	return false
+	return AccessModeNone
 }
 
 // IsUsableTeamName tests if a name could be as team name
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 9164d5ffdceda..4b12b8e980e82 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,6 +2261,10 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
+teams.none_access = None
+teams.none_access_helper = Members can view or do any other action on this unit.
+teams.general_access = General Access
+teams.general_access_helper = Members permissions will be decided by below permission table.
 teams.read_access = Read Access
 teams.read_access_helper = Members can view and clone team repositories.
 teams.write_access = Write Access
@@ -2892,5 +2896,6 @@ error.probable_bad_signature = "WARNING! Although there is a key with this ID in
 error.probable_bad_default_signature = "WARNING! Although the default key has this ID it does not verify this commit! This commit is SUSPICIOUS."
 
 [units]
+unit = Unit
 error.no_unit_allowed_repo = You are not allowed to access any section of this repository.
 error.unit_not_allowed = You are not allowed to access this repository section.
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 40fba5cd09a4f..9cf2d85633395 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -9,11 +9,13 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"strconv"
 	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@@ -232,6 +234,16 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgTeamsNew"] = true
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
+	var unitPerms = make(map[unit.Type]models.AccessMode)
+	for k, v := range ctx.Req.Form {
+		if strings.HasPrefix(k, "unit_") {
+			t, _ := strconv.Atoi(k[5:])
+			if t > 0 {
+				vv, _ := strconv.Atoi(v[0])
+				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+			}
+		}
+	}
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
@@ -243,11 +255,12 @@ func NewTeamPost(ctx *context.Context) {
 	}
 
 	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+		var units = make([]*models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
+				OrgID:     ctx.Org.Organization.ID,
+				Type:      tp,
+				Authorize: perm,
 			})
 		}
 		t.Units = units
@@ -260,7 +273,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@@ -322,6 +335,17 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
+	var unitPerms = make(map[unit.Type]models.AccessMode)
+	for k, v := range ctx.Req.Form {
+		if strings.HasPrefix(k, "unit_") {
+			t, _ := strconv.Atoi(k[5:])
+			if t > 0 {
+				vv, _ := strconv.Atoi(v[0])
+				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+			}
+		}
+	}
+
 	isAuthChanged := false
 	isIncludeAllChanged := false
 	var includesAllRepositories = form.RepoAccess == "all"
@@ -342,12 +366,13 @@ func EditTeamPost(ctx *context.Context) {
 	}
 	t.Description = form.Description
 	if t.Authorize < perm.AccessModeOwner {
-		var units = make([]models.TeamUnit, 0, len(form.Units))
-		for _, tp := range form.Units {
+		var units = make([]models.TeamUnit, 0, len(unitPerms))
+		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
-				OrgID:  t.OrgID,
-				TeamID: t.ID,
-				Type:   tp,
+				OrgID:     t.OrgID,
+				TeamID:    t.ID,
+				Type:      tp,
+				Authorize: perm,
 			})
 		}
 		err := models.UpdateTeamUnits(t, units)
@@ -363,7 +388,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(form.Units) == 0 {
+	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
diff --git a/services/forms/org.go b/services/forms/org.go
index 7c8f17f95ee60..dec2dbfa6555a 100644
--- a/services/forms/org.go
+++ b/services/forms/org.go
@@ -8,7 +8,6 @@ package forms
 import (
 	"net/http"
 
-	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/web/middleware"
@@ -66,7 +65,6 @@ type CreateTeamForm struct {
 	TeamName         string `binding:"Required;AlphaDashDot;MaxSize(30)"`
 	Description      string `binding:"MaxSize(255)"`
 	Permission       string
-	Units            []unit.Type
 	RepoAccess       string
 	CanCreateOrgRepo bool
 }
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 000befe88cef9..559ff7f3596a6 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -56,16 +56,9 @@
 								<br>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="read" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1)}}checked{{end}}>
-										<label>{{.i18n.Tr "org.teams.read_access"}}</label>
-										<span class="help">{{.i18n.Tr "org.teams.read_access_helper"}}</span>
-									</div>
-								</div>
-								<div class="field">
-									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="write" {{if eq .Team.Authorize 2}}checked{{end}}>
-										<label>{{.i18n.Tr "org.teams.write_access"}}</label>
-										<span class="help">{{.i18n.Tr "org.teams.write_access_helper"}}</span>
+										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.Authorize}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1) (eq .Team.Authorize 2)}}checked{{end}}>
+										<label>{{.i18n.Tr "org.teams.general_access"}}</label>
+										<span class="help">{{.i18n.Tr "org.teams.general_access_helper"}}</span>
 									</div>
 								</div>
 								<div class="field">
@@ -80,41 +73,44 @@
 
 							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-								<br>
 								<table class="ui celled table">
 									<thead>
-										<tr><th>Unit</th><th>{{.i18n.Tr "org.teams.none_access"}}</th><th>{{.i18n.Tr "org.teams.read_access"}}</th><th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+										<tr><th>{{.i18n.Tr "units.unit"}}</th>
+										<th><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+										<th>{{.i18n.Tr "org.teams.read_access"}}</th>
+										<th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-										<tr><td>
-										{{if $unit.Type.UnitGlobalDisabled}}
-										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-										{{else}}
-										<div class="field">
-										{{end}}
-											<div class="ui">
-												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
-											</div>
-										</div>
-										</td>
-										<td>
-
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-											</div>
-										</td>
-										<td>
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-											</div>
-										</td>
-										<td>
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+										<tr>
+											<td>
+											{{if $unit.Type.UnitGlobalDisabled}}
+											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+											{{else}}
+											<div class="field">
+											{{end}}
+												<div class="ui">
+													<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+												</div>
 											</div>
-										</td>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+												</div>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+												</div>
+											</td>
+											<td>
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+												</div>
+											</td>
+										</tr>
 										{{end}}
 									</tbody>
 								</table>

From 7f03e0cc41b56495c5eedab31a4ff681f8b06b08 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:08:20 +0800
Subject: [PATCH 34/60] Fix lint

---
 routers/web/org/teams.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 9cf2d85633395..d9a686d5c7621 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -15,7 +15,6 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
-	"code.gitea.io/gitea/models/unit"
 	unit_model "code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
@@ -234,13 +233,13 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["PageIsOrgTeamsNew"] = true
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
-	var unitPerms = make(map[unit.Type]models.AccessMode)
+	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
 	for k, v := range ctx.Req.Form {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
 				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
 			}
 		}
 	}
@@ -335,13 +334,13 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	var unitPerms = make(map[unit.Type]models.AccessMode)
+	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
 	for k, v := range ctx.Req.Form {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
 				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit.Type(t)] = models.AccessMode(vv)
+				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
 			}
 		}
 	}

From 43808fc06d0f7af222f2a96ed7eb41686dbb767a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:09:28 +0800
Subject: [PATCH 35/60] Fix translation

---
 options/locale/locale_en-US.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 4b12b8e980e82..499d8a46caceb 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,7 +2261,7 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
-teams.none_access = None
+teams.none_access = None Access
 teams.none_access_helper = Members can view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.

From 1d1419cdb419d8bebdbbd86f33256d1c0de48c31 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:21:28 +0800
Subject: [PATCH 36/60] align center for table cell content

---
 templates/org/team/new.tmpl | 70 ++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 559ff7f3596a6..d9dbb7f8d5ec5 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -71,19 +71,19 @@
 							</div>
 							<div class="ui divider"></div>
 
-							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
-								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-								<table class="ui celled table">
-									<thead>
-										<tr><th>{{.i18n.Tr "units.unit"}}</th>
-										<th><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-										<th>{{.i18n.Tr "org.teams.read_access"}}</th>
-										<th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
-									</thead>
-									<tbody>
-										{{range $t, $unit := $.Units}}
-										<tr>
-											<td>
+						<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+							<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
+							<table class="ui celled table">
+								<thead>
+									<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+									<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+									<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
+									<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+								</thead>
+								<tbody>
+									{{range $t, $unit := $.Units}}
+									<tr>
+										<td>
 											{{if $unit.Type.UnitGlobalDisabled}}
 											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
 											{{else}}
@@ -94,28 +94,28 @@
 													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
 												</div>
 											</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-												</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-												</div>
-											</td>
-											<td>
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-												</div>
-											</td>
-										</tr>
-										{{end}}
-									</tbody>
-								</table>
-							</div>
-						{{end}}
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+											</div>
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+											</div>
+										</td>
+										<td class="center aligned">
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+											</div>
+										</td>
+									</tr>
+									{{end}}
+								</tbody>
+							</table>
+						</div>
+					{{end}}
 
 						<div class="field">
 							{{if .PageIsOrgTeamsNew}}

From d42a89d863e54c048e5115a95d5f2f75e73458da Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 19:24:59 +0800
Subject: [PATCH 37/60] Fix fixture

---
 models/fixtures/team_unit.yml | 47 ++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml
index 943745c000f9b..1d7be8d5d5935 100644
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@@ -2,223 +2,268 @@
   id: 1
   team_id: 1
   type: 1
+  authorize: 4
 
 -
   id: 2
   team_id: 1
   type: 2
+  authorize: 4
 
 -
   id: 3
   team_id: 1
   type: 3
+  authorize: 4
 
 -
   id: 4
   team_id: 1
   type: 4
+  authorize: 4
 
 -
   id: 5
   team_id: 1
   type: 5
+  authorize: 4
 
 -
   id: 6
   team_id: 1
   type: 6
+  authorize: 4
 
 -
   id: 7
   team_id: 1
   type: 7
+  authorize: 4
 
 -
   id: 8
   team_id: 2
   type: 1
+  authorize: 2
 
 -
   id: 9
   team_id: 2
   type: 2
+  authorize: 2
 
 -
   id: 10
   team_id: 2
   type: 3
+  authorize: 2
 
 -
   id: 11
   team_id: 2
   type: 4
+  authorize: 2
 
 -
   id: 12
   team_id: 2
   type: 5
+  authorize: 2
 
 -
   id: 13
   team_id: 2
   type: 6
+  authorize: 2
 
 -
   id: 14
   team_id: 2
   type: 7
+  authorize: 2
 
 -
   id: 15
   team_id: 3
   type: 1
+  authorize: 4
 
 -
   id: 16
   team_id: 3
   type: 2
+  authorize: 4
 
 -
   id: 17
   team_id: 3
   type: 3
+  authorize: 4
 
 -
   id: 18
   team_id: 3
   type: 4
+  authorize: 4
 
 -
   id: 19
   team_id: 3
   type: 5
+  authorize: 4
 
 -
   id: 20
   team_id: 3
   type: 6
+  authorize: 4
 
 -
   id: 21
   team_id: 3
   type: 7
+  authorize: 4
 
 -
   id: 22
   team_id: 4
   type: 1
+  authorize: 4
 
 -
   id: 23
   team_id: 4
   type: 2
+  authorize: 4
 
 -
   id: 24
   team_id: 4
   type: 3
+  authorize: 4
 
 -
   id: 25
   team_id: 4
   type: 4
+  authorize: 4
 
 -
   id: 26
   team_id: 4
   type: 5
+  authorize: 4
 
 -
   id: 27
   team_id: 4
   type: 6
+  authorize: 4
 
 -
   id: 28
   team_id: 4
   type: 7
+  authorize: 4
 
 -
   id: 29
   team_id: 5
   type: 1
+  authorize: 4
 
 -
   id: 30
   team_id: 5
   type: 2
+  authorize: 4
 
 -
   id: 31
   team_id: 5
   type: 3
+  authorize: 4
 
 -
   id: 32
   team_id: 5
   type: 4
+  authorize: 4
 
 -
   id: 33
   team_id: 5
   type: 5
+  authorize: 4
 
 -
   id: 34
   team_id: 5
   type: 6
+  authorize: 4
 
 -
   id: 35
   team_id: 5
   type: 7
+  authorize: 4
 
 -
   id: 36
   team_id: 6
   type: 1
+  authorize: 4
 
 -
   id: 37
   team_id: 6
   type: 2
+  authorize: 4
 
 -
   id: 38
   team_id: 6
   type: 3
+  authorize: 4
 
 -
   id: 39
   team_id: 6
   type: 4
+  authorize: 4
 
 -
   id: 40
   team_id: 6
   type: 5
+  authorize: 4
 
 -
   id: 41
   team_id: 6
   type: 6
+  authorize: 4
 
 -
   id: 42
   team_id: 6
   type: 7
+  authorize: 4
 
 -
   id: 43
   team_id: 7
   type: 2 # issues
+  authorize: 2
 
 -
   id: 44
   team_id: 8
   type: 2 # issues
+  authorize: 2
 
 -
   id: 45
   team_id: 9
-  type: 1 # code
\ No newline at end of file
+  type: 1 # code
+  authorize: 1
\ No newline at end of file

From 58f8f0e93d9cd738b78d68b28278adb852966c5f Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 25 Nov 2021 22:45:06 +0800
Subject: [PATCH 38/60] merge

---
 templates/org/team/new.tmpl | 88 ++++++++++++++++++-------------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index d9dbb7f8d5ec5..dd682cb09001c 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -71,51 +71,51 @@
 							</div>
 							<div class="ui divider"></div>
 
-						<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
-							<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
-							<table class="ui celled table">
-								<thead>
-									<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
-									<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-									<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
-									<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
-								</thead>
-								<tbody>
-									{{range $t, $unit := $.Units}}
-									<tr>
-										<td>
-											{{if $unit.Type.UnitGlobalDisabled}}
-											<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-											{{else}}
-											<div class="field">
-											{{end}}
-												<div class="ui">
-													<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-													<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
+								<table class="ui celled table">
+									<thead>
+										<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+										<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
+										<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
+										<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+									</thead>
+									<tbody>
+										{{range $t, $unit := $.Units}}
+										<tr>
+											<td>
+												{{if $unit.Type.UnitGlobalDisabled}}
+												<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+												{{else}}
+												<div class="field">
+												{{end}}
+													<div class="ui">
+														<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+														<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+													</div>
 												</div>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-											</div>
-										</td>
-										<td class="center aligned">
-											<div class="ui radio checkbox">
-												<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-											</div>
-										</td>
-									</tr>
-									{{end}}
-								</tbody>
-							</table>
-						</div>
-					{{end}}
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+												</div>
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
+												</div>
+											</td>
+											<td class="center aligned">
+												<div class="ui radio checkbox">
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+												</div>
+											</td>
+										</tr>
+										{{end}}
+									</tbody>
+								</table>
+							</div>
+						{{end}}
 
 						<div class="field">
 							{{if .PageIsOrgTeamsNew}}

From 24bccf4213fc6d318dd8b28faf895b75af07cf51 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 12:10:57 +0800
Subject: [PATCH 39/60] Fix test

---
 models/migrations/migrations.go |  2 +-
 models/unit/unit.go             | 34 +++++++++++++++------
 modules/structs/org_team.go     | 18 +++++++----
 options/locale/locale_en-US.ini |  4 +--
 routers/api/v1/org/team.go      | 54 +++++++++++++++++++++------------
 routers/web/org/teams.go        | 34 +++++++++------------
 6 files changed, 90 insertions(+), 56 deletions(-)

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 7a80ec7fc9122..36dd19ec5f59a 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -366,7 +366,7 @@ var migrations = []Migration{
 	// v205 -> v206
 	NewMigration("Migrate to higher varchar on user struct", migrateUserPasswordSalt),
 	// v206 -> v207
-	NewMigration("Add column authorize column for team_unit table", addAuthorizeColForTeamUnit),
+	NewMigration("Add authorize column to team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 0af4640b7a4b4..79a37254d6a78 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -17,14 +17,15 @@ type Type int
 
 // Enumerate all the unit types
 const (
-	TypeCode            Type = iota + 1 // 1 code
-	TypeIssues                          // 2 issues
-	TypePullRequests                    // 3 PRs
-	TypeReleases                        // 4 Releases
-	TypeWiki                            // 5 Wiki
-	TypeExternalWiki                    // 6 ExternalWiki
-	TypeExternalTracker                 // 7 ExternalTracker
-	TypeProjects                        // 8 Kanban board
+	TypeInvalid         Type = iota // 0 invalid
+	TypeCode                        // 1 code
+	TypeIssues                      // 2 issues
+	TypePullRequests                // 3 PRs
+	TypeReleases                    // 4 Releases
+	TypeWiki                        // 5 Wiki
+	TypeExternalWiki                // 6 ExternalWiki
+	TypeExternalTracker             // 7 ExternalTracker
+	TypeProjects                    // 8 Kanban board
 )
 
 // Value returns integer value for unit type
@@ -269,15 +270,30 @@ var (
 	}
 )
 
-// FindUnitTypes give the unit key name and return unit
+// FindUnitTypes give the unit key names and return unit
 func FindUnitTypes(nameKeys ...string) (res []Type) {
 	for _, key := range nameKeys {
+		var found bool
 		for t, u := range Units {
 			if strings.EqualFold(key, u.NameKey) {
 				res = append(res, t)
+				found = true
 				break
 			}
 		}
+		if !found {
+			res = append(res, TypeInvalid)
+		}
 	}
 	return
 }
+
+// UnitTypeFromKey give the unit key name and return unit
+func UnitTypeFromKey(nameKey string) Type {
+	for t, u := range Units {
+		if strings.EqualFold(nameKey, u.NameKey) {
+			return t
+		}
+	}
+	return TypeInvalid
+}
diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index 3b2c5e78391e0..9b5ea91105946 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -15,8 +15,10 @@ type Team struct {
 	// enum: none,read,write,admin,owner
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo bool              `json:"can_create_org_repo"`
 }
 
 // CreateTeamOption options for creating a team
@@ -28,8 +30,10 @@ type CreateTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo bool              `json:"can_create_org_repo"`
 }
 
 // EditTeamOption options for editing a team
@@ -41,6 +45,8 @@ type EditTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
-	Units            []string `json:"units"`
-	CanCreateOrgRepo *bool    `json:"can_create_org_repo"`
+	Units []string `json:"units"`
+	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
+	UnitsMap         map[string]string `json:"units_map"`
+	CanCreateOrgRepo *bool             `json:"can_create_org_repo"`
 }
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 499d8a46caceb..064d9ddbbe601 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -2261,8 +2261,8 @@ teams.leave = Leave
 teams.leave.detail = Leave %s?
 teams.can_create_org_repo = Create repositories
 teams.can_create_org_repo_helper = Members can create new repositories in organization. Creator will get administrator access to the new repository.
-teams.none_access = None Access
-teams.none_access_helper = Members can view or do any other action on this unit.
+teams.none_access = No Access
+teams.none_access_helper = Members cannot view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.
 teams.read_access = Read Access
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index d39125b0500e3..a8be3a9ae2046 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -6,6 +6,7 @@
 package org
 
 import (
+	"errors"
 	"net/http"
 
 	"code.gitea.io/gitea/models"
@@ -141,6 +142,29 @@ func GetTeam(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, convert.ToTeam(ctx.Org.Team))
 }
 
+func attachTeamUnits(team *models.Team, units []string) {
+	unitTypes := unit_model.FindUnitTypes(units...)
+	team.Units = make([]*models.TeamUnit, 0, len(units))
+	for _, tp := range unitTypes {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:     team.OrgID,
+			Type:      tp,
+			Authorize: team.Authorize,
+		})
+	}
+}
+
+func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
+	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
+	for unitKey, perm := range unitsMap {
+		team.Units = append(team.Units, &models.TeamUnit{
+			OrgID:     team.OrgID,
+			Type:      unit_model.UnitTypeFromKey(unitKey),
+			Authorize: perm.ParseAccessMode(perm),
+		})
+	}
+}
+
 // CreateTeam api for create a team
 func CreateTeam(ctx *context.APIContext) {
 	// swagger:operation POST /orgs/{org}/teams organization orgCreateTeam
@@ -175,17 +199,15 @@ func CreateTeam(ctx *context.APIContext) {
 		Authorize:               perm.ParseAccessMode(form.Permission),
 	}
 
-	unitTypes := unit_model.FindUnitTypes(form.Units...)
-
 	if team.Authorize < perm.AccessModeOwner {
-		var units = make([]*models.TeamUnit, 0, len(form.Units))
-		for _, tp := range unitTypes {
-			units = append(units, &models.TeamUnit{
-				OrgID: ctx.Org.Organization.ID,
-				Type:  tp,
-			})
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "getTeamUnits", errors.New("units permission should not be empty"))
+			return
 		}
-		team.Units = units
 	}
 
 	if err := models.NewTeam(team); err != nil {
@@ -261,16 +283,10 @@ func EditTeam(ctx *context.APIContext) {
 	}
 
 	if team.Authorize < perm.AccessModeOwner {
-		if len(form.Units) > 0 {
-			var units = make([]*models.TeamUnit, 0, len(form.Units))
-			unitTypes := unit_model.FindUnitTypes(form.Units...)
-			for _, tp := range unitTypes {
-				units = append(units, &models.TeamUnit{
-					OrgID: ctx.Org.Team.OrgID,
-					Type:  tp,
-				})
-			}
-			team.Units = units
+		if len(form.UnitsMap) > 0 {
+			attachTeamUnitsMap(team, form.UnitsMap)
+		} else if len(form.Units) > 0 {
+			attachTeamUnits(team, form.Units)
 		}
 	}
 
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index d9a686d5c7621..9153fb0138f31 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -225,16 +225,9 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }
 
-// NewTeamPost response for create new team
-func NewTeamPost(ctx *context.Context) {
-	form := web.GetForm(ctx).(*forms.CreateTeamForm)
-	ctx.Data["Title"] = ctx.Org.Organization.FullName
-	ctx.Data["PageIsOrgTeams"] = true
-	ctx.Data["PageIsOrgTeamsNew"] = true
-	ctx.Data["Units"] = unit_model.Units
-	var includesAllRepositories = form.RepoAccess == "all"
+func getUnitPerms(forms url.Values) map[unit_model.Type]perm.AccessMode {
 	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
-	for k, v := range ctx.Req.Form {
+	for k, v := range forms {
 		if strings.HasPrefix(k, "unit_") {
 			t, _ := strconv.Atoi(k[5:])
 			if t > 0 {
@@ -243,6 +236,18 @@ func NewTeamPost(ctx *context.Context) {
 			}
 		}
 	}
+	return unitPerms
+}
+
+// NewTeamPost response for create new team
+func NewTeamPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.CreateTeamForm)
+	ctx.Data["Title"] = ctx.Org.Organization.FullName
+	ctx.Data["PageIsOrgTeams"] = true
+	ctx.Data["PageIsOrgTeamsNew"] = true
+	ctx.Data["Units"] = unit_model.Units
+	var includesAllRepositories = form.RepoAccess == "all"
+	var unitPerms = getUnitPerms(ctx.Req.Form)
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
@@ -334,16 +339,7 @@ func EditTeamPost(ctx *context.Context) {
 	ctx.Data["Team"] = t
 	ctx.Data["Units"] = unit_model.Units
 
-	var unitPerms = make(map[unit_model.Type]perm.AccessMode)
-	for k, v := range ctx.Req.Form {
-		if strings.HasPrefix(k, "unit_") {
-			t, _ := strconv.Atoi(k[5:])
-			if t > 0 {
-				vv, _ := strconv.Atoi(v[0])
-				unitPerms[unit_model.Type(t)] = perm.AccessMode(vv)
-			}
-		}
-	}
+	var unitPerms = getUnitPerms(ctx.Req.Form)
 
 	isAuthChanged := false
 	isIncludeAllChanged := false

From 3f847a372207813121d668b74a4b6380d7360fe5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 12:13:17 +0800
Subject: [PATCH 40/60] Add deprecated

---
 modules/structs/org_team.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index 9b5ea91105946..bf18b4fc4be15 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -30,6 +30,7 @@ type CreateTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`
@@ -45,6 +46,7 @@ type EditTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`

From 910f9679fe72c34447eedec83cbb2ed3e0b3b827 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 27 Nov 2021 20:21:03 +0800
Subject: [PATCH 41/60] Improve code

---
 models/org_team.go         | 16 +---------------
 models/perm/access_mode.go | 16 ++++++++++++++++
 models/unit/unit.go        |  4 ++--
 routers/api/v1/org/team.go | 27 ++++++++++++++++++++++-----
 routers/web/org/teams.go   |  6 +++++-
 5 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index 4ced8ba65168f..d04885a2f0c95 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -151,11 +151,6 @@ func (t *Team) GetUnitNames() (res []string) {
 	return
 }
 
-// HasWriteAccess returns true if team has at least write level access mode.
-func (t *Team) HasWriteAccess() bool {
-	return t.Authorize >= perm.AccessModeWrite
-}
-
 // IsOwnerTeam returns true if team is owner team.
 func (t *Team) IsOwnerTeam() bool {
 	return t.Name == ownerTeamName
@@ -455,16 +450,7 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 }
 
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
-	if err := t.getUnits(e); err != nil {
-		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
-	}
-
-	for _, unit := range t.Units {
-		if unit.Type == tp {
-			return true
-		}
-	}
-	return false
+	return t.unitAccessMode(e, tp) > AccessModeNone
 }
 
 // UnitAccessMode returns if the team has the given unit type enabled
diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index f2c0a322a085f..fe14b7b4460b2 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -7,6 +7,7 @@ package perm
 import (
 	"fmt"
 
+	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/log"
 )
 
@@ -59,3 +60,18 @@ func ParseAccessMode(permission string) AccessMode {
 		return AccessModeRead
 	}
 }
+
+// MinUnitPerms returns the minial permission of the permission map
+func MinUnitPerms(unitsMap map[unit_model.Type]AccessMode) AccessMode {
+	var res = AccessModeNone
+	for _, mode := range unitsMap {
+		if mode > AccessModeNone {
+			if res == AccessModeNone {
+				res = mode
+			} else if mode < res {
+				res = mode
+			}
+		}
+	}
+	return res
+}
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 79a37254d6a78..d180b0165021c 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -288,8 +288,8 @@ func FindUnitTypes(nameKeys ...string) (res []Type) {
 	return
 }
 
-// UnitTypeFromKey give the unit key name and return unit
-func UnitTypeFromKey(nameKey string) Type {
+// TypeFromKey give the unit key name and return unit
+func TypeFromKey(nameKey string) Type {
 	for t, u := range Units {
 		if strings.EqualFold(nameKey, u.NameKey) {
 			return t
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index a8be3a9ae2046..4d9ff0cd7c44b 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -154,12 +154,20 @@ func attachTeamUnits(team *models.Team, units []string) {
 	}
 }
 
+func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]models.AccessMode {
+	var res = make(map[unit_model.Type]models.AccessMode, len(unitsMap))
+	for unitKey, perm := range unitsMap {
+		res[unit_model.TypeFromKey(unitKey)] = models.ParseAccessMode(perm)
+	}
+	return res
+}
+
 func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
 	for unitKey, perm := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:     team.OrgID,
-			Type:      unit_model.UnitTypeFromKey(unitKey),
+			Type:      unit_model.TypeFromKey(unitKey),
 			Authorize: perm.ParseAccessMode(perm),
 		})
 	}
@@ -190,13 +198,19 @@ func CreateTeam(ctx *context.APIContext) {
 	//   "422":
 	//     "$ref": "#/responses/validationError"
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
+
+	var p = perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeOwner {
+		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+	}
+
 	team := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.Name,
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		Authorize:               p,
 	}
 
 	if team.Authorize < perm.AccessModeOwner {
@@ -269,11 +283,14 @@ func EditTeam(ctx *context.APIContext) {
 	isIncludeAllChanged := false
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		var p = perm.ParseAccessMode(form.Permission)
+		if p < perm.AccessModeOwner {
+			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		}
 
-		if team.Authorize != auth {
+		if team.Authorize != p {
 			isAuthChanged = true
-			team.Authorize = auth
+			team.Authorize = p
 		}
 
 		if form.IncludesAllRepositories != nil {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 9153fb0138f31..7f4cf581f8730 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -248,12 +248,16 @@ func NewTeamPost(ctx *context.Context) {
 	ctx.Data["Units"] = unit_model.Units
 	var includesAllRepositories = form.RepoAccess == "all"
 	var unitPerms = getUnitPerms(ctx.Req.Form)
+	var p = perm.ParseAccessMode(form.Permission)
+	if p < perm.AccessModeOwner {
+		p = perm.MinUnitPerms(unitPerms)
+	}
 
 	t := &models.Team{
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               perm.ParseAccessMode(form.Permission),
+		Authorize:               p,
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}

From 1079027d5eacdf7d66b2c9196ff578f2a5ce4aa5 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 11:51:48 +0800
Subject: [PATCH 42/60] Add tooltip

---
 templates/org/team/new.tmpl | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index dd682cb09001c..a1fc9fde123d8 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -75,10 +75,17 @@
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<table class="ui celled table">
 									<thead>
-										<tr><th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
-										<th class="center aligned"><div data-content="{{.i18n.Tr "org.teams.none_access_helper"}}">{{.i18n.Tr "org.teams.none_access"}}</div></th>
-										<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}</th>
-										<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+										<tr>
+											<th class="center aligned">{{.i18n.Tr "units.unit"}}</th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.none_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.none_access_helper"}}"></i></th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.read_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.read_access_helper"}}"></i>
+											</th>
+											<th class="center aligned">{{.i18n.Tr "org.teams.write_access"}}
+											<i class="circle help icon link tooltip" data-content="{{.i18n.Tr "org.teams.write_access_helper"}}"></i>
+											</th>
+										</tr>
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
@@ -97,7 +104,7 @@
 											</td>
 											<td class="center aligned">
 												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
 												</div>
 											</td>
 											<td class="center aligned">
@@ -107,7 +114,7 @@
 											</td>
 											<td class="center aligned">
 												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
+													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
 												</div>
 											</td>
 										</tr>

From 827826ec44224545c110a598b2608254e9bc3a2a Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 12:05:16 +0800
Subject: [PATCH 43/60] Fix swagger

---
 templates/swagger/v1_json.tmpl | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 9438c41a29a66..83b1827ba7ab6 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -14049,6 +14049,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -14860,6 +14868,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -17453,6 +17469,14 @@
             "repo.projects",
             "repo.ext_wiki"
           ]
+        },
+        "units_map": {
+          "type": "object",
+          "additionalProperties": {
+            "type": "string"
+          },
+          "x-go-name": "UnitsMap",
+          "example": "{\"repo.code\":\"read\",\"repo.issues\":\"write\",\"repo.ext_issues\":\"none\",\"repo.wiki\":\"admin\",\"repo.pulls\":\"owner\",\"repo.releases\":\"none\",\"repo.projects\":\"none\",\"repo.ext_wiki\":\"none\"]"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -18945,4 +18969,4 @@
       "TOTPHeader": []
     }
   ]
-}
+}
\ No newline at end of file

From 12ea655c4703848d2c7c907a636cb4684ce8adcf Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 12:10:41 +0800
Subject: [PATCH 44/60] Fix newline

---
 templates/swagger/v1_json.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 83b1827ba7ab6..50ea3463a6203 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -18969,4 +18969,4 @@
       "TOTPHeader": []
     }
   ]
-}
\ No newline at end of file
+}

From 4209d4302aa573e071560f6cba4754b75df18584 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 28 Nov 2021 22:14:01 +0800
Subject: [PATCH 45/60] Fix tests

---
 integrations/api_team_test.go | 104 ++++++++++++++++++++++++++++------
 integrations/org_test.go      |   4 +-
 models/issue.go               |   2 +-
 models/org_team.go            |  11 +++-
 models/perm/access_mode.go    |   4 +-
 models/repo_permission.go     |   2 +-
 modules/convert/convert.go    |   1 +
 routers/api/v1/org/team.go    |  17 ++++--
 routers/web/org/teams.go      |   6 +-
 9 files changed, 121 insertions(+), 30 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index da22d40479760..4962cbcd9df50 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -67,9 +67,9 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	teamID := apiTeam.ID
 
 	// Edit team.
@@ -87,9 +87,9 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 
 	// Edit team Description only
 	editDescription = "first team"
@@ -98,17 +98,80 @@ func TestAPITeam(t *testing.T) {
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units)
+		teamToEdit.Permission, teamToEdit.Units, nil)
 
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
+	assert.NoError(t, teamRead.GetUnits())
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames())
+		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+
+	panic("")
+	// Delete team.
+	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
+	session.MakeRequest(t, req, http.StatusNoContent)
+	unittest.AssertNotExistsBean(t, &models.Team{ID: teamID})
+
+	// create team again via UnitsMap
+	// Create team.
+	teamToCreate = &api.CreateTeamOption{
+		Name:                    "team2",
+		Description:             "team two",
+		IncludesAllRepositories: true,
+		Permission:              "write",
+		UnitsMap:                map[string]string{"repo.code": "read", "repo.issues": "write", "repo.wiki": "none"},
+	}
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
+	resp = session.MakeRequest(t, req, http.StatusCreated)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+	teamID = apiTeam.ID
+
+	// Edit team.
+	editDescription = "team 1"
+	editFalse = false
+	teamToEdit = &api.EditTeamOption{
+		Name:                    "teamtwo",
+		Description:             &editDescription,
+		Permission:              "write",
+		IncludesAllRepositories: &editFalse,
+		UnitsMap:                map[string]string{"repo.code": "read", "repo.pulls": "read", "repo.releases": "write"},
+	}
+
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+
+	// Edit team Description only
+	editDescription = "second team"
+	teamToEditDesc = api.EditTeamOption{Description: &editDescription}
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
+		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+
+	// Read team.
+	teamRead = unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &apiTeam)
+	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
+		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
@@ -116,20 +179,27 @@ func TestAPITeam(t *testing.T) {
 	unittest.AssertNotExistsBean(t, &models.Team{ID: teamID})
 }
 
-func checkTeamResponse(t *testing.T, apiTeam *api.Team, name, description string, includesAllRepositories bool, permission string, units []string) {
-	assert.Equal(t, name, apiTeam.Name, "name")
-	assert.Equal(t, description, apiTeam.Description, "description")
-	assert.Equal(t, includesAllRepositories, apiTeam.IncludesAllRepositories, "includesAllRepositories")
-	assert.Equal(t, permission, apiTeam.Permission, "permission")
-	sort.StringSlice(units).Sort()
-	sort.StringSlice(apiTeam.Units).Sort()
-	assert.EqualValues(t, units, apiTeam.Units, "units")
+func checkTeamResponse(t *testing.T, apiTeam *api.Team, name, description string, includesAllRepositories bool, permission string, units []string, unitsMap map[string]string) {
+	t.Run(name+description, func(t *testing.T) {
+		assert.Equal(t, name, apiTeam.Name, "name")
+		assert.Equal(t, description, apiTeam.Description, "description")
+		assert.Equal(t, includesAllRepositories, apiTeam.IncludesAllRepositories, "includesAllRepositories")
+		assert.Equal(t, permission, apiTeam.Permission, "permission")
+		if units != nil {
+			sort.StringSlice(units).Sort()
+			sort.StringSlice(apiTeam.Units).Sort()
+			assert.EqualValues(t, units, apiTeam.Units, "units")
+		}
+		if unitsMap != nil {
+			assert.EqualValues(t, unitsMap, apiTeam.UnitsMap, "unitsMap")
+		}
+	})
 }
 
-func checkTeamBean(t *testing.T, id int64, name, description string, includesAllRepositories bool, permission string, units []string) {
+func checkTeamBean(t *testing.T, id int64, name, description string, includesAllRepositories bool, permission string, units []string, unitsMap map[string]string) {
 	team := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: id}).(*models.Team)
 	assert.NoError(t, team.GetUnits(), "GetUnits")
-	checkTeamResponse(t, convert.ToTeam(team), name, description, includesAllRepositories, permission, units)
+	checkTeamResponse(t, convert.ToTeam(team), name, description, includesAllRepositories, permission, units, unitsMap)
 }
 
 type TeamSearchResults struct {
diff --git a/integrations/org_test.go b/integrations/org_test.go
index e94e4ea74c1c3..f5a6d5e4d92c4 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -156,9 +156,9 @@ func TestOrgRestrictedUser(t *testing.T) {
 	resp := adminSession.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, teamToCreate.Units)
+		teamToCreate.Permission, teamToCreate.Units, nil)
 	//teamID := apiTeam.ID
 
 	// Now we need to add the restricted user to the team
diff --git a/models/issue.go b/models/issue.go
index f0040fbbc1af4..33fe8e91f027d 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_
 				unittype = unit.TypePullRequests
 			}
 			for _, team := range teams {
-				if team.Authorize >= perm.AccessModeOwner {
+				if team.Authorize >= perm.AccessModeAdmin {
 					checked = append(checked, team.ID)
 					resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true
 					continue
diff --git a/models/org_team.go b/models/org_team.go
index d04885a2f0c95..13c892695cecf 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -151,6 +151,15 @@ func (t *Team) GetUnitNames() (res []string) {
 	return
 }
 
+// GetUnitsMap returns the team units permissions
+func (t *Team) GetUnitsMap() map[string]string {
+	var m = make(map[string]string)
+	for _, u := range t.Units {
+		m[u.Unit().NameKey] = u.Authorize.String()
+	}
+	return m
+}
+
 // IsOwnerTeam returns true if team is owner team.
 func (t *Team) IsOwnerTeam() bool {
 	return t.Name == ownerTeamName
@@ -665,7 +674,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) {
 			Delete(new(TeamUnit)); err != nil {
 			return err
 		}
-		if _, err = sess.Cols("org_id", "team_id", "type").Insert(&t.Units); err != nil {
+		if _, err = sess.Cols("org_id", "team_id", "type", "authorize").Insert(&t.Units); err != nil {
 			return err
 		}
 	}
diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index fe14b7b4460b2..1ad5f5d4b0140 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -52,12 +52,14 @@ func (mode AccessMode) ColorFormat(s fmt.State) {
 // ParseAccessMode returns corresponding access mode to given permission string.
 func ParseAccessMode(permission string) AccessMode {
 	switch permission {
+	case "read":
+		return AccessModeRead
 	case "write":
 		return AccessModeWrite
 	case "admin":
 		return AccessModeAdmin
 	default:
-		return AccessModeRead
+		return AccessModeNone
 	}
 }
 
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 5bef6139913b6..242ba96b0e167 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 
 	// if user in an owner team
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeOwner {
+		if team.Authorize >= perm_model.AccessModeAdmin {
 			perm.AccessMode = perm_model.AccessModeOwner
 			perm.UnitsMode = nil
 			return
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index f2b62a74bf7c9..2466e0dfd2960 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -308,6 +308,7 @@ func ToTeam(team *models.Team) *api.Team {
 		CanCreateOrgRepo:        team.CanCreateOrgRepo,
 		Permission:              team.Authorize.String(),
 		Units:                   team.GetUnitNames(),
+		UnitsMap:                team.GetUnitsMap(),
 	}
 }
 
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 4d9ff0cd7c44b..766215533caad 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -113,6 +113,10 @@ func ListUserTeams(ctx *context.APIContext) {
 			apiOrg = convert.ToOrganization(org)
 			cache[teams[i].OrgID] = apiOrg
 		}
+		if err := teams[i].GetUnits(); err != nil {
+			ctx.Error(http.StatusInternalServerError, "teams[i].GetUnits()", err)
+			return
+		}
 		apiTeams[i] = convert.ToTeam(teams[i])
 		apiTeams[i].Organization = apiOrg
 	}
@@ -139,6 +143,11 @@ func GetTeam(ctx *context.APIContext) {
 	//   "200":
 	//     "$ref": "#/responses/Team"
 
+	if err := ctx.Org.Team.GetUnits(); err != nil {
+		ctx.Error(http.StatusInternalServerError, "team.GetUnits", err)
+		return
+	}
+
 	ctx.JSON(http.StatusOK, convert.ToTeam(ctx.Org.Team))
 }
 
@@ -200,7 +209,7 @@ func CreateTeam(ctx *context.APIContext) {
 	form := web.GetForm(ctx).(*api.CreateTeamOption)
 
 	var p = perm.ParseAccessMode(form.Permission)
-	if p < perm.AccessModeOwner {
+	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 	}
 
@@ -213,7 +222,7 @@ func CreateTeam(ctx *context.APIContext) {
 		Authorize:               p,
 	}
 
-	if team.Authorize < perm.AccessModeOwner {
+	if team.Authorize < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
@@ -284,7 +293,7 @@ func EditTeam(ctx *context.APIContext) {
 	if !team.IsOwnerTeam() && len(form.Permission) != 0 {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
-		if p < perm.AccessModeOwner {
+		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
 			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 		}
 
@@ -299,7 +308,7 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}
 
-	if team.Authorize < perm.AccessModeOwner {
+	if team.Authorize < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 7f4cf581f8730..fc6f324073452 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -249,7 +249,7 @@ func NewTeamPost(ctx *context.Context) {
 	var includesAllRepositories = form.RepoAccess == "all"
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
-	if p < perm.AccessModeOwner {
+	if p < perm.AccessModeAdmin {
 		p = perm.MinUnitPerms(unitPerms)
 	}
 
@@ -262,7 +262,7 @@ func NewTeamPost(ctx *context.Context) {
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}
 
-	if t.Authorize < perm.AccessModeOwner {
+	if t.Authorize < perm.AccessModeAdmin {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
@@ -364,7 +364,7 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < perm.AccessModeOwner {
+	if t.Authorize < perm.AccessModeAdmin {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{

From aed9f652356373c7ad6054f47e279fb87a76c966 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 30 Nov 2021 20:13:50 +0800
Subject: [PATCH 46/60] Fix tests

---
 integrations/api_team_test.go |  1 -
 models/org_team.go            | 10 +++++-----
 models/repo_permission.go     |  2 +-
 routers/api/v1/org/team.go    | 12 ++++++------
 4 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 4962cbcd9df50..4691b5deb0653 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -111,7 +111,6 @@ func TestAPITeam(t *testing.T) {
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
-	panic("")
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
 	session.MakeRequest(t, req, http.StatusNoContent)
diff --git a/models/org_team.go b/models/org_team.go
index 13c892695cecf..7687b4edbc6f4 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -459,15 +459,15 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 }
 
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
-	return t.unitAccessMode(e, tp) > AccessModeNone
+	return t.unitAccessMode(e, tp) > perm.AccessModeNone
 }
 
 // UnitAccessMode returns if the team has the given unit type enabled
-func (t *Team) UnitAccessMode(tp unit.Type) AccessMode {
+func (t *Team) UnitAccessMode(tp unit.Type) perm.AccessMode {
 	return t.unitAccessMode(db.GetEngine(db.DefaultContext), tp)
 }
 
-func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
 	}
@@ -477,7 +477,7 @@ func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
 			return unit.Authorize
 		}
 	}
-	return AccessModeNone
+	return perm.AccessModeNone
 }
 
 // IsUsableTeamName tests if a name could be as team name
@@ -1050,7 +1050,7 @@ type TeamUnit struct {
 	OrgID     int64     `xorm:"INDEX"`
 	TeamID    int64     `xorm:"UNIQUE(s)"`
 	Type      unit.Type `xorm:"UNIQUE(s)"`
-	Authorize AccessMode
+	Authorize perm.AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 242ba96b0e167..1eec972c11acd 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -250,7 +250,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 		var found bool
 		for _, team := range teams {
 			teamMode := team.unitAccessMode(e, u.Type)
-			if teamMode > AccessModeNone {
+			if teamMode > perm_model.AccessModeNone {
 				m := perm.UnitsMode[u.Type]
 				if m < teamMode {
 					perm.UnitsMode[u.Type] = teamMode
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 766215533caad..890b7a317cdb9 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -163,21 +163,21 @@ func attachTeamUnits(team *models.Team, units []string) {
 	}
 }
 
-func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]models.AccessMode {
-	var res = make(map[unit_model.Type]models.AccessMode, len(unitsMap))
-	for unitKey, perm := range unitsMap {
-		res[unit_model.TypeFromKey(unitKey)] = models.ParseAccessMode(perm)
+func convertUnitsMap(unitsMap map[string]string) map[unit_model.Type]perm.AccessMode {
+	var res = make(map[unit_model.Type]perm.AccessMode, len(unitsMap))
+	for unitKey, p := range unitsMap {
+		res[unit_model.TypeFromKey(unitKey)] = perm.ParseAccessMode(p)
 	}
 	return res
 }
 
 func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
-	for unitKey, perm := range unitsMap {
+	for unitKey, p := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:     team.OrgID,
 			Type:      unit_model.TypeFromKey(unitKey),
-			Authorize: perm.ParseAccessMode(perm),
+			Authorize: perm.ParseAccessMode(p),
 		})
 	}
 }

From 9884caf944e8077f84ca45cab5c0dd7243f35662 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 1 Dec 2021 14:01:56 +0800
Subject: [PATCH 47/60] Fix test

---
 integrations/api_team_test.go | 30 ++++++++++++++++++++----------
 models/org_team.go            | 14 ++++++++++++--
 models/unit/unit.go           |  9 +++++++++
 3 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 4691b5deb0653..d9aafcf7665d4 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/convert"
@@ -65,6 +66,7 @@ func TestAPITeam(t *testing.T) {
 	}
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
 	resp = session.MakeRequest(t, req, http.StatusCreated)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
 		teamToCreate.Permission, teamToCreate.Units, nil)
@@ -85,28 +87,31 @@ func TestAPITeam(t *testing.T) {
 
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 
 	// Edit team Description only
 	editDescription = "first team"
 	teamToEditDesc := api.EditTeamOption{Description: &editDescription}
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, teamToEdit.Units, nil)
+		teamToEdit.Permission, unit.AllUnitKeyNames(), nil)
 
 	// Read team.
 	teamRead := unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
 	assert.NoError(t, teamRead.GetUnits())
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
@@ -127,11 +132,12 @@ func TestAPITeam(t *testing.T) {
 	}
 	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", org.Name, token), teamToCreate)
 	resp = session.MakeRequest(t, req, http.StatusCreated)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+		"read", nil, teamToCreate.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
-		teamToCreate.Permission, nil, teamToCreate.UnitsMap)
+		"read", nil, teamToCreate.UnitsMap)
 	teamID = apiTeam.ID
 
 	// Edit team.
@@ -147,28 +153,32 @@ func TestAPITeam(t *testing.T) {
 
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEdit)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEdit.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 
 	// Edit team Description only
 	editDescription = "second team"
 	teamToEditDesc = api.EditTeamOption{Description: &editDescription}
 	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/teams/%d?token=%s", teamID, token), teamToEditDesc)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 	checkTeamBean(t, apiTeam.ID, teamToEdit.Name, *teamToEditDesc.Description, *teamToEdit.IncludesAllRepositories,
-		teamToEdit.Permission, nil, teamToEdit.UnitsMap)
+		"read", nil, teamToEdit.UnitsMap)
 
 	// Read team.
 	teamRead = unittest.AssertExistsAndLoadBean(t, &models.Team{ID: teamID}).(*models.Team)
 	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamID)
 	resp = session.MakeRequest(t, req, http.StatusOK)
+	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
+	assert.NoError(t, teamRead.GetUnits())
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
 		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
diff --git a/models/org_team.go b/models/org_team.go
index 7687b4edbc6f4..595f2a6a3f643 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -145,6 +145,10 @@ func (t *Team) getUnits(e db.Engine) (err error) {
 
 // GetUnitNames returns the team units names
 func (t *Team) GetUnitNames() (res []string) {
+	if t.Authorize >= perm.AccessModeAdmin {
+		return unit.AllUnitKeyNames()
+	}
+
 	for _, u := range t.Units {
 		res = append(res, unit.Units[u.Type].NameKey)
 	}
@@ -154,8 +158,14 @@ func (t *Team) GetUnitNames() (res []string) {
 // GetUnitsMap returns the team units permissions
 func (t *Team) GetUnitsMap() map[string]string {
 	var m = make(map[string]string)
-	for _, u := range t.Units {
-		m[u.Unit().NameKey] = u.Authorize.String()
+	if t.Authorize >= perm.AccessModeAdmin {
+		for _, u := range unit.Units {
+			m[u.NameKey] = t.Authorize.String()
+		}
+	} else {
+		for _, u := range t.Units {
+			m[u.Unit().NameKey] = u.Authorize.String()
+		}
 	}
 	return m
 }
diff --git a/models/unit/unit.go b/models/unit/unit.go
index d180b0165021c..c3f506b724c71 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -297,3 +297,12 @@ func TypeFromKey(nameKey string) Type {
 	}
 	return TypeInvalid
 }
+
+// AllUnitKeyNames returns all unit key names
+func AllUnitKeyNames() []string {
+	var res = make([]string, 0, len(Units))
+	for _, u := range Units {
+		res = append(res, u.NameKey)
+	}
+	return res
+}

From 85d952d868fda4c0cd77135ca32c1f2923648793 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 1 Dec 2021 15:14:04 +0800
Subject: [PATCH 48/60] Fix test

---
 integrations/api_repo_teams_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/integrations/api_repo_teams_test.go b/integrations/api_repo_teams_test.go
index 07a8b9418e1eb..a3baeba63c804 100644
--- a/integrations/api_repo_teams_test.go
+++ b/integrations/api_repo_teams_test.go
@@ -10,9 +10,11 @@ import (
 	"testing"
 
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -36,7 +38,7 @@ func TestAPIRepoTeams(t *testing.T) {
 	if assert.Len(t, teams, 2) {
 		assert.EqualValues(t, "Owners", teams[0].Name)
 		assert.False(t, teams[0].CanCreateOrgRepo)
-		assert.EqualValues(t, []string{"repo.code", "repo.issues", "repo.pulls", "repo.releases", "repo.wiki", "repo.ext_wiki", "repo.ext_issues"}, teams[0].Units)
+		assert.True(t, util.IsEqualSlice(unit.AllUnitKeyNames(), teams[0].Units), fmt.Sprintf("%v == %v", unit.AllUnitKeyNames(), teams[0].Units))
 		assert.EqualValues(t, "owner", teams[0].Permission)
 
 		assert.EqualValues(t, "test_team", teams[1].Name)

From 034630fe0096ffb0336aac386ca281c57108375b Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 2 Dec 2021 15:51:14 +0800
Subject: [PATCH 49/60] Max permission of external wiki and issues should be
 read

---
 models/perm/access_mode.go  | 16 ----------
 models/unit/unit.go         | 35 ++++++++++++++++++----
 routers/api/v1/org/team.go  |  4 +--
 routers/web/org/teams.go    |  2 +-
 templates/org/team/new.tmpl | 58 +++++++++++++++++++------------------
 5 files changed, 63 insertions(+), 52 deletions(-)

diff --git a/models/perm/access_mode.go b/models/perm/access_mode.go
index 1ad5f5d4b0140..dfa7f7b7524a1 100644
--- a/models/perm/access_mode.go
+++ b/models/perm/access_mode.go
@@ -7,7 +7,6 @@ package perm
 import (
 	"fmt"
 
-	unit_model "code.gitea.io/gitea/models/unit"
 	"code.gitea.io/gitea/modules/log"
 )
 
@@ -62,18 +61,3 @@ func ParseAccessMode(permission string) AccessMode {
 		return AccessModeNone
 	}
 }
-
-// MinUnitPerms returns the minial permission of the permission map
-func MinUnitPerms(unitsMap map[unit_model.Type]AccessMode) AccessMode {
-	var res = AccessModeNone
-	for _, mode := range unitsMap {
-		if mode > AccessModeNone {
-			if res == AccessModeNone {
-				res = mode
-			} else if mode < res {
-				res = mode
-			}
-		}
-	}
-	return res
-}
diff --git a/models/unit/unit.go b/models/unit/unit.go
index c3f506b724c71..8e41beef2aa7d 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"strings"
 
+	"code.gitea.io/gitea/models/perm"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 )
@@ -171,11 +172,12 @@ func (u *Type) CanBeDefault() bool {
 
 // Unit is a section of one repository
 type Unit struct {
-	Type    Type
-	NameKey string
-	URI     string
-	DescKey string
-	Idx     int
+	Type     Type
+	NameKey  string
+	URI      string
+	DescKey  string
+	Idx      int
+	MaxPerms perm.AccessMode
 }
 
 // CanDisable returns if this unit could be disabled.
@@ -199,6 +201,7 @@ var (
 		"/",
 		"repo.code.desc",
 		0,
+		perm.AccessModeOwner,
 	}
 
 	UnitIssues = Unit{
@@ -207,6 +210,7 @@ var (
 		"/issues",
 		"repo.issues.desc",
 		1,
+		perm.AccessModeOwner,
 	}
 
 	UnitExternalTracker = Unit{
@@ -215,6 +219,7 @@ var (
 		"/issues",
 		"repo.ext_issues.desc",
 		1,
+		perm.AccessModeRead,
 	}
 
 	UnitPullRequests = Unit{
@@ -223,6 +228,7 @@ var (
 		"/pulls",
 		"repo.pulls.desc",
 		2,
+		perm.AccessModeOwner,
 	}
 
 	UnitReleases = Unit{
@@ -231,6 +237,7 @@ var (
 		"/releases",
 		"repo.releases.desc",
 		3,
+		perm.AccessModeOwner,
 	}
 
 	UnitWiki = Unit{
@@ -239,6 +246,7 @@ var (
 		"/wiki",
 		"repo.wiki.desc",
 		4,
+		perm.AccessModeOwner,
 	}
 
 	UnitExternalWiki = Unit{
@@ -247,6 +255,7 @@ var (
 		"/wiki",
 		"repo.ext_wiki.desc",
 		4,
+		perm.AccessModeRead,
 	}
 
 	UnitProjects = Unit{
@@ -255,6 +264,7 @@ var (
 		"/projects",
 		"repo.projects.desc",
 		5,
+		perm.AccessModeOwner,
 	}
 
 	// Units contains all the units
@@ -306,3 +316,18 @@ func AllUnitKeyNames() []string {
 	}
 	return res
 }
+
+// MinUnitPerms returns the minial permission of the permission map
+func MinUnitPerms(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
+	var res = perm.AccessModeNone
+	for _, mode := range unitsMap {
+		if mode > perm.AccessModeNone {
+			if res == perm.AccessModeNone {
+				res = mode
+			} else if mode < res {
+				res = mode
+			}
+		}
+	}
+	return res
+}
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 890b7a317cdb9..08392c6aa679f 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -210,7 +210,7 @@ func CreateTeam(ctx *context.APIContext) {
 
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-		p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 	}
 
 	team := &models.Team{
@@ -294,7 +294,7 @@ func EditTeam(ctx *context.APIContext) {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
 		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-			p = perm.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+			p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
 		}
 
 		if team.Authorize != p {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index fc6f324073452..28d06367d03a6 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,7 +250,7 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
-		p = perm.MinUnitPerms(unitPerms)
+		p = unit_model.MinUnitPerms(unitPerms)
 	}
 
 	t := &models.Team{
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index a1fc9fde123d8..4562db988b42d 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -89,35 +89,37 @@
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-										<tr>
-											<td>
-												{{if $unit.Type.UnitGlobalDisabled}}
-												<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-												{{else}}
-												<div class="field">
-												{{end}}
-													<div class="ui">
-														<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-														<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											<tr>
+												<td>
+													{{if $unit.Type.UnitGlobalDisabled}}
+													<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+													{{else}}
+													<div class="field">
+													{{end}}
+														<div class="ui">
+															<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+															<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+														</div>
 													</div>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}}>
-												</div>
-											</td>
-											<td class="center aligned">
-												<div class="ui radio checkbox">
-													<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}}>
-												</div>
-											</td>
-										</tr>
+												</td>
+												<td class="center aligned">
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+													</div>
+												</td>
+												<td class="center aligned">
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+													</div>
+												</td>
+												<td class="center aligned">
+													{{if ge $unit.MaxPerms 2}}
+													<div class="ui radio checkbox">
+														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+													</div>
+													{{end}}
+												</td>
+											</tr>
 										{{end}}
 									</tbody>
 								</table>

From e21c4493523269f05c20905a8244aee43b35acd2 Mon Sep 17 00:00:00 2001
From: Lauris BH <lauris@nix.lv>
Date: Fri, 3 Dec 2021 22:56:27 +0200
Subject: [PATCH 50/60] Move team units with limited max level below units
 table

* Update label and column names
---
 options/locale/locale_en-US.ini |  8 ++--
 templates/org/team/new.tmpl     | 75 ++++++++++++++++++++-------------
 2 files changed, 49 insertions(+), 34 deletions(-)

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 064d9ddbbe601..7a3dbd50a812c 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -1099,7 +1099,7 @@ commits.signed_by_untrusted_user_unmatched = Signed by untrusted user who does n
 commits.gpg_key_id = GPG Key ID
 commits.ssh_key_fingerprint = SSH Key Fingerprint
 
-ext_issues = Ext. Issues
+ext_issues = Access to External Issues
 ext_issues.desc = Link to an external issue tracker.
 
 projects = Projects
@@ -1579,7 +1579,7 @@ signing.wont_sign.commitssigned = The merge will not be signed as all the associ
 signing.wont_sign.approved = The merge will not be signed as the PR is not approved
 signing.wont_sign.not_signed_in = You are not signed in
 
-ext_wiki = Ext. Wiki
+ext_wiki = Access to External Wiki
 ext_wiki.desc = Link to an external wiki.
 
 wiki = Wiki
@@ -2265,9 +2265,9 @@ teams.none_access = No Access
 teams.none_access_helper = Members cannot view or do any other action on this unit.
 teams.general_access = General Access
 teams.general_access_helper = Members permissions will be decided by below permission table.
-teams.read_access = Read Access
+teams.read_access = Read
 teams.read_access_helper = Members can view and clone team repositories.
-teams.write_access = Write Access
+teams.write_access = Write
 teams.write_access_helper = Members can read and push to team repositories.
 teams.admin_access = Administrator Access
 teams.admin_access_helper = Members can pull and push to team repositories and add collaborators to them.
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 4562db988b42d..1d231c0100044 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -89,40 +89,55 @@
 									</thead>
 									<tbody>
 										{{range $t, $unit := $.Units}}
-											<tr>
-												<td>
-													{{if $unit.Type.UnitGlobalDisabled}}
-													<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-													{{else}}
-													<div class="field">
-													{{end}}
-														<div class="ui">
-															<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-															<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											{{if ge $unit.MaxPerms 2}}
+												<tr>
+													<td>
+														{{if $unit.Type.UnitGlobalDisabled}}
+														<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+														{{else}}
+														<div class="field">
+														{{end}}
+															<div class="ui">
+																<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+																<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+															</div>
 														</div>
-													</div>
-												</td>
-												<td class="center aligned">
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
-													</div>
-												</td>
-												<td class="center aligned">
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
-													</div>
-												</td>
-												<td class="center aligned">
-													{{if ge $unit.MaxPerms 2}}
-													<div class="ui radio checkbox">
-														<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
-													</div>
-													{{end}}
-												</td>
-											</tr>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="0"{{if or ($unit.Type.UnitGlobalDisabled) (eq ($.Team.UnitAccessMode $unit.Type) 0)}} checked{{end}}>
+														</div>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+														</div>
+													</td>
+													<td class="center aligned">
+														<div class="ui radio checkbox">
+															<input type="radio" class="hidden" name="unit_{{$unit.Type.Value}}" value="2"{{if (eq ($.Team.UnitAccessMode $unit.Type) 2)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+														</div>
+													</td>
+												</tr>
+											{{end}}
 										{{end}}
 									</tbody>
 								</table>
+								{{range $t, $unit := $.Units}}
+									{{if lt $unit.MaxPerms 2}}
+										{{if $unit.Type.UnitGlobalDisabled}}
+										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+										{{else}}
+										<div class="field">
+										{{end}}
+											<div class="ui checkbox">
+												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
+												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											</div>
+										</div>
+									{{end}}
+								{{end}}
 							</div>
 						{{end}}
 

From 445588939fb844dbfbcfd03cbc7e43597949f800 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 6 Dec 2021 19:24:27 +0800
Subject: [PATCH 51/60] Some improvements

---
 models/org_team.go          | 14 +++++++-------
 models/unit/unit.go         | 24 ++++++++++--------------
 routers/api/v1/org/team.go  | 16 ++++++++--------
 routers/web/org/teams.go    | 16 ++++++++--------
 templates/org/team/new.tmpl | 13 +++----------
 5 files changed, 36 insertions(+), 47 deletions(-)

diff --git a/models/org_team.go b/models/org_team.go
index 595f2a6a3f643..9094cc8bb913b 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -164,7 +164,7 @@ func (t *Team) GetUnitsMap() map[string]string {
 		}
 	} else {
 		for _, u := range t.Units {
-			m[u.Unit().NameKey] = u.Authorize.String()
+			m[u.Unit().NameKey] = u.AccessMode.String()
 		}
 	}
 	return m
@@ -484,7 +484,7 @@ func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) perm.AccessMode {
 
 	for _, unit := range t.Units {
 		if unit.Type == tp {
-			return unit.Authorize
+			return unit.AccessMode
 		}
 	}
 	return perm.AccessModeNone
@@ -1056,11 +1056,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
 
 // TeamUnit describes all units of a repository
 type TeamUnit struct {
-	ID        int64     `xorm:"pk autoincr"`
-	OrgID     int64     `xorm:"INDEX"`
-	TeamID    int64     `xorm:"UNIQUE(s)"`
-	Type      unit.Type `xorm:"UNIQUE(s)"`
-	Authorize perm.AccessMode
+	ID         int64     `xorm:"pk autoincr"`
+	OrgID      int64     `xorm:"INDEX"`
+	TeamID     int64     `xorm:"UNIQUE(s)"`
+	Type       unit.Type `xorm:"UNIQUE(s)"`
+	AccessMode perm.AccessMode
 }
 
 // Unit returns Unit
diff --git a/models/unit/unit.go b/models/unit/unit.go
index 8e41beef2aa7d..c8ae811650587 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -172,12 +172,12 @@ func (u *Type) CanBeDefault() bool {
 
 // Unit is a section of one repository
 type Unit struct {
-	Type     Type
-	NameKey  string
-	URI      string
-	DescKey  string
-	Idx      int
-	MaxPerms perm.AccessMode
+	Type          Type
+	NameKey       string
+	URI           string
+	DescKey       string
+	Idx           int
+	MaxAccessMode perm.AccessMode // The max access mode of the unit. i.e. Read means this unit can only be read.
 }
 
 // CanDisable returns if this unit could be disabled.
@@ -317,16 +317,12 @@ func AllUnitKeyNames() []string {
 	return res
 }
 
-// MinUnitPerms returns the minial permission of the permission map
-func MinUnitPerms(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
+// MinUnitAccessMode returns the minial permission of the permission map
+func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	var res = perm.AccessModeNone
 	for _, mode := range unitsMap {
-		if mode > perm.AccessModeNone {
-			if res == perm.AccessModeNone {
-				res = mode
-			} else if mode < res {
-				res = mode
-			}
+		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
+			res = mode
 		}
 	}
 	return res
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 08392c6aa679f..1e81b669664cc 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -156,9 +156,9 @@ func attachTeamUnits(team *models.Team, units []string) {
 	team.Units = make([]*models.TeamUnit, 0, len(units))
 	for _, tp := range unitTypes {
 		team.Units = append(team.Units, &models.TeamUnit{
-			OrgID:     team.OrgID,
-			Type:      tp,
-			Authorize: team.Authorize,
+			OrgID:      team.OrgID,
+			Type:       tp,
+			AccessMode: team.Authorize,
 		})
 	}
 }
@@ -175,9 +175,9 @@ func attachTeamUnitsMap(team *models.Team, unitsMap map[string]string) {
 	team.Units = make([]*models.TeamUnit, 0, len(unitsMap))
 	for unitKey, p := range unitsMap {
 		team.Units = append(team.Units, &models.TeamUnit{
-			OrgID:     team.OrgID,
-			Type:      unit_model.TypeFromKey(unitKey),
-			Authorize: perm.ParseAccessMode(p),
+			OrgID:      team.OrgID,
+			Type:       unit_model.TypeFromKey(unitKey),
+			AccessMode: perm.ParseAccessMode(p),
 		})
 	}
 }
@@ -210,7 +210,7 @@ func CreateTeam(ctx *context.APIContext) {
 
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-		p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+		p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 	}
 
 	team := &models.Team{
@@ -294,7 +294,7 @@ func EditTeam(ctx *context.APIContext) {
 		// Validate permission level.
 		var p = perm.ParseAccessMode(form.Permission)
 		if p < perm.AccessModeAdmin && len(form.UnitsMap) > 0 {
-			p = unit_model.MinUnitPerms(convertUnitsMap(form.UnitsMap))
+			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 		}
 
 		if team.Authorize != p {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index 28d06367d03a6..ab7f32b060cd0 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,7 +250,7 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
-		p = unit_model.MinUnitPerms(unitPerms)
+		p = unit_model.MinUnitAccessMode(unitPerms)
 	}
 
 	t := &models.Team{
@@ -266,9 +266,9 @@ func NewTeamPost(ctx *context.Context) {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
-				OrgID:     ctx.Org.Organization.ID,
-				Type:      tp,
-				Authorize: perm,
+				OrgID:      ctx.Org.Organization.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
 		t.Units = units
@@ -368,10 +368,10 @@ func EditTeamPost(ctx *context.Context) {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
-				OrgID:     t.OrgID,
-				TeamID:    t.ID,
-				Type:      tp,
-				Authorize: perm,
+				OrgID:      t.OrgID,
+				TeamID:     t.ID,
+				Type:       tp,
+				AccessMode: perm,
 			})
 		}
 		err := models.UpdateTeamUnits(t, units)
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 1d231c0100044..66674241484db 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -92,11 +92,7 @@
 											{{if ge $unit.MaxPerms 2}}
 												<tr>
 													<td>
-														{{if $unit.Type.UnitGlobalDisabled}}
-														<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-														{{else}}
-														<div class="field">
-														{{end}}
+														<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">{{- else -}}class="field"{{end}}>
 															<div class="ui">
 																<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
 																<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
@@ -125,11 +121,8 @@
 								</table>
 								{{range $t, $unit := $.Units}}
 									{{if lt $unit.MaxPerms 2}}
-										{{if $unit.Type.UnitGlobalDisabled}}
-										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-										{{else}}
-										<div class="field">
-										{{end}}
+										
+										<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}"{{else}}class="field"{{end}}>
 											<div class="ui checkbox">
 												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>
 												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>

From 35eafb153ceb3387b6b398711943dd848157883d Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 6 Dec 2021 22:00:46 +0800
Subject: [PATCH 52/60] Fix lint

---
 templates/org/team/new.tmpl | 1 -
 1 file changed, 1 deletion(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index 66674241484db..cbb58d262d5bb 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -121,7 +121,6 @@
 								</table>
 								{{range $t, $unit := $.Units}}
 									{{if lt $unit.MaxPerms 2}}
-										
 										<div {{if $unit.Type.UnitGlobalDisabled}}class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}"{{else}}class="field"{{end}}>
 											<div class="ui checkbox">
 												<input type="checkbox" class="hidden" name="unit_{{$unit.Type.Value}}" value="1"{{if or (eq $.Team.ID 0) (eq ($.Team.UnitAccessMode $unit.Type) 1)}} checked{{end}} {{if $unit.Type.UnitGlobalDisabled}}disabled{{end}}>

From 45962e430f539569567c123a6220ee4fe3d813e9 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 8 Dec 2021 22:47:38 +0800
Subject: [PATCH 53/60] Some improvements

---
 integrations/api_team_test.go     |  4 ++--
 models/access.go                  |  8 ++++----
 models/issue.go                   |  2 +-
 models/org.go                     |  2 +-
 models/org_team.go                | 10 +++++-----
 models/org_team_test.go           |  2 +-
 models/repo_permission.go         |  4 ++--
 models/review.go                  |  2 +-
 modules/context/org.go            |  2 +-
 modules/convert/convert.go        |  2 +-
 modules/repository/create_test.go |  8 ++++----
 routers/api/v1/org/team.go        | 12 ++++++------
 routers/web/org/teams.go          | 23 +++++++++++++++--------
 13 files changed, 44 insertions(+), 37 deletions(-)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index d9aafcf7665d4..21263069bb211 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -114,7 +114,7 @@ func TestAPITeam(t *testing.T) {
 	apiTeam = api.Team{}
 	DecodeJSON(t, resp, &apiTeam)
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
@@ -180,7 +180,7 @@ func TestAPITeam(t *testing.T) {
 	DecodeJSON(t, resp, &apiTeam)
 	assert.NoError(t, teamRead.GetUnits())
 	checkTeamResponse(t, &apiTeam, teamRead.Name, *teamToEditDesc.Description, teamRead.IncludesAllRepositories,
-		teamRead.Authorize.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
+		teamRead.AccessMode.String(), teamRead.GetUnitNames(), teamRead.GetUnitsMap())
 
 	// Delete team.
 	req = NewRequestf(t, "DELETE", "/api/v1/teams/%d?token="+token, teamID)
diff --git a/models/access.go b/models/access.go
index 6a97bcffcf7b5..48b65c2c0f605 100644
--- a/models/access.go
+++ b/models/access.go
@@ -162,7 +162,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
 		// Owner team gets owner access, and skip for teams that do not
 		// have relations with repository.
 		if t.IsOwnerTeam() {
-			t.Authorize = perm.AccessModeOwner
+			t.AccessMode = perm.AccessModeOwner
 		} else if !t.hasRepository(e, repo.ID) {
 			continue
 		}
@@ -171,7 +171,7 @@ func recalculateTeamAccesses(ctx context.Context, repo *repo_model.Repository, i
 			return fmt.Errorf("getMembers '%d': %v", t.ID, err)
 		}
 		for _, m := range t.Members {
-			updateUserAccess(accessMap, m, t.Authorize)
+			updateUserAccess(accessMap, m, t.AccessMode)
 		}
 	}
 
@@ -210,10 +210,10 @@ func recalculateUserAccess(ctx context.Context, repo *repo_model.Repository, uid
 
 		for _, t := range teams {
 			if t.IsOwnerTeam() {
-				t.Authorize = perm.AccessModeOwner
+				t.AccessMode = perm.AccessModeOwner
 			}
 
-			accessMode = maxAccessMode(accessMode, t.Authorize)
+			accessMode = maxAccessMode(accessMode, t.AccessMode)
 		}
 	}
 
diff --git a/models/issue.go b/models/issue.go
index 33fe8e91f027d..c61f699d92b1d 100644
--- a/models/issue.go
+++ b/models/issue.go
@@ -2147,7 +2147,7 @@ func (issue *Issue) ResolveMentionsByVisibility(ctx context.Context, doer *user_
 				unittype = unit.TypePullRequests
 			}
 			for _, team := range teams {
-				if team.Authorize >= perm.AccessModeAdmin {
+				if team.AccessMode >= perm.AccessModeAdmin {
 					checked = append(checked, team.ID)
 					resolved[issue.Repo.Owner.LowerName+"/"+team.LowerName] = true
 					continue
diff --git a/models/org.go b/models/org.go
index c135bb9d3cc31..11c4662ba2235 100644
--- a/models/org.go
+++ b/models/org.go
@@ -265,7 +265,7 @@ func CreateOrganization(org *Organization, owner *user_model.User) (err error) {
 		OrgID:                   org.ID,
 		LowerName:               strings.ToLower(ownerTeamName),
 		Name:                    ownerTeamName,
-		Authorize:               perm.AccessModeOwner,
+		AccessMode:              perm.AccessModeOwner,
 		NumMembers:              1,
 		IncludesAllRepositories: true,
 		CanCreateOrgRepo:        true,
diff --git a/models/org_team.go b/models/org_team.go
index 9094cc8bb913b..ffc9c158c1a49 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -32,7 +32,7 @@ type Team struct {
 	LowerName               string
 	Name                    string
 	Description             string
-	Authorize               perm.AccessMode
+	AccessMode              perm.AccessMode          `xorm:"'authorize'"`
 	Repos                   []*repo_model.Repository `xorm:"-"`
 	Members                 []*user_model.User       `xorm:"-"`
 	NumRepos                int
@@ -126,7 +126,7 @@ func (t *Team) ColorFormat(s fmt.State) {
 		log.NewColoredIDValue(t.ID),
 		t.Name,
 		log.NewColoredIDValue(t.OrgID),
-		t.Authorize)
+		t.AccessMode)
 }
 
 // GetUnits return a list of available units for a team
@@ -145,7 +145,7 @@ func (t *Team) getUnits(e db.Engine) (err error) {
 
 // GetUnitNames returns the team units names
 func (t *Team) GetUnitNames() (res []string) {
-	if t.Authorize >= perm.AccessModeAdmin {
+	if t.AccessMode >= perm.AccessModeAdmin {
 		return unit.AllUnitKeyNames()
 	}
 
@@ -158,9 +158,9 @@ func (t *Team) GetUnitNames() (res []string) {
 // GetUnitsMap returns the team units permissions
 func (t *Team) GetUnitsMap() map[string]string {
 	var m = make(map[string]string)
-	if t.Authorize >= perm.AccessModeAdmin {
+	if t.AccessMode >= perm.AccessModeAdmin {
 		for _, u := range unit.Units {
-			m[u.NameKey] = t.Authorize.String()
+			m[u.NameKey] = t.AccessMode.String()
 		}
 	} else {
 		for _, u := range t.Units {
diff --git a/models/org_team_test.go b/models/org_team_test.go
index 59b7b6d5a834c..aa62cc58e2d00 100644
--- a/models/org_team_test.go
+++ b/models/org_team_test.go
@@ -211,7 +211,7 @@ func TestUpdateTeam(t *testing.T) {
 	team.LowerName = "newname"
 	team.Name = "newName"
 	team.Description = strings.Repeat("A long description!", 100)
-	team.Authorize = perm.AccessModeAdmin
+	team.AccessMode = perm.AccessModeAdmin
 	assert.NoError(t, UpdateTeam(team, true, false))
 
 	team = unittest.AssertExistsAndLoadBean(t, &Team{Name: "newName"}).(*Team)
diff --git a/models/repo_permission.go b/models/repo_permission.go
index 1eec972c11acd..4e5cbfd55807e 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -239,7 +239,7 @@ func getUserRepoPermission(ctx context.Context, repo *repo_model.Repository, use
 
 	// if user in an owner team
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeAdmin {
+		if team.AccessMode >= perm_model.AccessModeAdmin {
 			perm.AccessMode = perm_model.AccessModeOwner
 			perm.UnitsMode = nil
 			return
@@ -325,7 +325,7 @@ func isUserRepoAdmin(e db.Engine, repo *repo_model.Repository, user *user_model.
 	}
 
 	for _, team := range teams {
-		if team.Authorize >= perm_model.AccessModeAdmin {
+		if team.AccessMode >= perm_model.AccessModeAdmin {
 			return true, nil
 		}
 	}
diff --git a/models/review.go b/models/review.go
index eeb33611ceb15..023f98c3eace5 100644
--- a/models/review.go
+++ b/models/review.go
@@ -280,7 +280,7 @@ func isOfficialReviewerTeam(ctx context.Context, issue *Issue, team *Team) (bool
 	}
 
 	if !pr.ProtectedBranch.EnableApprovalsWhitelist {
-		return team.Authorize >= perm.AccessModeWrite, nil
+		return team.UnitAccessMode(unit.TypeCode) >= perm.AccessModeWrite, nil
 	}
 
 	return base.Int64sContains(pr.ProtectedBranch.ApprovalsWhitelistTeamIDs, team.ID), nil
diff --git a/modules/context/org.go b/modules/context/org.go
index eb81f6644c171..585a5fd762c6d 100644
--- a/modules/context/org.go
+++ b/modules/context/org.go
@@ -168,7 +168,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 			return
 		}
 
-		ctx.Org.IsTeamAdmin = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= perm.AccessModeAdmin
+		ctx.Org.IsTeamAdmin = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.AccessMode >= perm.AccessModeAdmin
 		ctx.Data["IsTeamAdmin"] = ctx.Org.IsTeamAdmin
 		if requireTeamAdmin && !ctx.Org.IsTeamAdmin {
 			ctx.NotFound("OrgAssignment", err)
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index 2466e0dfd2960..41a044c6d74e2 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -306,7 +306,7 @@ func ToTeam(team *models.Team) *api.Team {
 		Description:             team.Description,
 		IncludesAllRepositories: team.IncludesAllRepositories,
 		CanCreateOrgRepo:        team.CanCreateOrgRepo,
-		Permission:              team.Authorize.String(),
+		Permission:              team.AccessMode.String(),
 		Units:                   team.GetUnitNames(),
 		UnitsMap:                team.GetUnitsMap(),
 	}
diff --git a/modules/repository/create_test.go b/modules/repository/create_test.go
index 18995f4ecd210..ed890ace43319 100644
--- a/modules/repository/create_test.go
+++ b/modules/repository/create_test.go
@@ -70,25 +70,25 @@ func TestIncludesAllRepositoriesTeams(t *testing.T) {
 		{
 			OrgID:                   org.ID,
 			Name:                    "team one",
-			Authorize:               perm.AccessModeRead,
+			AccessMode:              perm.AccessModeRead,
 			IncludesAllRepositories: true,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team 2",
-			Authorize:               perm.AccessModeRead,
+			AccessMode:              perm.AccessModeRead,
 			IncludesAllRepositories: false,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team three",
-			Authorize:               perm.AccessModeWrite,
+			AccessMode:              perm.AccessModeWrite,
 			IncludesAllRepositories: true,
 		},
 		{
 			OrgID:                   org.ID,
 			Name:                    "team 4",
-			Authorize:               perm.AccessModeWrite,
+			AccessMode:              perm.AccessModeWrite,
 			IncludesAllRepositories: false,
 		},
 	}
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 1e81b669664cc..f3be88e919a32 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -158,7 +158,7 @@ func attachTeamUnits(team *models.Team, units []string) {
 		team.Units = append(team.Units, &models.TeamUnit{
 			OrgID:      team.OrgID,
 			Type:       tp,
-			AccessMode: team.Authorize,
+			AccessMode: team.AccessMode,
 		})
 	}
 }
@@ -219,10 +219,10 @@ func CreateTeam(ctx *context.APIContext) {
 		Description:             form.Description,
 		IncludesAllRepositories: form.IncludesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
-		Authorize:               p,
+		AccessMode:              p,
 	}
 
-	if team.Authorize < perm.AccessModeAdmin {
+	if team.AccessMode < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
@@ -297,9 +297,9 @@ func EditTeam(ctx *context.APIContext) {
 			p = unit_model.MinUnitAccessMode(convertUnitsMap(form.UnitsMap))
 		}
 
-		if team.Authorize != p {
+		if team.AccessMode != p {
 			isAuthChanged = true
-			team.Authorize = p
+			team.AccessMode = p
 		}
 
 		if form.IncludesAllRepositories != nil {
@@ -308,7 +308,7 @@ func EditTeam(ctx *context.APIContext) {
 		}
 	}
 
-	if team.Authorize < perm.AccessModeAdmin {
+	if team.AccessMode < perm.AccessModeAdmin {
 		if len(form.UnitsMap) > 0 {
 			attachTeamUnitsMap(team, form.UnitsMap)
 		} else if len(form.Units) > 0 {
diff --git a/routers/web/org/teams.go b/routers/web/org/teams.go
index ab7f32b060cd0..78f9b147ec4db 100644
--- a/routers/web/org/teams.go
+++ b/routers/web/org/teams.go
@@ -250,6 +250,8 @@ func NewTeamPost(ctx *context.Context) {
 	var unitPerms = getUnitPerms(ctx.Req.Form)
 	var p = perm.ParseAccessMode(form.Permission)
 	if p < perm.AccessModeAdmin {
+		// if p is less than admin accessmode, then it should be general accessmode,
+		// so we should calculate the minial accessmode from units accessmodes.
 		p = unit_model.MinUnitAccessMode(unitPerms)
 	}
 
@@ -257,12 +259,12 @@ func NewTeamPost(ctx *context.Context) {
 		OrgID:                   ctx.Org.Organization.ID,
 		Name:                    form.TeamName,
 		Description:             form.Description,
-		Authorize:               p,
+		AccessMode:              p,
 		IncludesAllRepositories: includesAllRepositories,
 		CanCreateOrgRepo:        form.CanCreateOrgRepo,
 	}
 
-	if t.Authorize < perm.AccessModeAdmin {
+	if t.AccessMode < perm.AccessModeAdmin {
 		var units = make([]*models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, &models.TeamUnit{
@@ -281,7 +283,7 @@ func NewTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}
@@ -350,12 +352,17 @@ func EditTeamPost(ctx *context.Context) {
 	var includesAllRepositories = form.RepoAccess == "all"
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
-		auth := perm.ParseAccessMode(form.Permission)
+		newAccessMode := perm.ParseAccessMode(form.Permission)
+		if newAccessMode < perm.AccessModeAdmin {
+			// if p is less than admin accessmode, then it should be general accessmode,
+			// so we should calculate the minial accessmode from units accessmodes.
+			newAccessMode = unit_model.MinUnitAccessMode(unitPerms)
+		}
 
 		t.Name = form.TeamName
-		if t.Authorize != auth {
+		if t.AccessMode != newAccessMode {
 			isAuthChanged = true
-			t.Authorize = auth
+			t.AccessMode = newAccessMode
 		}
 
 		if t.IncludesAllRepositories != includesAllRepositories {
@@ -364,7 +371,7 @@ func EditTeamPost(ctx *context.Context) {
 		}
 	}
 	t.Description = form.Description
-	if t.Authorize < perm.AccessModeAdmin {
+	if t.AccessMode < perm.AccessModeAdmin {
 		var units = make([]models.TeamUnit, 0, len(unitPerms))
 		for tp, perm := range unitPerms {
 			units = append(units, models.TeamUnit{
@@ -387,7 +394,7 @@ func EditTeamPost(ctx *context.Context) {
 		return
 	}
 
-	if t.Authorize < perm.AccessModeAdmin && len(unitPerms) == 0 {
+	if t.AccessMode < perm.AccessModeAdmin && len(unitPerms) == 0 {
 		ctx.RenderWithErr(ctx.Tr("form.team_no_units_error"), tplTeamNew, &form)
 		return
 	}

From 9c4f1e989c40fddd31366365e8cdfacc901d3c54 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 13 Dec 2021 10:08:05 +0800
Subject: [PATCH 54/60] Fix template variables

---
 templates/org/team/new.tmpl     | 6 +++---
 templates/org/team/sidebar.tmpl | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
index cbb58d262d5bb..1cf2dd0236ec1 100644
--- a/templates/org/team/new.tmpl
+++ b/templates/org/team/new.tmpl
@@ -56,14 +56,14 @@
 								<br>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.Authorize}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.Authorize 1) (eq .Team.Authorize 2)}}checked{{end}}>
+										<input type="radio" name="permission" value="{{if .PageIsOrgTeamsNew}}read{{else}}{{.Team.AccessMode}}{{end}}" {{if or .PageIsOrgTeamsNew (eq .Team.AccessMode 1) (eq .Team.AccessMode 2)}}checked{{end}}>
 										<label>{{.i18n.Tr "org.teams.general_access"}}</label>
 										<span class="help">{{.i18n.Tr "org.teams.general_access_helper"}}</span>
 									</div>
 								</div>
 								<div class="field">
 									<div class="ui radio checkbox">
-										<input type="radio" name="permission" value="admin" {{if eq .Team.Authorize 3}}checked{{end}}>
+										<input type="radio" name="permission" value="admin" {{if eq .Team.AccessMode 3}}checked{{end}}>
 										<label>{{.i18n.Tr "org.teams.admin_access"}}</label>
 										<span class="help">{{.i18n.Tr "org.teams.admin_access_helper"}}</span>
 									</div>
@@ -71,7 +71,7 @@
 							</div>
 							<div class="ui divider"></div>
 
-							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
+							<div class="team-units required grouped field"{{if eq .Team.AccessMode 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<table class="ui celled table">
 									<thead>
diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl
index 2e3769de479a1..6ea08740f714d 100644
--- a/templates/org/team/sidebar.tmpl
+++ b/templates/org/team/sidebar.tmpl
@@ -29,19 +29,19 @@
 		<div class="item">
 			{{if eq .Team.LowerName "owners"}}
 				{{.i18n.Tr "org.teams.owners_permission_desc" | Str2html}}
-			{{else if (eq .Team.Authorize 1)}}
+			{{else if (eq .Team.AccessMode 1)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_read_permission_desc" | Str2html}}
 				{{else}}
 					{{.i18n.Tr "org.teams.read_permission_desc" | Str2html}}
 				{{end}}
-			{{else if (eq .Team.Authorize 2)}}
+			{{else if (eq .Team.AccessMode 2)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_write_permission_desc" | Str2html}}
 				{{else}}
 					{{.i18n.Tr "org.teams.write_permission_desc" | Str2html}}
 				{{end}}
-			{{else if (eq .Team.Authorize 3)}}
+			{{else if (eq .Team.AccessMode 3)}}
 				{{if .Team.IncludesAllRepositories}}
 					{{.i18n.Tr "org.teams.all_repositories_admin_permission_desc" | Str2html}}
 				{{else}}

From 90bb10b21759452f1b3ac804d6694bb3ee3e40a6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Mon, 13 Dec 2021 13:17:53 +0800
Subject: [PATCH 55/60] Add permission docs

---
 docs/content/doc/usage/permissions.en-us.md | 73 +++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 docs/content/doc/usage/permissions.en-us.md

diff --git a/docs/content/doc/usage/permissions.en-us.md b/docs/content/doc/usage/permissions.en-us.md
new file mode 100644
index 0000000000000..fe1fac7534242
--- /dev/null
+++ b/docs/content/doc/usage/permissions.en-us.md
@@ -0,0 +1,73 @@
+---
+date: "2021-12-13:10:10+08:00"
+title: "Permissions"
+slug: "permissions"
+weight: 14
+toc: false
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Permissions"
+    weight: 14
+    identifier: "permissions"
+---
+
+# Permissions
+
+**Table of Contents**
+
+{{< toc >}}
+
+Gitea supports permissions for repository so that you can give different access for different people. At first, we need to know about `Unit`.
+
+## Unit
+
+In Gitea, we call a sub module of a repository `Unit`. Now we have following units.
+
+| Name           | Description                                          | Permissions |
+| -------------- | ---------------------------------------------------- | ----------- |
+| Code           | Access source code, files, commits and branches.     | Read Write  |
+| Issues         | Organize bug reports, tasks and milestones.          | Read Write  |
+| PullRequests   | Enable pull requests and code reviews.               | Read Write  |
+| Releases       | Track project versions and downloads.                | Read Write  |
+| Wiki           | Write and share documentation with collaborators.    | Read Write  |
+| ExternalWiki   | Link to an external wiki                             | Read        |
+| ExternalTracer | Link to an external issue tracker                    | Read        |
+| Projects       | The URL to the template repository                   | Read Write  |
+| Settings       | Manage the repository                                | Admin       |
+
+With different permissions, people could do diffent things with these units.
+
+| Name           | Read                                               | Write                        | Admin                     |
+| -------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
+| Code           | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
+| Issues         | View issues and create new issues.                 | Add labels, assign, close    | -                         |
+| PullRequests   | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
+| Releases       | View releases and download files.                  | Create/Edit releases         | -                         |
+| Wiki           | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
+| ExternalWiki   | Link to an external wiki                           | -                            | -                         |
+| ExternalTracer | Link to an external issue tracker                  | -                            | -                         |
+| Projects       | View the boards                                    | Change issues across boards  | -                         |
+| Settings       | -                                                  | -                            | Manage the repository     |
+
+And there are some differents for permissions between individule repositories and organization repositories.
+
+## Individule Repository
+
+For individule repositories, the creators are the only owners of repositories and have no limit to change anything of this 
+repository or delete it. Repositories owners could add collabrators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
+
+## Organization Repository
+
+Different from individule repositories, the owner of organization repositories are the owner team of this organization.
+
+### Team
+
+A team in an organizaiton has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
+repositories.
+
+The owner team will be created when the organization created and the creator will become the first member of the owner team.
+Notice Gitea will not allow a people is a member of organization but not in any team. The owner team could not be deleted and only
+members of owner team could create a new team. Admin team could be created to manange some of repositories, members of admin team
+could do anything with these repositories. Generate team could be created by the owner team to do the permissions allowed operations.

From 83a03cc4e7950181da2cc0edb70792c4d9407586 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 16 Dec 2021 20:34:37 +0800
Subject: [PATCH 56/60] improve doc

---
 docs/content/doc/usage/permissions.en-us.md | 70 ++++++++++-----------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/docs/content/doc/usage/permissions.en-us.md b/docs/content/doc/usage/permissions.en-us.md
index fe1fac7534242..1eea78b557134 100644
--- a/docs/content/doc/usage/permissions.en-us.md
+++ b/docs/content/doc/usage/permissions.en-us.md
@@ -25,49 +25,49 @@ Gitea supports permissions for repository so that you can give different access
 
 In Gitea, we call a sub module of a repository `Unit`. Now we have following units.
 
-| Name           | Description                                          | Permissions |
-| -------------- | ---------------------------------------------------- | ----------- |
-| Code           | Access source code, files, commits and branches.     | Read Write  |
-| Issues         | Organize bug reports, tasks and milestones.          | Read Write  |
-| PullRequests   | Enable pull requests and code reviews.               | Read Write  |
-| Releases       | Track project versions and downloads.                | Read Write  |
-| Wiki           | Write and share documentation with collaborators.    | Read Write  |
-| ExternalWiki   | Link to an external wiki                             | Read        |
-| ExternalTracer | Link to an external issue tracker                    | Read        |
-| Projects       | The URL to the template repository                   | Read Write  |
-| Settings       | Manage the repository                                | Admin       |
-
-With different permissions, people could do diffent things with these units.
-
-| Name           | Read                                               | Write                        | Admin                     |
-| -------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
-| Code           | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
-| Issues         | View issues and create new issues.                 | Add labels, assign, close    | -                         |
-| PullRequests   | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
-| Releases       | View releases and download files.                  | Create/Edit releases         | -                         |
-| Wiki           | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
-| ExternalWiki   | Link to an external wiki                           | -                            | -                         |
-| ExternalTracer | Link to an external issue tracker                  | -                            | -                         |
-| Projects       | View the boards                                    | Change issues across boards  | -                         |
-| Settings       | -                                                  | -                            | Manage the repository     |
-
-And there are some differents for permissions between individule repositories and organization repositories.
-
-## Individule Repository
-
-For individule repositories, the creators are the only owners of repositories and have no limit to change anything of this 
-repository or delete it. Repositories owners could add collabrators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
+| Name            | Description                                          | Permissions |
+| --------------- | ---------------------------------------------------- | ----------- |
+| Code            | Access source code, files, commits and branches.     | Read Write  |
+| Issues          | Organize bug reports, tasks and milestones.          | Read Write  |
+| PullRequests    | Enable pull requests and code reviews.               | Read Write  |
+| Releases        | Track project versions and downloads.                | Read Write  |
+| Wiki            | Write and share documentation with collaborators.    | Read Write  |
+| ExternalWiki    | Link to an external wiki                             | Read        |
+| ExternalTracker | Link to an external issue tracker                    | Read        |
+| Projects        | The URL to the template repository                   | Read Write  |
+| Settings        | Manage the repository                                | Admin       |
+
+With different permissions, people could do different things with these units.
+
+| Name            | Read                                               | Write                        | Admin                     |
+| --------------- | -------------------------------------------------  | ---------------------------- | ------------------------- |
+| Code            | View code trees, files, commits, branches and etc. | Push codes.                  | -                         |
+| Issues          | View issues and create new issues.                 | Add labels, assign, close    | -                         |
+| PullRequests    | View pull requests and create new pull requests.   | Add labels, assign, close    | -                         |
+| Releases        | View releases and download files.                  | Create/Edit releases         | -                         |
+| Wiki            | View wiki pages. Clone the wiki repository.        | Create/Edit wiki pages, push | -                         |
+| ExternalWiki    | Link to an external wiki                           | -                            | -                         |
+| ExternalTracker | Link to an external issue tracker                  | -                            | -                         |
+| Projects        | View the boards                                    | Change issues across boards  | -                         |
+| Settings        | -                                                  | -                            | Manage the repository     |
+
+And there are some differences for permissions between individual repositories and organization repositories.
+
+## Individual Repository
+
+For individual repositories, the creators are the only owners of repositories and have no limit to change anything of this 
+repository or delete it. Repositories owners could add collaborators to help maintain the repositories. Collaborators could have `Read`, `Write` and `Admin` permissions.
 
 ## Organization Repository
 
-Different from individule repositories, the owner of organization repositories are the owner team of this organization.
+Different from individual repositories, the owner of organization repositories are the owner team of this organization.
 
 ### Team
 
-A team in an organizaiton has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
+A team in an organization has unit permissions settings. It can have members and repositories scope. A team could access all the repositories in this organization or special repositories changed by the owner team. A team could also be allowed to create new
 repositories.
 
 The owner team will be created when the organization created and the creator will become the first member of the owner team.
 Notice Gitea will not allow a people is a member of organization but not in any team. The owner team could not be deleted and only
-members of owner team could create a new team. Admin team could be created to manange some of repositories, members of admin team
+members of owner team could create a new team. Admin team could be created to manage some of repositories, members of admin team
 could do anything with these repositories. Generate team could be created by the owner team to do the permissions allowed operations.

From 252d1a85614356f5d7335493b000a6cb6b558f44 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 16 Dec 2021 20:44:43 +0800
Subject: [PATCH 57/60] Fix fixture

---
 models/fixtures/team_unit.yml | 90 +++++++++++++++++------------------
 1 file changed, 45 insertions(+), 45 deletions(-)

diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml
index 1d7be8d5d5935..66f0d22efdfe5 100644
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@@ -2,268 +2,268 @@
   id: 1
   team_id: 1
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 2
   team_id: 1
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 3
   team_id: 1
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 4
   team_id: 1
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 5
   team_id: 1
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 6
   team_id: 1
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 7
   team_id: 1
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 8
   team_id: 2
   type: 1
-  authorize: 2
+  access_mode: 2
 
 -
   id: 9
   team_id: 2
   type: 2
-  authorize: 2
+  access_mode: 2
 
 -
   id: 10
   team_id: 2
   type: 3
-  authorize: 2
+  access_mode: 2
 
 -
   id: 11
   team_id: 2
   type: 4
-  authorize: 2
+  access_mode: 2
 
 -
   id: 12
   team_id: 2
   type: 5
-  authorize: 2
+  access_mode: 2
 
 -
   id: 13
   team_id: 2
   type: 6
-  authorize: 2
+  access_mode: 2
 
 -
   id: 14
   team_id: 2
   type: 7
-  authorize: 2
+  access_mode: 2
 
 -
   id: 15
   team_id: 3
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 16
   team_id: 3
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 17
   team_id: 3
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 18
   team_id: 3
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 19
   team_id: 3
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 20
   team_id: 3
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 21
   team_id: 3
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 22
   team_id: 4
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 23
   team_id: 4
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 24
   team_id: 4
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 25
   team_id: 4
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 26
   team_id: 4
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 27
   team_id: 4
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 28
   team_id: 4
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 29
   team_id: 5
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 30
   team_id: 5
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 31
   team_id: 5
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 32
   team_id: 5
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 33
   team_id: 5
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 34
   team_id: 5
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 35
   team_id: 5
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 36
   team_id: 6
   type: 1
-  authorize: 4
+  access_mode: 4
 
 -
   id: 37
   team_id: 6
   type: 2
-  authorize: 4
+  access_mode: 4
 
 -
   id: 38
   team_id: 6
   type: 3
-  authorize: 4
+  access_mode: 4
 
 -
   id: 39
   team_id: 6
   type: 4
-  authorize: 4
+  access_mode: 4
 
 -
   id: 40
   team_id: 6
   type: 5
-  authorize: 4
+  access_mode: 4
 
 -
   id: 41
   team_id: 6
   type: 6
-  authorize: 4
+  access_mode: 4
 
 -
   id: 42
   team_id: 6
   type: 7
-  authorize: 4
+  access_mode: 4
 
 -
   id: 43
   team_id: 7
   type: 2 # issues
-  authorize: 2
+  access_mode: 2
 
 -
   id: 44
   team_id: 8
   type: 2 # issues
-  authorize: 2
+  access_mode: 2
 
 -
   id: 45
   team_id: 9
   type: 1 # code
-  authorize: 1
\ No newline at end of file
+  access_mode: 1

From d20b90ea0b4079e3eef67954b49f80082fc54049 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sun, 2 Jan 2022 15:17:44 +0800
Subject: [PATCH 58/60] Fix bug

---
 models/org_team.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/org_team.go b/models/org_team.go
index ffc9c158c1a49..3cf976353f75a 100644
--- a/models/org_team.go
+++ b/models/org_team.go
@@ -684,7 +684,7 @@ func UpdateTeam(t *Team, authChanged, includeAllChanged bool) (err error) {
 			Delete(new(TeamUnit)); err != nil {
 			return err
 		}
-		if _, err = sess.Cols("org_id", "team_id", "type", "authorize").Insert(&t.Units); err != nil {
+		if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil {
 			return err
 		}
 	}

From fb1cc7e289c3d532120dc806b2210b0c32abaaf6 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Tue, 4 Jan 2022 09:11:56 +0800
Subject: [PATCH 59/60] Fix some bug

---
 models/migrations/v206.go   | 29 ++++++++++++++++++-----------
 models/unit/unit.go         |  2 +-
 modules/structs/org_team.go |  1 +
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/models/migrations/v206.go b/models/migrations/v206.go
index 3449bebbdf475..ede9abda8b246 100644
--- a/models/migrations/v206.go
+++ b/models/migrations/v206.go
@@ -1,30 +1,37 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
+// Copyright 2022 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
 package migrations
 
 import (
-	"fmt"
-
 	"xorm.io/xorm"
+	"xorm.io/xorm/schemas"
 )
 
 func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
 	type TeamUnit struct {
-		ID        int64 `xorm:"pk autoincr"`
-		OrgID     int64 `xorm:"INDEX"`
-		TeamID    int64 `xorm:"UNIQUE(s)"`
-		Type      int   `xorm:"UNIQUE(s)"`
-		Authorize int
+		ID         int64 `xorm:"pk autoincr"`
+		OrgID      int64 `xorm:"INDEX"`
+		TeamID     int64 `xorm:"UNIQUE(s)"`
+		Type       int   `xorm:"UNIQUE(s)"`
+		AccessMode int
 	}
 
-	if err := x.Sync2(new(TeamUnit)); err != nil {
-		return fmt.Errorf("sync2: %v", err)
+	if err := modifyColumn(x, "user", &schemas.Column{
+		Name: "rands",
+		SQLType: schemas.SQLType{
+			Name: "VARCHAR",
+		},
+		Length: 32,
+		// MySQL will like us again.
+		Nullable: true,
+	}); err != nil {
+		return err
 	}
 
 	// migrate old permission
-	_, err := x.Exec("UPDATE team_unit SET authorize = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
+	_, err := x.Exec("UPDATE team_unit SET access_mode = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
 	return err
 
 }
diff --git a/models/unit/unit.go b/models/unit/unit.go
index c8ae811650587..c9142e84510bc 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -321,7 +321,7 @@ func AllUnitKeyNames() []string {
 func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	var res = perm.AccessModeNone
 	for _, mode := range unitsMap {
-		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
+		if mode > perm.AccessModeNone && mode < res {
 			res = mode
 		}
 	}
diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
index bf18b4fc4be15..53e3fcf62da45 100644
--- a/modules/structs/org_team.go
+++ b/modules/structs/org_team.go
@@ -15,6 +15,7 @@ type Team struct {
 	// enum: none,read,write,admin,owner
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.projects","repo.ext_wiki"]
+	// Deprecated: This variable should be replaced by UnitsMap and will be dropped in later versions.
 	Units []string `json:"units"`
 	// example: {"repo.code":"read","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"admin","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"]
 	UnitsMap         map[string]string `json:"units_map"`

From 55164ac4dc2d030ee58fa6a6d275c033231ea9c3 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 5 Jan 2022 10:39:29 +0800
Subject: [PATCH 60/60] Fix bug

---
 models/unit/unit.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/models/unit/unit.go b/models/unit/unit.go
index c9142e84510bc..ac131aae897fe 100644
--- a/models/unit/unit.go
+++ b/models/unit/unit.go
@@ -321,7 +321,8 @@ func AllUnitKeyNames() []string {
 func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
 	var res = perm.AccessModeNone
 	for _, mode := range unitsMap {
-		if mode > perm.AccessModeNone && mode < res {
+		// get the minial permission great than AccessModeNone except all are AccessModeNone
+		if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
 			res = mode
 		}
 	}