Grant project permissions to team members

divbzero · divbzero · commit 7211a1625913 · 2022-07-20T22:23:12.000-07:00
diff --git a/tests/unit/packaging/test_models.py b/tests/unit/packaging/test_models.py
@@ -18,12 +18,16 @@
 from pyramid.authorization import Allow
 from pyramid.location import lineage
 
+from warehouse.organizations.models import TeamProjectRoleType
 from warehouse.packaging.models import File, ProjectFactory, ReleaseURL
 
 from ...common.db.organizations import (
     OrganizationFactory as DBOrganizationFactory,
     OrganizationProjectFactory as DBOrganizationProjectFactory,
     OrganizationRoleFactory as DBOrganizationRoleFactory,
+    TeamFactory as DBTeamFactory,
+    TeamProjectRoleFactory as DBTeamProjectRoleFactory,
+    TeamRoleFactory as DBTeamRoleFactory,
 )
 from ...common.db.packaging import (
     FileFactory as DBFileFactory,
@@ -117,6 +121,12 @@ def test_acl(self, db_session):
         owner3 = DBOrganizationRoleFactory.create(organization=organization)
         DBOrganizationProjectFactory.create(organization=organization, project=project)
 
+        team = DBTeamFactory.create()
+        owner4 = DBTeamRoleFactory.create(team=team)
+        DBTeamProjectRoleFactory.create(
+            team=team, project=project, role_name=TeamProjectRoleType.Administer
+        )
+
         acls = []
         for location in lineage(project):
             try:
@@ -137,6 +147,7 @@ def test_acl(self, db_session):
                 (Allow, f"user:{owner1.user.id}", ["manage:project", "upload"]),
                 (Allow, f"user:{owner2.user.id}", ["manage:project", "upload"]),
                 (Allow, f"user:{owner3.user.id}", ["manage:project", "upload"]),
+                (Allow, f"user:{owner4.user.id}", ["manage:project", "upload"]),
             ],
             key=lambda x: x[1],
         ) + sorted(
diff --git a/warehouse/packaging/models.py b/warehouse/packaging/models.py
@@ -60,6 +60,7 @@
     OrganizationProject,
     OrganizationRole,
     OrganizationRoleType,
+    TeamProjectRole,
 )
 from warehouse.sitemap.models import SitemapMixin
 from warehouse.utils import dotted_navigator
@@ -254,7 +255,19 @@ def __acl__(self):
         query = session.query(Role).filter(Role.project == self)
         query = query.options(orm.lazyload("project"))
         query = query.options(orm.lazyload("user"))
-        roles = {(role.user_id, role.role_name) for role in query.all()}
+        permissions = {
+            (role.user_id, "Administer" if role.role_name == "Owner" else "Upload")
+            for role in query.all()
+        }
+
+        # Add all of the team members for this project.
+        query = session.query(TeamProjectRole).filter(TeamProjectRole.project == self)
+        query = query.options(orm.lazyload("project"))
+        query = query.options(orm.lazyload("team"))
+        for role in query.all():
+            permissions |= {
+                (user.id, role.role_name.value) for user in role.team.members
+            }
 
         # Add all organization owners for this project.
         if self.organization:
@@ -264,12 +277,10 @@ def __acl__(self):
             )
             query = query.options(orm.lazyload("organization"))
             query = query.options(orm.lazyload("user"))
-            roles |= {(role.user_id, "Owner") for role in query.all()}
+            permissions |= {(role.user_id, "Administer") for role in query.all()}
 
-        for user_id, role_name in sorted(
-            roles, key=lambda x: (["Owner", "Maintainer"].index(x[1]), x[0])
-        ):
-            if role_name == "Owner":
+        for user_id, permission_name in sorted(permissions, key=lambda x: (x[1], x[0])):
+            if permission_name == "Administer":
                 acls.append((Allow, f"user:{user_id}", ["manage:project", "upload"]))
             else:
                 acls.append((Allow, f"user:{user_id}", ["upload"]))
