
Commit ce52514

authored
Fix org package owner permissions (go-gitea#19742)
Old code did not respect owner visibility and the organization access calculation was wrong if the user was not a member.
1 parent 3e5ea9a commit ce52514


1 file changed

+21
-13
lines changed


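--- a/modules/context/package.go
+++ b/modules/context/package.go
@@ -12,6 +12,7 @@ import (
 packages_model "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/models/perm"
 user_model "code.gitea.io/gitea/models/user"
+"code.gitea.io/gitea/modules/structs"
 )
 
 // Package contains owner, access mode and optional the package descriptor
@@ -50,22 +51,29 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) {
 Owner: ctx.ContextUser,
 }
 
-if ctx.Doer != nil && ctx.Doer.ID == ctx.ContextUser.ID {
-ctx.Package.AccessMode = perm.AccessModeOwner
+if ctx.Package.Owner.IsOrganization() {
+// 1. Get user max authorize level for the org (may be none, if user is not member of the org)
+if ctx.Doer != nil {
+var err error
+ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
+if err != nil {
+errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
+return
+}
+}
+// 2. If authorize level is none, check if org is visible to user
+if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+ctx.Package.AccessMode = perm.AccessModeRead
+}
 } else {
-if ctx.Package.Owner.IsOrganization() {
-if organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {
+if ctx.Doer != nil && !ctx.Doer.IsGhost() {
+// 1. Check if user is package owner
+if ctx.Doer.ID == ctx.Package.Owner.ID {
+ctx.Package.AccessMode = perm.AccessModeOwner
+} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic || ctx.Package.Owner.Visibility == structs.VisibleTypeLimited { // 2. Check if package owner is public or limited
 ctx.Package.AccessMode = perm.AccessModeRead
-if ctx.Doer != nil {
-var err error
-ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID)
-if err != nil {
-errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err)
-return
-}
-}
 }
-} else {
+} else if ctx.Package.Owner.Visibility == structs.VisibleTypePublic { // 3. Check if package owner is public
 ctx.Package.AccessMode = perm.AccessModeRead
 }
 }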
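Review bot: The two branches of the new owner check disagree on how a ghost Doer is treated: the user branch at `if ctx.Doer != nil && !ctx.Doer.IsGhost()` excludes it, but the organization branch passes a ghost Doer's ID straight into `GetOrgUserMaxAuthorizeLevel` and then into `HasOrgOrUserVisible`, so whether a ghost ends up with the same access as an anonymous caller depends on those helpers, which are outside this hunk. Normalizing once before the `IsOrganization()` test keeps both paths aligned: `doer := ctx.Doer` followed by `if doer != nil && doer.IsGhost() { doer = nil }`, with `doer` used in place of `ctx.Doer` in both branches. The same asymmetry applies to visibility: the org branch defers to `HasOrgOrUserVisible` while the user branch compares `Visibility` directly, so any additional rule that helper applies (presumably for site administrators) only takes effect for organization owners; a short comment above the `else` stating that this is intentional would stop the next reader from "fixing" it. packageAssignment starts before this hunk.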
