Allow collaborators to view repo owned private org (#6965)

Handle case where an orginization is private but a user who is not a
member of the orgninization has been added as a collaborator of a repo
within that org

Fixes #6962
This commit is contained in:
mrsdizzie 2019-05-16 11:48:40 -04:00 committed by techknowlogick
parent d9dcd09340
commit 68a83cc5a2
3 changed files with 27 additions and 4 deletions

View file

@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) {
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
session.MakeRequest(t, req, http.StatusNotFound) session.MakeRequest(t, req, http.StatusNotFound)
// non-org member who is collaborator on repo in private org
session = loginUser(t, "user4")
req = NewRequest(t, "GET", "/privated_org")
session.MakeRequest(t, req, http.StatusNotFound)
req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo
session.MakeRequest(t, req, http.StatusOK)
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
session.MakeRequest(t, req, http.StatusNotFound)
// site admin // site admin
session = loginUser(t, "user1") session = loginUser(t, "user1")
req = NewRequest(t, "GET", "/privated_org") req = NewRequest(t, "GET", "/privated_org")

View file

@ -9,3 +9,9 @@
repo_id: 4 repo_id: 4
user_id: 4 user_id: 4
mode: 2 # write mode: 2 # write
-
id: 3
repo_id: 40
user_id: 4
mode: 2 # write

View file

@ -168,7 +168,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
repo.mustOwner(e) repo.mustOwner(e)
} }
if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) { var isCollaborator bool
if user != nil {
isCollaborator, err = repo.isCollaborator(e, user.ID)
if err != nil {
return perm, err
}
}
// Prevent strangers from checking out public repo of private orginization
// Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself
if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator {
perm.AccessMode = AccessModeNone perm.AccessMode = AccessModeNone
return return
} }
@ -207,9 +217,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
perm.UnitsMode = make(map[UnitType]AccessMode) perm.UnitsMode = make(map[UnitType]AccessMode)
// Collaborators on organization // Collaborators on organization
if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil { if isCollaborator {
return perm, err
} else if isCollaborator {
for _, u := range repo.Units { for _, u := range repo.Units {
perm.UnitsMode[u.Type] = perm.AccessMode perm.UnitsMode[u.Type] = perm.AccessMode
} }