From a9a440e600cb589afe812339f9e07296ed5c27a8 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Thu, 28 Jul 2022 16:05:59 +0200 Subject: [PATCH] Fix package permission checks for organizations (#20517) (#20520) --- modules/context/package.go | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/modules/context/package.go b/modules/context/package.go index 4c52907dc..92a97831d 100644 --- a/modules/context/package.go +++ b/modules/context/package.go @@ -11,6 +11,7 @@ import ( "code.gitea.io/gitea/models/organization" packages_model "code.gitea.io/gitea/models/packages" "code.gitea.io/gitea/models/perm" + "code.gitea.io/gitea/models/unit" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/structs" ) @@ -52,14 +53,30 @@ func packageAssignment(ctx *Context, errCb func(int, string, interface{})) { } if ctx.Package.Owner.IsOrganization() { + org := organization.OrgFromUser(ctx.Package.Owner) + // 1. Get user max authorize level for the org (may be none, if user is not member of the org) if ctx.Doer != nil { var err error - ctx.Package.AccessMode, err = organization.OrgFromUser(ctx.Package.Owner).GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID) + ctx.Package.AccessMode, err = org.GetOrgUserMaxAuthorizeLevel(ctx.Doer.ID) if err != nil { errCb(http.StatusInternalServerError, "GetOrgUserMaxAuthorizeLevel", err) return } + // If access mode is less than write check every team for more permissions + if ctx.Package.AccessMode < perm.AccessModeWrite { + teams, err := organization.GetUserOrgTeams(ctx, org.ID, ctx.Doer.ID) + if err != nil { + errCb(http.StatusInternalServerError, "GetUserOrgTeams", err) + return + } + for _, t := range teams { + perm := t.UnitAccessModeCtx(ctx, unit.TypePackages) + if ctx.Package.AccessMode < perm { + ctx.Package.AccessMode = perm + } + } + } } // 2. If authorize level is none, check if org is visible to user if ctx.Package.AccessMode == perm.AccessModeNone && organization.HasOrgOrUserVisible(ctx, ctx.Package.Owner, ctx.Doer) {