From be666b03eef1e085adc0749837480e0db7f811ad Mon Sep 17 00:00:00 2001 From: zeripath Date: Mon, 22 Apr 2019 21:40:51 +0100 Subject: [PATCH] Trace Logging on Permission Denied & ColorFormat (#6618) * Add log.ColorFormat and log.ColorFormatted Structs can now implement log.ColorFormatted to provide their own colored format when logged with `%-v` or additional flags. Signed-off-by: Andrew Thornton * Add basic ColorFormat to repository and user Signed-off-by: Andrew Thornton * Add basic ColorFormat to access and unit Signed-off-by: Andrew Thornton * Add ColorFormat to permission and on trace log it Signed-off-by: Andrew Thornton * Add log.NewColoredIDValue to make ID value coloring consistent Signed-off-by: Andrew Thornton * formatting changes * Add some better tracing to permission denied for read issues/pulls Signed-off-by: Andrew Thornton * Add Trace logging on permission denied Signed-off-by: Andrew Thornton * Remove isTrace() check from deferred func * Adjust repo and allow logging of team * use FormatInt instead of Itoa * Add blank line Signed-off-by: Andrew Thornton * Update access.go --- .../advanced/logging-documentation.en-us.md | 13 +++- models/access.go | 14 +++- models/org_team.go | 10 +++ models/repo.go | 19 ++++++ models/repo_permission.go | 61 +++++++++++++++++ models/unit.go | 30 +++++++++ models/user.go | 7 ++ modules/context/permission.go | 37 +++++++++++ modules/log/colors.go | 66 ++++++++++++++++++- modules/log/logger.go | 6 +- routers/api/v1/api.go | 50 ++++++++++++++ routers/api/v1/repo/pull.go | 7 +- routers/repo/issue.go | 54 +++++++++++++++ routers/repo/issue_watch.go | 18 +++++ routers/repo/pull.go | 19 +++++- routers/repo/wiki.go | 10 +++ routers/user/home.go | 9 +++ 17 files changed, 418 insertions(+), 12 deletions(-) diff --git a/docs/content/doc/advanced/logging-documentation.en-us.md b/docs/content/doc/advanced/logging-documentation.en-us.md index bef034e2e..3af75c0d8 100644 --- a/docs/content/doc/advanced/logging-documentation.en-us.md +++ b/docs/content/doc/advanced/logging-documentation.en-us.md @@ -362,6 +362,17 @@ also set the `resetBytes` to the cached `resetBytes`. The `colorBytes` and `resetBytes` are not exported to prevent accidental overwriting of internal values. +## ColorFormat & ColorFormatted + +Structs may implement the `log.ColorFormatted` interface by implementing the `ColorFormat(fmt.State)` function. + +If a `log.ColorFormatted` struct is logged with `%-v` format, its `ColorFormat` will be used instead of the usual `%v`. The full `fmt.State` will be passed to allow implementers to look at additional flags. + +In order to help implementers provide `ColorFormat` methods. There is a +`log.ColorFprintf(...)` function in the log module that will wrap values in `log.ColoredValue` and recognise `%-v`. + +In general it is recommended not to make the results of this function too verbose to help increase its versatility. Usually this should simply be an `ID`:`Name`. If you wish to make a more verbose result, it is recommended to use `%-+v` as your marker. + ## Log Spoofing protection In order to protect the logs from being spoofed with cleverly @@ -392,5 +403,5 @@ func newNewoneLogService() { } ``` -You should then add `newOneLogService` to `NewServices()` in +You should then add `newOneLogService` to `NewServices()` in `modules/setting/setting.go` diff --git a/models/access.go b/models/access.go index 34d76953f..3cdfc62f2 100644 --- a/models/access.go +++ b/models/access.go @@ -1,10 +1,15 @@ // Copyright 2014 The Gogs Authors. All rights reserved. +// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. package models -import "fmt" +import ( + "fmt" + + "code.gitea.io/gitea/modules/log" +) // AccessMode specifies the users access mode type AccessMode int @@ -37,6 +42,13 @@ func (mode AccessMode) String() string { } } +// ColorFormat provides a ColorFormatted version of this AccessMode +func (mode AccessMode) ColorFormat(s fmt.State) { + log.ColorFprintf(s, "%d:%s", + log.NewColoredIDValue(mode), + mode) +} + // ParseAccessMode returns corresponding access mode to given permission string. func ParseAccessMode(permission string) AccessMode { switch permission { diff --git a/models/org_team.go b/models/org_team.go index 4e496e2f7..49d06896e 100644 --- a/models/org_team.go +++ b/models/org_team.go @@ -34,6 +34,16 @@ type Team struct { Units []*TeamUnit `xorm:"-"` } +// ColorFormat provides a basic color format for a Team +func (t *Team) ColorFormat(s fmt.State) { + log.ColorFprintf(s, "%d:%s (OrgID: %d) %-v", + log.NewColoredIDValue(t.ID), + t.Name, + log.NewColoredIDValue(t.OrgID), + t.Authorize) + +} + // GetUnits return a list of available units for a team func (t *Team) GetUnits() error { return t.getUnits(x) diff --git a/models/repo.go b/models/repo.go index 6069be124..936ad2ae3 100644 --- a/models/repo.go +++ b/models/repo.go @@ -18,6 +18,7 @@ import ( "path/filepath" "regexp" "sort" + "strconv" "strings" "time" @@ -210,6 +211,24 @@ type Repository struct { UpdatedUnix util.TimeStamp `xorm:"INDEX updated"` } +// ColorFormat returns a colored string to represent this repo +func (repo *Repository) ColorFormat(s fmt.State) { + var ownerName interface{} + + if repo.OwnerName != "" { + ownerName = repo.OwnerName + } else if repo.Owner != nil { + ownerName = repo.Owner.Name + } else { + ownerName = log.NewColoredIDValue(strconv.FormatInt(repo.OwnerID, 10)) + } + + log.ColorFprintf(s, "%d:%s/%s", + log.NewColoredIDValue(repo.ID), + ownerName, + repo.Name) +} + // AfterLoad is invoked from XORM after setting the values of all fields of this object. func (repo *Repository) AfterLoad() { // FIXME: use models migration to solve all at once. diff --git a/models/repo_permission.go b/models/repo_permission.go index eb0628cbd..b4bd1c30f 100644 --- a/models/repo_permission.go +++ b/models/repo_permission.go @@ -4,6 +4,12 @@ package models +import ( + "fmt" + + "code.gitea.io/gitea/modules/log" +) + // Permission contains all the permissions related variables to a repository for a user type Permission struct { AccessMode AccessMode @@ -90,12 +96,67 @@ func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool { return p.CanWrite(UnitTypeIssues) } +// ColorFormat writes a colored string for these Permissions +func (p *Permission) ColorFormat(s fmt.State) { + noColor := log.ColorBytes(log.Reset) + + format := "AccessMode: %-v, %d Units, %d UnitsMode(s): [ " + args := []interface{}{ + p.AccessMode, + log.NewColoredValueBytes(len(p.Units), &noColor), + log.NewColoredValueBytes(len(p.UnitsMode), &noColor), + } + if s.Flag('+') { + for i, unit := range p.Units { + config := "" + if unit.Config != nil { + configBytes, err := unit.Config.ToDB() + config = string(configBytes) + if err != nil { + config = string(err.Error()) + } + } + format += "\nUnits[%d]: ID: %d RepoID: %d Type: %-v Config: %s" + args = append(args, + log.NewColoredValueBytes(i, &noColor), + log.NewColoredIDValue(unit.ID), + log.NewColoredIDValue(unit.RepoID), + unit.Type, + config) + } + for key, value := range p.UnitsMode { + format += "\nUnitMode[%-v]: %-v" + args = append(args, + key, + value) + } + } else { + format += "..." + } + format += " ]" + log.ColorFprintf(s, format, args...) +} + // GetUserRepoPermission returns the user permissions to the repository func GetUserRepoPermission(repo *Repository, user *User) (Permission, error) { return getUserRepoPermission(x, repo, user) } func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permission, err error) { + if log.IsTrace() { + defer func() { + if user == nil { + log.Trace("Permission Loaded for anonymous user in %-v:\nPermissions: %-+v", + repo, + perm) + return + } + log.Trace("Permission Loaded for %-v in %-v:\nPermissions: %-+v", + user, + repo, + perm) + }() + } // anonymous user visit private repo. // TODO: anonymous user visit public unit of private repo??? if user == nil && repo.IsPrivate { diff --git a/models/unit.go b/models/unit.go index 9619232cf..a8ddf285d 100644 --- a/models/unit.go +++ b/models/unit.go @@ -5,7 +5,10 @@ package models import ( + "fmt" "strings" + + "code.gitea.io/gitea/modules/log" ) // UnitType is Unit's Type @@ -22,6 +25,33 @@ const ( UnitTypeExternalTracker // 7 ExternalTracker ) +func (u UnitType) String() string { + switch u { + case UnitTypeCode: + return "UnitTypeCode" + case UnitTypeIssues: + return "UnitTypeIssues" + case UnitTypePullRequests: + return "UnitTypePullRequests" + case UnitTypeReleases: + return "UnitTypeReleases" + case UnitTypeWiki: + return "UnitTypeWiki" + case UnitTypeExternalWiki: + return "UnitTypeExternalWiki" + case UnitTypeExternalTracker: + return "UnitTypeExternalTracker" + } + return fmt.Sprintf("Unknown UnitType %d", u) +} + +// ColorFormat provides a ColorFormatted version of this UnitType +func (u UnitType) ColorFormat(s fmt.State) { + log.ColorFprintf(s, "%d:%s", + log.NewColoredIDValue(u), + u) +} + var ( // allRepUnitTypes contains all the unit types allRepUnitTypes = []UnitType{ diff --git a/models/user.go b/models/user.go index 93fdc6f4a..eafc53d6f 100644 --- a/models/user.go +++ b/models/user.go @@ -146,6 +146,13 @@ type User struct { Theme string `xorm:"NOT NULL DEFAULT ''"` } +// ColorFormat writes a colored string to identify this struct +func (u *User) ColorFormat(s fmt.State) { + log.ColorFprintf(s, "%d:%s", + log.NewColoredIDValue(u.ID), + log.NewColoredValue(u.Name)) +} + // BeforeUpdate is invoked from XORM before updating this object. func (u *User) BeforeUpdate() { if u.MaxRepoCreation < -1 { diff --git a/modules/context/permission.go b/modules/context/permission.go index 70f869530..6ac935686 100644 --- a/modules/context/permission.go +++ b/modules/context/permission.go @@ -6,6 +6,8 @@ package context import ( "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" + macaron "gopkg.in/macaron.v1" ) @@ -45,6 +47,22 @@ func RequireRepoWriterOr(unitTypes ...models.UnitType) macaron.Handler { func RequireRepoReader(unitType models.UnitType) macaron.Handler { return func(ctx *Context) { if !ctx.Repo.CanRead(unitType) { + if log.IsTrace() { + if ctx.IsSigned { + log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + unitType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+ + "Anonymous user in Repo has Permissions: %-+v", + unitType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } + } ctx.NotFound(ctx.Req.RequestURI, nil) return } @@ -59,6 +77,25 @@ func RequireRepoReaderOr(unitTypes ...models.UnitType) macaron.Handler { return } } + if log.IsTrace() { + var format string + var args []interface{} + if ctx.IsSigned { + format = "Permission Denied: User %-v cannot read [" + args = append(args, ctx.User) + } else { + format = "Permission Denied: Anonymous user cannot read [" + } + for _, unit := range unitTypes { + format += "%-v, " + args = append(args, unit) + } + + format = format[:len(format)-2] + "] in Repo %-v\n" + + "User in Repo has Permissions: %-+v" + args = append(args, ctx.Repo.Repository, ctx.Repo.Permission) + log.Trace(format, args...) + } ctx.NotFound(ctx.Req.RequestURI, nil) } } diff --git a/modules/log/colors.go b/modules/log/colors.go index ed6477d43..0ec8ce4ba 100644 --- a/modules/log/colors.go +++ b/modules/log/colors.go @@ -7,6 +7,7 @@ package log import ( "fmt" "io" + "reflect" "strconv" "strings" ) @@ -195,11 +196,12 @@ normalLoop: lasti := i if c.mode == escapeAll { - for i < end && (bytes[i] >= ' ' || bytes[i] == '\n') { + for i < end && (bytes[i] >= ' ' || bytes[i] == '\n' || bytes[i] == '\t') { i++ } } else { - for i < end && bytes[i] >= ' ' { + // Allow tabs if we're not escaping everything + for i < end && (bytes[i] >= ' ' || bytes[i] == '\t') { i++ } } @@ -266,6 +268,39 @@ normalLoop: return totalWritten, nil } +// ColorSprintf returns a colored string from a format and arguments +// arguments will be wrapped in ColoredValues to protect against color spoofing +func ColorSprintf(format string, args ...interface{}) string { + if len(args) > 0 { + v := make([]interface{}, len(args)) + for i := 0; i < len(v); i++ { + v[i] = NewColoredValuePointer(&args[i]) + } + return fmt.Sprintf(format, v...) + } + return fmt.Sprintf(format) +} + +// ColorFprintf will write to the provided writer similar to ColorSprintf +func ColorFprintf(w io.Writer, format string, args ...interface{}) (int, error) { + if len(args) > 0 { + v := make([]interface{}, len(args)) + for i := 0; i < len(v); i++ { + v[i] = NewColoredValuePointer(&args[i]) + } + return fmt.Fprintf(w, format, v...) + } + return fmt.Fprintf(w, format) +} + +// ColorFormatted structs provide their own colored string when formatted with ColorSprintf +type ColorFormatted interface { + // ColorFormat provides the colored representation of the value + ColorFormat(s fmt.State) +} + +var colorFormattedType = reflect.TypeOf((*ColorFormatted)(nil)).Elem() + // ColoredValue will Color the provided value type ColoredValue struct { colorBytes *[]byte @@ -316,8 +351,33 @@ func NewColoredValueBytes(value interface{}, colorBytes *[]byte) *ColoredValue { } } -// Format will format the provided value and protect against ANSI spoofing within the value +// NewColoredIDValue is a helper function to create a ColoredValue from a Value +// The Value will be colored with FgCyan +// If a ColoredValue is provided it is not changed +func NewColoredIDValue(value interface{}) *ColoredValue { + return NewColoredValueBytes(&value, &fgCyanBytes) +} + +// Format will format the provided value and protect against ANSI color spoofing within the value +// If the wrapped value is ColorFormatted and the format is "%-v" then its ColorString will +// be used. It is presumed that this ColorString is safe. func (cv *ColoredValue) Format(s fmt.State, c rune) { + if c == 'v' && s.Flag('-') { + if val, ok := (*cv.Value).(ColorFormatted); ok { + val.ColorFormat(s) + return + } + v := reflect.ValueOf(*cv.Value) + t := v.Type() + + if reflect.PtrTo(t).Implements(colorFormattedType) { + vp := reflect.New(t) + vp.Elem().Set(v) + val := vp.Interface().(ColorFormatted) + val.ColorFormat(s) + return + } + } s.Write([]byte(*cv.colorBytes)) fmt.Fprintf(&protectedANSIWriter{w: s}, fmtString(s, c), *(cv.Value)) s.Write([]byte(*cv.resetBytes)) diff --git a/modules/log/logger.go b/modules/log/logger.go index 925ab02b7..9704ffd3d 100644 --- a/modules/log/logger.go +++ b/modules/log/logger.go @@ -69,11 +69,7 @@ func (l *Logger) Log(skip int, level Level, format string, v ...interface{}) err } msg := format if len(v) > 0 { - args := make([]interface{}, len(v)) - for i := 0; i < len(args); i++ { - args[i] = NewColoredValuePointer(&v[i]) - } - msg = fmt.Sprintf(format, args...) + msg = ColorSprintf(format, v...) } stack := "" if l.GetStacktraceLevel() <= level { diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index ac92f7cd4..d201dff91 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -369,6 +369,22 @@ func orgAssignment(args ...bool) macaron.Handler { func mustEnableIssues(ctx *context.APIContext) { if !ctx.Repo.CanRead(models.UnitTypeIssues) { + if log.IsTrace() { + if ctx.IsSigned { + log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + models.UnitTypeIssues, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+ + "Anonymous user in Repo has Permissions: %-+v", + models.UnitTypeIssues, + ctx.Repo.Repository, + ctx.Repo.Permission) + } + } ctx.NotFound() return } @@ -376,6 +392,22 @@ func mustEnableIssues(ctx *context.APIContext) { func mustAllowPulls(ctx *context.APIContext) { if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) { + if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() { + if ctx.IsSigned { + log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + models.UnitTypePullRequests, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+ + "Anonymous user in Repo has Permissions: %-+v", + models.UnitTypePullRequests, + ctx.Repo.Repository, + ctx.Repo.Permission) + } + } ctx.NotFound() return } @@ -384,6 +416,24 @@ func mustAllowPulls(ctx *context.APIContext) { func mustEnableIssuesOrPulls(ctx *context.APIContext) { if !ctx.Repo.CanRead(models.UnitTypeIssues) && !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) { + if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() { + if ctx.IsSigned { + log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + models.UnitTypeIssues, + models.UnitTypePullRequests, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+ + "Anonymous user in Repo has Permissions: %-+v", + models.UnitTypeIssues, + models.UnitTypePullRequests, + ctx.Repo.Repository, + ctx.Repo.Permission) + } + } ctx.NotFound() return } diff --git a/routers/api/v1/repo/pull.go b/routers/api/v1/repo/pull.go index 7abe6241b..4fbd024f8 100644 --- a/routers/api/v1/repo/pull.go +++ b/routers/api/v1/repo/pull.go @@ -672,7 +672,12 @@ func parseCompareInfo(ctx *context.APIContext, form api.CreatePullRequestOption) return nil, nil, nil, nil, "", "" } if !perm.CanReadIssuesOrPulls(true) { - log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID) + if log.IsTrace() { + log.Trace("Permission Denied: User %-v cannot create/read pull requests in Repo %-v\nUser in headRepo has Permissions: %-+v", + ctx.User, + headRepo, + perm) + } ctx.NotFound() return nil, nil, nil, nil, "", "" } diff --git a/routers/repo/issue.go b/routers/repo/issue.go index 7a681033a..42661ef73 100644 --- a/routers/repo/issue.go +++ b/routers/repo/issue.go @@ -1163,6 +1163,24 @@ func NewComment(ctx *context.Context, form auth.CreateCommentForm) { } if !ctx.IsSigned || (ctx.User.ID != issue.PosterID && !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull)) { + if log.IsTrace() { + if ctx.IsSigned { + issueType := "issues" + if issue.IsPull { + issueType = "pulls" + } + log.Trace("Permission Denied: User %-v not the Poster (ID: %d) and cannot read %s in Repo %-v.\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + log.NewColoredIDValue(issue.PosterID), + issueType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Not logged in") + } + } + ctx.Error(403) } @@ -1353,6 +1371,24 @@ func ChangeIssueReaction(ctx *context.Context, form auth.ReactionForm) { } if !ctx.IsSigned || (ctx.User.ID != issue.PosterID && !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull)) { + if log.IsTrace() { + if ctx.IsSigned { + issueType := "issues" + if issue.IsPull { + issueType = "pulls" + } + log.Trace("Permission Denied: User %-v not the Poster (ID: %d) and cannot read %s in Repo %-v.\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + log.NewColoredIDValue(issue.PosterID), + issueType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Not logged in") + } + } + ctx.Error(403) return } @@ -1432,6 +1468,24 @@ func ChangeCommentReaction(ctx *context.Context, form auth.ReactionForm) { } if !ctx.IsSigned || (ctx.User.ID != comment.PosterID && !ctx.Repo.CanReadIssuesOrPulls(comment.Issue.IsPull)) { + if log.IsTrace() { + if ctx.IsSigned { + issueType := "issues" + if comment.Issue.IsPull { + issueType = "pulls" + } + log.Trace("Permission Denied: User %-v not the Poster (ID: %d) and cannot read %s in Repo %-v.\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + log.NewColoredIDValue(comment.Issue.PosterID), + issueType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Not logged in") + } + } + ctx.Error(403) return } else if comment.Type != models.CommentTypeComment && comment.Type != models.CommentTypeCode { diff --git a/routers/repo/issue_watch.go b/routers/repo/issue_watch.go index c6a436801..eae663495 100644 --- a/routers/repo/issue_watch.go +++ b/routers/repo/issue_watch.go @@ -11,6 +11,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" + "code.gitea.io/gitea/modules/log" ) // IssueWatch sets issue watching @@ -21,6 +22,23 @@ func IssueWatch(ctx *context.Context) { } if !ctx.IsSigned || (ctx.User.ID != issue.PosterID && !ctx.Repo.CanReadIssuesOrPulls(issue.IsPull)) { + if log.IsTrace() { + if ctx.IsSigned { + issueType := "issues" + if issue.IsPull { + issueType = "pulls" + } + log.Trace("Permission Denied: User %-v not the Poster (ID: %d) and cannot read %s in Repo %-v.\n"+ + "User in Repo has Permissions: %-+v", + ctx.User, + log.NewColoredIDValue(issue.PosterID), + issueType, + ctx.Repo.Repository, + ctx.Repo.Permission) + } else { + log.Trace("Permission Denied: Not logged in") + } + } ctx.Error(403) return } diff --git a/routers/repo/pull.go b/routers/repo/pull.go index 0616ee2c7..70a1443e8 100644 --- a/routers/repo/pull.go +++ b/routers/repo/pull.go @@ -64,6 +64,18 @@ func getForkRepository(ctx *context.Context) *models.Repository { } if forkRepo.IsEmpty || !perm.CanRead(models.UnitTypeCode) { + if log.IsTrace() { + if forkRepo.IsEmpty { + log.Trace("Empty fork repository %-v", forkRepo) + } else { + log.Trace("Permission Denied: User %-v cannot read %-v of forkRepo %-v\n"+ + "User in forkRepo has Permissions: %-+v", + ctx.User, + models.UnitTypeCode, + ctx.Repo, + perm) + } + } ctx.NotFound("getForkRepository", nil) return nil } @@ -704,7 +716,12 @@ func ParseCompareInfo(ctx *context.Context) (*models.User, *models.Repository, * return nil, nil, nil, nil, "", "" } if !perm.CanReadIssuesOrPulls(true) { - log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID) + if log.IsTrace() { + log.Trace("Permission Denied: User: %-v cannot create/read pull requests in Repo: %-v\nUser in headRepo has Permissions: %-+v", + ctx.User, + headRepo, + perm) + } ctx.NotFound("ParseCompareInfo", nil) return nil, nil, nil, nil, "", "" } diff --git a/routers/repo/wiki.go b/routers/repo/wiki.go index c0fb370dd..43149c034 100644 --- a/routers/repo/wiki.go +++ b/routers/repo/wiki.go @@ -16,6 +16,7 @@ import ( "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/git" + "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/markup" "code.gitea.io/gitea/modules/markup/markdown" "code.gitea.io/gitea/modules/util" @@ -32,6 +33,15 @@ const ( func MustEnableWiki(ctx *context.Context) { if !ctx.Repo.CanRead(models.UnitTypeWiki) && !ctx.Repo.CanRead(models.UnitTypeExternalWiki) { + if log.IsTrace() { + log.Trace("Permission Denied: User %-v cannot read %-v or %-v of repo %-v\n"+ + "User in repo has Permissions: %-+v", + ctx.User, + models.UnitTypeWiki, + models.UnitTypeExternalWiki, + ctx.Repo.Repository, + ctx.Repo.Permission) + } ctx.NotFound("MustEnableWiki", nil) return } diff --git a/routers/user/home.go b/routers/user/home.go index 79377ac50..2293461f0 100644 --- a/routers/user/home.go +++ b/routers/user/home.go @@ -14,6 +14,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" + "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" @@ -308,6 +309,14 @@ func Issues(ctx *context.Context) { return } if !perm.CanRead(models.UnitTypeIssues) { + if log.IsTrace() { + log.Trace("Permission Denied: User %-v cannot read %-v of repo %-v\n"+ + "User in repo has Permissions: %-+v", + ctxUser, + models.UnitTypeIssues, + repo, + perm) + } ctx.Status(404) return }