From d4e35b9dc61779559fe28a7537d28bef2938a443 Mon Sep 17 00:00:00 2001 From: wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf <61180606+wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf@users.noreply.github.com> Date: Sat, 22 Aug 2020 08:58:59 +0200 Subject: [PATCH] Hide 'New Project board' button for users that are not signed in (#12547) * hide: 'New Project board' button * there is no reason to show the button for users that are not signed in * update template: specifies the condition together with another one as per lafriks' suggestion in the comment * chore: add proper user authorization check * chore: also hide button if repo is archived * chore: show project board edit/delete menu to authorized users only * chore: drop the redundant IsSigned check * CanWriteIssues and CanWritePulls implies (and requires) signed in user * Add CanWriteProjects and properly assert permissions Signed-off-by: Andrew Thornton Co-authored-by: Andrew Thornton Co-authored-by: techknowlogick --- routers/repo/projects.go | 17 +++-- routers/routes/routes.go | 31 +++++---- templates/repo/projects/list.tmpl | 62 +++++++++--------- templates/repo/projects/new.tmpl | 2 +- templates/repo/projects/view.tmpl | 102 ++++++++++++++---------------- 5 files changed, 110 insertions(+), 104 deletions(-) diff --git a/routers/repo/projects.go b/routers/repo/projects.go index daa94a308..948f88375 100644 --- a/routers/repo/projects.go +++ b/routers/repo/projects.go @@ -95,6 +95,7 @@ func Projects(ctx *context.Context) { pager.AddParam(ctx, "state", "State") ctx.Data["Page"] = pager + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) ctx.Data["IsShowClosed"] = isShowClosed ctx.Data["IsProjectsPage"] = true ctx.Data["SortType"] = sortType 
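Review bot: `ctx.Data["CanWriteProjects"]` is assigned by hand in `Projects` and again, with the identical expression, in NewProject, NewProjectPost, EditProject, EditProjectPost, ViewProject, CreateProject and CreateProjectPost, so a handler added later that renders these templates and omits the line will silently hide the controls. Setting the value once where the repository permission is loaded, or through a small helper, would keep the handlers in step. The assignment also deserves a comment, for example `// Display hint only; write access is enforced by reqRepoProjectsWriter on the routes.` The body of `Projects` starts and ends outside this hunk.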
@@ -106,16 +107,17 @@ func Projects(ctx *context.Context) { func NewProject(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("repo.projects.new") ctx.Data["ProjectTypes"] = models.GetProjectsConfig() - + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) ctx.HTML(200, tplProjectsNew) } -// NewRepoProjectPost creates a new project -func NewRepoProjectPost(ctx *context.Context, form auth.CreateProjectForm) { - +// NewProjectPost creates a new project +func NewProjectPost(ctx *context.Context, form auth.CreateProjectForm) { ctx.Data["Title"] = ctx.Tr("repo.projects.new") if ctx.HasError() { + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) + ctx.Data["ProjectTypes"] = models.GetProjectsConfig() ctx.HTML(200, tplProjectsNew) return } @@ -192,6 +194,7 @@ func EditProject(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("repo.projects.edit") ctx.Data["PageIsProjects"] = true ctx.Data["PageIsEditProjects"] = true + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) p, err := models.GetProjectByID(ctx.ParamsInt64(":id")) if err != nil { @@ -218,9 +221,10 @@ func EditProjectPost(ctx *context.Context, form auth.CreateProjectForm) { ctx.Data["Title"] = ctx.Tr("repo.projects.edit") ctx.Data["PageIsProjects"] = true ctx.Data["PageIsEditProjects"] = true + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) if ctx.HasError() { - ctx.HTML(200, tplMilestoneNew) + ctx.HTML(200, tplProjectsNew) return } @@ -287,6 +291,7 @@ func ViewProject(ctx *context.Context) { return } + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) ctx.Data["Project"] = project ctx.Data["Boards"] = allBoards ctx.Data["PageIsProjects"] = true 
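Review bot: In `EditProject` the project is loaded with `models.GetProjectByID(ctx.ParamsInt64(":id"))`, a lookup by global ID, while the new authorization (`reqRepoProjectsWriter`, `CanWriteProjects`) is evaluated against the repository named in the URL. Unless the code after the lookup, which lies outside this hunk, compares the project's repository with `ctx.Repo.Repository`, write access to one repository would be enough to reach a project that belongs to another. A guard such as `if p.RepoID != ctx.Repo.Repository.ID { ctx.NotFound("", nil); return }` directly after the error check closes that gap. The same check is worth confirming in EditProjectPost, ViewProject and the other `/:id` handlers.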
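Review bot: The validation-error path in `EditProjectPost` now renders `tplProjectsNew` but does not set `ProjectTypes`, whereas the matching path in `NewProjectPost` in this patch sets it before rendering the same template. If the template reads `.ProjectTypes` in edit mode as well, the re-rendered form would lose its type choices. Either add `ctx.Data["ProjectTypes"] = models.GetProjectsConfig()` inside the `if ctx.HasError()` block or leave a comment saying why edit mode does not need it. The function continues past the end of the hunk.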
@@ -551,6 +556,7 @@ func MoveIssueAcrossBoards(ctx *context.Context) { func CreateProject(ctx *context.Context) { ctx.Data["Title"] = ctx.Tr("repo.projects.new") ctx.Data["ProjectTypes"] = models.GetProjectsConfig() + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) ctx.HTML(200, tplGenericProjectsNew) } @@ -566,6 +572,7 @@ func CreateProjectPost(ctx *context.Context, form auth.UserCreateProjectForm) { ctx.Data["ContextUser"] = user if ctx.HasError() { + ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects) ctx.HTML(200, tplGenericProjectsNew) return } diff --git a/routers/routes/routes.go b/routers/routes/routes.go index 27af9275e..bdb82db6f 100644 --- a/routers/routes/routes.go +++ b/routers/routes/routes.go @@ -535,6 +535,7 @@ func RegisterRoutes(m *macaron.Macaron) { reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects) + reqRepoProjectsWriter := context.RequireRepoWriter(models.UnitTypeProjects) // ***** START: Organization ***** m.Group("/org", func() { 
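Review bot: `CreateProject` and the error path of `CreateProjectPost` read `ctx.Repo.Permission`, yet both render `tplGenericProjectsNew` and `CreateProjectPost` sets `ContextUser`, which suggests they serve the user- or organisation-level form rather than a repository page. If no repository is loaded on those routes, the permission is presumably zero-valued and `CanWriteProjects` is always false there, so the flag says nothing about whether the signed-in user may create a project for that owner. The route registration for these handlers is not in the patch, so this needs confirming. If it holds, the flag should come from the check that authorizes the owner-level route, or be omitted with a comment such as `// No repository context here; access is decided by the owner-level route middleware.`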
@@ -858,24 +859,26 @@ func RegisterRoutes(m *macaron.Macaron) { m.Group("/projects", func() { m.Get("", repo.Projects) - m.Get("/new", repo.NewProject) - m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewRepoProjectPost) - m.Group("/:id", func() { - m.Get("", repo.ViewProject) - m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost) - m.Post("/delete", repo.DeleteProject) + m.Get("/:id", repo.ViewProject) + m.Group("", func() { + m.Get("/new", repo.NewProject) + m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewProjectPost) + m.Group("/:id", func() { + m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost) + m.Post("/delete", repo.DeleteProject) - m.Get("/edit", repo.EditProject) - m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost) - m.Post("/^:action(open|close)$", repo.ChangeProjectStatus) + m.Get("/edit", repo.EditProject) + m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost) + m.Post("/^:action(open|close)$", repo.ChangeProjectStatus) - m.Group("/:boardID", func() { - m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle) - m.Delete("", repo.DeleteProjectBoard) + m.Group("/:boardID", func() { + m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle) + m.Delete("", repo.DeleteProjectBoard) - m.Post("/:index", repo.MoveIssueAcrossBoards) + m.Post("/:index", repo.MoveIssueAcrossBoards) + }) }) - }) + }, reqRepoProjectsWriter, context.RepoMustNotBeArchived()) }, reqRepoProjectsReader, repo.MustEnableProjects) m.Group("/wiki", func() { diff --git a/templates/repo/projects/list.tmpl b/templates/repo/projects/list.tmpl index f48cf400b..6e98bd3fd 100644 --- a/templates/repo/projects/list.tmpl +++ b/templates/repo/projects/list.tmpl @@ -4,10 +4,10 @@
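Review bot: The nested `m.Group("", ...)` attaches `reqRepoProjectsWriter` and `context.RepoMustNotBeArchived()` to every state-changing project route, but nothing in the code says so, and a route added later next to `m.Get("/:id", repo.ViewProject)` instead of inside the group would get only the reader check. I would put a comment above the group: `// State-changing project routes: require write access to the projects unit and a non-archived repository.` The read-only `/:id` route now sits beside `/new`, so it relies on the router preferring the static segment. A routing test that requests `GET /projects/new` and the POST routes as a read-only user would pin down both the precedence and the rejection. `RegisterRoutes` begins and ends outside this hunk.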
@@ -39,35 +39,35 @@
{{range .Projects}} -
  • - {{svg "octicon-project" 16}} {{.Title}} -
    - {{ $closedDate:= TimeSinceUnix .ClosedDateUnix $.Lang }} - {{if .IsClosed }} - {{svg "octicon-clock" 16}} {{$.i18n.Tr "repo.milestones.closed" $closedDate|Str2html}} +
  • + {{svg "octicon-project" 16}} {{.Title}} +
    + {{ $closedDate:= TimeSinceUnix .ClosedDateUnix $.Lang }} + {{if .IsClosed }} + {{svg "octicon-clock" 16}} {{$.i18n.Tr "repo.milestones.closed" $closedDate|Str2html}} + {{end}} + + {{svg "octicon-issue-opened" 16}} {{$.i18n.Tr "repo.issues.open_tab" .NumOpenIssues}} + {{svg "octicon-issue-closed" 16}} {{$.i18n.Tr "repo.issues.close_tab" .NumClosedIssues}} + +
    + {{if and (or $.CanWriteIssues $.CanWritePulls) (not $.Repository.IsArchived)}} + {{end}} - - {{svg "octicon-issue-opened" 16}} {{$.i18n.Tr "repo.issues.open_tab" .NumOpenIssues}} - {{svg "octicon-issue-closed" 16}} {{$.i18n.Tr "repo.issues.close_tab" .NumClosedIssues}} - -
  • - {{if and (or $.CanWriteIssues $.CanWritePulls) (not $.Repository.IsArchived)}} - - {{end}} - {{if .Description}} -
    - {{.RenderedContent|Str2html}} -
    - {{end}} - + {{end}} {{template "base/paginate" .}} diff --git a/templates/repo/projects/new.tmpl b/templates/repo/projects/new.tmpl index 2da722bf9..aabc09c80 100644 --- a/templates/repo/projects/new.tmpl +++ b/templates/repo/projects/new.tmpl @@ -4,7 +4,7 @@
    - {{if .PageIsProjects}} - {{.i18n.Tr "new_project_board"}} + {{if and .CanWriteProjects (not .Repository.IsArchived) .PageIsProjects}} + {{.i18n.Tr "new_project_board"}} {{end}} -
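Review bot: In templates/repo/projects/list.tmpl the per-project menu is still gated on `{{if and (or $.CanWriteIssues $.CanWritePulls) (not $.Repository.IsArchived)}}` on the new side, while the button condition in this patch uses `.CanWriteProjects` and the routes behind the menu now require `reqRepoProjectsWriter`. A user who can write issues or pulls but not projects would be shown edit and close controls that the server then rejects, and a user with only projects write access would not see them. Using the same flag keeps the page consistent with the enforcement: `{{if and $.CanWriteProjects (not $.Repository.IsArchived)}}`.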