From e35791b2b2888979ba53b8a9a58e1cb132026914 Mon Sep 17 00:00:00 2001
From: Florian Kaiser
Date: Sun, 31 Jan 2016 13:28:42 +0000
Subject: [PATCH] Only show teams the user has access to
---
 cmd/web.go | 5 ++-
 models/org.go | 39 ++++++++++++++++-------
 modules/middleware/context.go | 1 +
 modules/middleware/org.go | 60 +++++++++++++++++++++++++----------
 routers/org/teams.go | 5 +--
 routers/user/home.go | 9 ++----
 6 files changed, 81 insertions(+), 38 deletions(-)
diff --git a/cmd/web.go b/cmd/web.go
index cf47d5c53..394959546 100644
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -350,11 +350,14 @@ func runWeb(ctx *cli.Context) {
 m.Get("/members/action/:action", org.MembersAction)
 m.Get("/teams", org.Teams)
+ }, middleware.OrgAssignment(true))
+
+ m.Group("/:org", func() {
 m.Get("/teams/:team", org.TeamMembers)
 m.Get("/teams/:team/repositories", org.TeamRepositories)
 m.Route("/teams/:team/action/:action", "GET,POST", org.TeamsAction)
 m.Route("/teams/:team/action/repo/:action", "GET,POST", org.TeamsRepoAction)
- }, middleware.OrgAssignment(true))
+ }, middleware.OrgAssignment(true, false, true))
 m.Group("/:org", func() {
 m.Get("/teams/new", org.NewTeam)
diff --git a/models/org.go b/models/org.go
index c9d8f1196..839d26742 100644
--- a/models/org.go
+++ b/models/org.go
@@ -9,7 +9,6 @@ import (
 "fmt"
 "os"
 "strings"
- "strconv"
 "github.com/go-xorm/xorm"
 )
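Review bot: The third positional argument of `middleware.OrgAssignment` changes meaning in this commit — in the `HandleOrgAssignment` hunk of modules/middleware/org.go it now sets `requireTeamMember` and `requireAdminTeam` moves to the fourth slot — yet this hunk updates only the new `/teams/:team` group. The next `m.Group("/:org", …)` (`/teams/new`, …) closes outside the hunk and its middleware arguments are not shown, while the diffstat for cmd/web.go lists only the handful of lines visible here, so any pre-existing call of the form `OrgAssignment(x, y, true)` that meant "admin team required" would now mean only "team membership required", which is a weaker check. Every caller should be re-read against the new positions, and because a variadic list of bools cannot be checked by the compiler, naming the flags (an options struct or `const` bit flags passed to `OrgAssignment`) would prevent this class of silent shift in future.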
@@ -1037,31 +1036,49 @@ func (org *User) getUserRepositories(userID int64) (err error) {
 And("`team_user`.uid=?", userID).
 Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id").
 Find(&teams); err != nil {
- return fmt.Errorf("get team: %v", err)
+ return fmt.Errorf("getUserRepositories: get teams: %v", err)
 }
- var teamIDs []string
+ var teamIDs []int64
 for _, team := range teams {
- s := strconv.FormatInt(team.ID, 32)
- teamIDs = append(teamIDs, s)
+ teamIDs = append(teamIDs, team.ID)
 }
- // The "in" clause it not vulnerable to SQL injection because we
- // convert it from int64 a few lines above. Sadly, xorm does not support
- // "in" clauses as a function, so we have to build our own (for now).
 if err := x.Cols("`repository`.*").
- Where("`team_repo`.team_id in (" + strings.Join(teamIDs, ",") + ")").
+ In("`team_repo`.team_id", teamIDs).
 Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id").
 GroupBy("`repository`.id").
 Find(&org.Repos); err != nil {
- return fmt.Errorf("get repositories: %v", err)
+ return fmt.Errorf("getUserRepositories: get repositories: %v", err)
 }
+ org.NumRepos = len(org.Repos)
+
 return
 }
 // GetUserRepositories gets all repositories of an organization,
 // that the user with the given userID has access to.
-func (org *User) GetUserRepositories(userID int64) (err error) {
+func (org *User) GetUserRepositories(userID int64) error {
 return org.getUserRepositories(userID)
 }
+
+func (org *User) getUserTeams(userID int64) (err error) {
+ if err := x.Cols("`team`.*").
+ Where("`team_user`.org_id=?", org.Id).
+ And("`team_user`.uid=?", userID).
+ Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id").
+ Find(&org.Teams); err != nil {
+ return fmt.Errorf("getUserTeams: %v", err)
+ }
+
+ org.NumTeams = len(org.Teams)
+
+ return
+}
+
+// GetTeams returns all teams that belong to organization,
+// and that the user has joined.
+func (org *User) GetUserTeams(userID int64) error {
+ return org.getUserTeams(userID)
+}
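Review bot: `getUserTeams` and the new line in `getUserRepositories` overwrite `org.NumTeams` and `org.NumRepos` with the number of teams or repositories visible to one viewer; if those fields are persisted columns of the organization (their declaration is not in this patch), any later save of this `org` value would write a viewer-relative count into the database, so either keep the filtered counts in separate fields or document on both methods that the receiver must not be saved afterwards. The doc comment on `GetUserTeams` names the wrong function and should read `// GetUserTeams returns all teams of the organization that the user with the given userID has joined.` The named result `err` of `getUserTeams` is shadowed by the `if err :=` initializer and is only ever returned as its zero value, so an unnamed `error` result with `return nil`, matching the exported wrapper, is clearer.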
diff --git a/modules/middleware/context.go b/modules/middleware/context.go
index d58967b89..59e95aada 100644
--- a/modules/middleware/context.go
+++ b/modules/middleware/context.go
@@ -65,6 +65,7 @@ type Context struct {
 Org struct {
 IsOwner bool
 IsMember bool
+ IsTeamMember bool // Is member of team.
 IsAdminTeam bool // In owner team or team that has admin permission level.
 Organization *models.User
 OrgLink string
diff --git a/modules/middleware/org.go b/modules/middleware/org.go
index 37ba4deb1..34ec90dc6 100644
--- a/modules/middleware/org.go
+++ b/modules/middleware/org.go
@@ -5,6 +5,8 @@ package middleware
 import (
+ "strings"
+
 "gopkg.in/macaron.v1"
 "github.com/gogits/gogs/models"
@@ -13,9 +15,10 @@ import (
 func HandleOrgAssignment(ctx *Context, args ...bool) {
 var (
- requireMember bool
- requireOwner bool
- requireAdminTeam bool
+ requireMember bool
+ requireOwner bool
+ requireTeamMember bool
+ requireAdminTeam bool
 )
 if len(args) >= 1 {
 requireMember = args[0]
@@ -24,7 +27,10 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 requireOwner = args[1]
 }
 if len(args) >= 3 {
- requireAdminTeam = args[2]
+ requireTeamMember = args[2]
+ }
+ if len(args) >= 4 {
+ requireAdminTeam = args[3]
 }
 orgName := ctx.Params(":org")
@@ -52,11 +58,13 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 if ctx.IsSigned && ctx.User.IsAdmin {
 ctx.Org.IsOwner = true
 ctx.Org.IsMember = true
+ ctx.Org.IsTeamMember = true
 ctx.Org.IsAdminTeam = true
 } else if ctx.IsSigned {
 ctx.Org.IsOwner = org.IsOwnedBy(ctx.User.Id)
 if ctx.Org.IsOwner {
 ctx.Org.IsMember = true
+ ctx.Org.IsTeamMember = true
 ctx.Org.IsAdminTeam = true
 } else {
 if org.IsOrgMember(ctx.User.Id) {
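Review bot: The comment on the new `IsTeamMember` field (`// Is member of team.`) does not say when the flag is meaningful: in the `HandleOrgAssignment` hunks it is set true unconditionally for site admins and owners before any team is resolved, and for other members only when the `:team` parameter names a team the viewer has joined, so on requests without `:team` it stays false for an ordinary member regardless of their memberships. Suggest `// Is member of the team named by :team; always true for owners and site admins.` so that templates and handlers do not read it as a general membership flag. `IsAdminTeam` has the same two-phase life (set for owners/admins up front, recomputed once a team is resolved) and its comment could say so as well.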
@@ -79,25 +87,45 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 ctx.Data["OrgLink"] = ctx.Org.OrgLink
 // Team.
+ if ctx.Org.IsMember {
+ if err := org.GetUserTeams(ctx.User.Id); err != nil {
+ ctx.Handle(500, "GetUserTeams", err)
+ return
+ }
+ }
+
 teamName := ctx.Params(":team")
 if len(teamName) > 0 {
- ctx.Org.Team, err = org.GetTeam(teamName)
- if err != nil {
- if err == models.ErrTeamNotExist {
- ctx.Handle(404, "GetTeam", err)
- } else {
- ctx.Handle(500, "GetTeam", err)
+ teamExists := false
+ for _, team := range org.Teams {
+ if strings.ToLower(team.Name) == strings.ToLower(teamName) {
+ teamExists = true
+ ctx.Org.Team = team
+ ctx.Org.IsTeamMember = true
+ ctx.Data["Team"] = ctx.Org.Team
+ break
 }
+ }
+
+ if !teamExists {
+ ctx.Handle(404, "OrgAssignment", err)
+ return
+ }
+
+ ctx.Data["IsTeamMember"] = ctx.Org.IsTeamMember
+ if requireTeamMember && !ctx.Org.IsTeamMember {
+ ctx.Handle(404, "OrgAssignment", err)
 return
 }
- ctx.Data["Team"] = ctx.Org.Team
+ ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.ACCESS_MODE_ADMIN
+ ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam
+ if requireAdminTeam && !ctx.Org.IsAdminTeam {
+ ctx.Handle(404, "OrgAssignment", err)
+ return
+ }
 }
- ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam
- if requireAdminTeam && !ctx.Org.IsAdminTeam {
- ctx.Handle(404, "OrgAssignment", err)
- return
- }
+
 }
 func OrgAssignment(args ...bool) macaron.Handler {
diff --git a/routers/org/teams.go b/routers/org/teams.go
index b2128baab..63618b985 100644
--- a/routers/org/teams.go
+++ b/routers/org/teams.go
@@ -28,10 +28,7 @@ func Teams(ctx *middleware.Context) {
 ctx.Data["Title"] = org.FullName
 ctx.Data["PageIsOrgTeams"] = true
- if err := org.GetTeams(); err != nil {
- ctx.Handle(500, "GetTeams", err)
- return
- }
+ // org.Teams is already loaded by middleware
 for _, t := range org.Teams {
 if err := t.GetMembers(); err != nil {
 ctx.Handle(500, "GetMembers", err)
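Review bot: Owners and site admins are locked out of teams they have not joined: the earlier hunk of this file marks them `IsOwner`, `IsTeamMember` and `IsAdminTeam`, but the `:team` lookup here searches only `org.Teams`, which `GetUserTeams` fills from the viewer's own `team_user` rows, so a team the owner is not a member of hits the `!teamExists` 404, and the `/teams` listing that `Teams` in routers/org/teams.go now reads from `org.Teams` shrinks to the owner's own teams as well. Loading the full list when `ctx.Org.IsOwner` is set keeps the new restriction for ordinary members and restores the previous behaviour for the roles the flags already trust; the sketch below assigns to the function-level `err` that the removed `org.GetTeam` line used and calls `org.GetTeams`, the method this commit removes from the routers (`HandleOrgAssignment` begins outside the hunk). Two smaller points: `ctx.Data["IsAdminTeam"]` used to be set on every request and is now set only when `:team` is present, so templates on other org pages that test it will find it unset; and the three `ctx.Handle(404, "OrgAssignment", err)` calls now pass an `err` that nothing in this branch assigns, so a descriptive value (or `nil`, if `Handle` accepts it) avoids reporting a stale error. `strings.EqualFold(team.Name, teamName)` replaces the two `ToLower` calls, and the lone `+` blank line left before the closing brace should be dropped.
```go
	// Team.
	if ctx.Org.IsMember {
		// Owners (site admins are flagged IsOwner above) may see every team;
		// other members only the teams they have joined.
		if ctx.Org.IsOwner {
			err = org.GetTeams()
		} else {
			err = org.GetUserTeams(ctx.User.Id)
		}
		if err != nil {
			ctx.Handle(500, "GetTeams", err)
			return
		}
	}
	// … unchanged: :team lookup in org.Teams, IsTeamMember / IsAdminTeam checks …
```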
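Review bot: `// org.Teams is already loaded by middleware` records a dependency the compiler cannot check: the list is populated only when `HandleOrgAssignment` runs with `ctx.Org.IsMember` true, so if this handler is ever mounted without `OrgAssignment(true)` the page renders an empty team list instead of failing. The comment should name the contract, e.g. `// org.Teams is populated by middleware.HandleOrgAssignment; this route must be mounted behind OrgAssignment(true).` The enclosing `Teams` function starts and ends outside the hunk.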
diff --git a/routers/user/home.go b/routers/user/home.go
index b198e801d..fabe7b1f3 100644
--- a/routers/user/home.go
+++ b/routers/user/home.go
@@ -312,9 +312,10 @@ func showOrgProfile(ctx *middleware.Context) {
 }
 org := ctx.Org.Organization
+ userId := ctx.User.Id
 ctx.Data["Title"] = org.FullName
- if err := org.GetUserRepositories(ctx.User.Id); err != nil {
+ if err := org.GetUserRepositories(userId); err != nil {
 ctx.Handle(500, "GetUserRepositories", err)
 return
 }
@@ -326,11 +327,7 @@ func showOrgProfile(ctx *middleware.Context) {
 }
 ctx.Data["Members"] = org.Members
- if err := org.GetTeams(); err != nil {
- ctx.Handle(500, "GetTeams", err)
- return
- }
- ctx.Data["Teams"] = org.Teams
+ ctx.Data["Teams"] = org.Teams // already loaded by middleware
 ctx.HTML(200, ORG_HOME)
 }
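Review bot: `userId` should be `userID` — Go keeps initialisms in one case, and the models hunk of this same patch already uses `userID`. The variable is used exactly once, so the hoist adds nothing; keeping `org.GetUserRepositories(ctx.User.Id)` as before is simpler. In the second hunk, `ctx.Data["Teams"] = org.Teams` is now filled only when the middleware ran with `ctx.Org.IsMember` true, so non-members get an empty list by design; the comment should state that rather than just "already loaded", e.g. `// populated by middleware.HandleOrgAssignment for members only; empty for other viewers`. `showOrgProfile` starts outside the hunk.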