Closed
Description
Steps to reproduce:
- Create a repository owned by an organization.
- Create a team in the org with the following permissions. Note: the team has read permission for at least one unit but not for pull requests

- Add a user to this team who is not a repo collaborator or part of any other team in the org. Notably, they do not have read permission for pull requests.
- They will show up as an option in the reviewers list in a pull request within this org:

2024/10/31 13:34:51 ...rs/web/repo/issue.go:2532:UpdatePullReviewRequest() [W] UpdatePullReviewRequest: refusing to add invalid review request for <User 12:testsamluser> to <Repository 4:AuditOrg/Test-Repo>#1: Error: Reviewer can't read [user_id: 1, repo_id: 4]
Notes:

```go
func GetReviewers(ctx context.Context, repo *Repository, doerID, posterID int64) ([]*user_model.User, error) {
	...
	cond = cond.And(builder.In("`user`.id",
		builder.Select("user_id").From("access").Where(
			builder.Eq{"repo_id": repo.ID}.
				And(builder.Gte{"mode": perm.AccessModeRead}),
		),
	))
```
The `GetReviewers` function checks the `access` table to determine review eligibility. However, this table explicitly stores the highest level of access for a user within a repository:

```go
// Access represents the highest access level of a user to the repository. The only access type
// that is not in this table is the real owner of a repository. In case of an organization
// repository, the members of the owners team are in this table.
type Access struct {
	ID     int64 `xorm:"pk autoincr"`
	UserID int64 `xorm:"UNIQUE(s)"`
	RepoID int64 `xorm:"UNIQUE(s)"`
	Mode   perm.AccessMode
}
```
In this case, the `access` table will show the user as having read permission incorrectly.
Gitea Version
main
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
command-line
Database
None
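To make the mismatch described in the report concrete, the following is an added, self-contained Go model (not Gitea's code, and not written by the reporter). It flattens per-unit team permissions into a single highest mode the way the `access` table does, runs the same `mode >= read` filter `GetReviewers` applies, and then runs the per-unit check that `UpdatePullReviewRequest` enforces at submit time. The team names, unit names, and user IDs 1 and 12 are constructed for the example; the `AccessMode` ordering is an assumption that only None < Read < Write matters.

```go
package main

import (
	"fmt"
	"sort"
)

// AccessMode mirrors the ordering of Gitea's perm.AccessMode; only None < Read < Write
// matters for this model (assumption, not Gitea's full type).
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
)

// Unit names a repository unit; the string values are illustrative.
type Unit string

const (
	UnitCode         Unit = "code"
	UnitIssues       Unit = "issues"
	UnitPullRequests Unit = "pull_requests"
)

// Team is a constructed model of an org team: per-unit modes plus member IDs.
type Team struct {
	Name    string
	Members []int64
	Units   map[Unit]AccessMode
}

// AccessRow models one row of the `access` table: the user's highest mode over all units.
type AccessRow struct {
	UserID int64
	RepoID int64
	Mode   AccessMode
}

// buildAccessTable stores, per member, the highest mode any of their teams grants on
// any unit. This flattening is what loses the per-unit information.
func buildAccessTable(repoID int64, teams []Team) []AccessRow {
	best := map[int64]AccessMode{}
	for _, t := range teams {
		teamMax := AccessModeNone
		for _, m := range t.Units {
			if m > teamMax {
				teamMax = m
			}
		}
		for _, uid := range t.Members {
			if teamMax > best[uid] {
				best[uid] = teamMax
			}
		}
	}
	rows := make([]AccessRow, 0, len(best))
	for uid, m := range best {
		rows = append(rows, AccessRow{UserID: uid, RepoID: repoID, Mode: m})
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].UserID < rows[j].UserID })
	return rows
}

// reviewersFromAccessTable reproduces the GetReviewers filter quoted in the issue:
// every user with an access row of mode >= read for the repo is offered as a reviewer.
func reviewersFromAccessTable(repoID int64, rows []AccessRow) []int64 {
	var out []int64
	for _, r := range rows {
		if r.RepoID == repoID && r.Mode >= AccessModeRead {
			out = append(out, r.UserID)
		}
	}
	return out
}

// unitMode returns the highest mode a user's teams grant on one specific unit
// (a missing map entry reads as AccessModeNone).
func unitMode(userID int64, unit Unit, teams []Team) AccessMode {
	best := AccessModeNone
	for _, t := range teams {
		for _, uid := range t.Members {
			if uid == userID && t.Units[unit] > best {
				best = t.Units[unit]
			}
		}
	}
	return best
}

// reviewersWithUnitCheck keeps only candidates who can read the pull requests unit,
// the condition UpdatePullReviewRequest enforces when the request is submitted.
func reviewersWithUnitCheck(repoID int64, rows []AccessRow, teams []Team) []int64 {
	var out []int64
	for _, uid := range reviewersFromAccessTable(repoID, rows) {
		if unitMode(uid, UnitPullRequests, teams) >= AccessModeRead {
			out = append(out, uid)
		}
	}
	return out
}

// scenario is the constructed repro: user 12 is only in a team that reads code and
// issues but has no pull request permission; user 1 is a full maintainer.
func scenario() (repoID int64, teams []Team) {
	return 4, []Team{
		{Name: "maintainers", Members: []int64{1}, Units: map[Unit]AccessMode{
			UnitCode: AccessModeWrite, UnitIssues: AccessModeWrite, UnitPullRequests: AccessModeWrite}},
		{Name: "readers-without-prs", Members: []int64{12}, Units: map[Unit]AccessMode{
			UnitCode: AccessModeRead, UnitIssues: AccessModeRead}},
	}
}

// compareReviewerLists returns the candidates the access-table filter offers and the
// candidates a per-unit check would offer, for the constructed scenario.
func compareReviewerLists() (fromAccess, withUnit []int64) {
	repoID, teams := scenario()
	rows := buildAccessTable(repoID, teams)
	return reviewersFromAccessTable(repoID, rows), reviewersWithUnitCheck(repoID, rows, teams)
}

func main() {
	fromAccess, withUnit := compareReviewerLists()
	fmt.Println("offered via access table:", fromAccess) // [1 12]
	fmt.Println("can actually read PRs:   ", withUnit)   // [1]
}
```

The access-table filter offers user 12 because the flattened row records read on the repository, while the per-unit check rejects them because no team grants them read on the pull requests unit; that is the same disagreement the warning in the log records, only surfaced when the reviewer list is built rather than when the request is submitted.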