Skip to content

Fix minimum team access mode #24647

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 5 commits into from
Closed

Fix minimum team access mode #24647

wants to merge 5 commits into from

Conversation

kdumontnu
Copy link
Contributor

Team access mode appears to be broken, leading to some suspect behavior. Specifically, we currently ignore "NoAccess" when getting the min access for a team in MinUnitAccessMode.

This means that if I set a team to only have write access for wiki page:
image
I will see the team has team.AccessMode = write:
image
But adding any read access:
image
Moves the team.AccessMode = read:
image

I ultimately suggest that we completely deprecate team.AccessMode, since it's not clear what that variable is used for now that team units exist. We should add team.IsAdmin and team.IsOwner flags instead, but I don't have the availability to take that on.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 10, 2023
delvh
delvh approved these changes May 10, 2023
View reviewed changes
models/unit/unit.go
func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
res := perm.AccessModeNone
res := perm.AccessModeWrite
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't it be

Suggested change
res := perm.AccessModeWrite
res := perm.AccessModeOwner

and letting the for loop scale the variable down?
Or do we pass an empty map as parameter at any point?

Copy link
Contributor Author

@kdumontnu kdumontnu May 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we have units with perm.AccessModeOwner?

I see here we return MaxPerm=perm.AccessModeAdmin:

gitea/models/unit/unit.go

Line 212 in 23ae939

return perm.AccessModeAdmin

But I don't know of any units that can have admin/owner access in practice (the UI does not allow it that I'm aware of).

So I can set the default to perm.AccessModeAdmin, but I didn't want to go higher than needed just for additional security.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TBH, I have difficulty to understand the logic if I didn't read the chat history & PR description carefully.

And the new logic seems counterintuitive , could there be some detailed comments or some tests for this problem?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, comment and tests will be helpful regardless. I’ll work on adding those this weekend unless someone beats me to it.

Part of my issue is that I think this whole function should be deprecated. I’ll see how painful that will be.

I think I will just always set team.AccessMode=NoAccess whenever team.AccessMode < AdminAccess.

Essentially, every auth middleware should be checking unit permissions for anything less than admin.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 10, 2023
@kdumontnu kdumontnu added this to the 1.20.0 milestone May 10, 2023
@kdumontnu kdumontnu added the outdated/backport/v1.19 This PR should be backported to Gitea 1.19 label May 10, 2023
@silverwind silverwind marked this pull request as draft May 12, 2023 11:33
@silverwind
Copy link
Member

Marking WIP as per #24647 (comment).

@delvh delvh removed this from the 1.20.0 milestone Jun 7, 2023
@wxiaoguang
Copy link
Contributor

@yp05327

It seems that the last related change is from Fix admin team access mode value in team_unit table (#24012)

Do you have ideas about the problem?

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Apr 6, 2025
edited
Loading

A new fix: Fix team permission #34128

new screenshot

image

@wxiaoguang wxiaoguang closed this Apr 6, 2025
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 5, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

@delvh delvh delvh approved these changes

Assignees
No one assigned
Labels
lgtm/need 1 This PR needs approval from one additional maintainer to be merged. outdated/backport/v1.19 This PR should be backported to Gitea 1.19 type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kdumontnu @silverwind @wxiaoguang @delvh @GiteaBot