Fix minimum team access mode #24647

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
12 changes: 8 additions & 4 deletions models/unit/unit.go
@@ -353,19 +353,23 @@ func AllUnitKeyNames() []string {
return res
}

// MinUnitAccessMode returns the minial permission of the permission map
// MinUnitAccessMode returns the minimum permission of the permission map
func MinUnitAccessMode(unitsMap map[Type]perm.AccessMode) perm.AccessMode {
res := perm.AccessModeNone
res := perm.AccessModeWrite
Member
Shouldn't it be

Suggested change
res := perm.AccessModeWrite
res := perm.AccessModeOwner

and let the for loop scale the variable down?
Or do we pass an empty map as parameter at any point?

Contributor Author

@kdumontnu kdumontnu May 10, 2023
Can we have units with perm.AccessModeOwner?

I see here we return MaxPerm=perm.AccessModeAdmin:

return perm.AccessModeAdmin

But I don't know of any units that can have admin/owner access in practice (the UI does not allow it that I'm aware of).

So I can set the default to perm.AccessModeAdmin, but I didn't want to go higher than needed just for additional security.

Contributor
TBH, I have difficulty understanding the logic if I don't read the chat history & PR description carefully.

And the new logic seems counterintuitive; could there be some detailed comments or some tests for this problem?

Contributor Author

Yeah, comment and tests will be helpful regardless. I’ll work on adding those this weekend unless someone beats me to it.

Part of my issue is that I think this whole function should be deprecated. I’ll see how painful that will be.

I think I will just always set team.AccessMode=NoAccess whenever team.AccessMode < AdminAccess.

Essentially, every auth middleware should be checking unit permissions for anything less than admin.

for t, mode := range unitsMap {
// Don't allow `TypeExternal{Tracker,Wiki}` to influence this as they can only be set to READ perms.
if t == TypeExternalTracker || t == TypeExternalWiki {
continue
}

// get the minial permission great than AccessModeNone except all are AccessModeNone
if mode > perm.AccessModeNone && (res == perm.AccessModeNone || mode < res) {
// get the minimum permission
if mode < res {
res = mode
}
// There is no lower permission than AccessModeNone, so exit early
if res == perm.AccessModeNone {
break
}
}
return res
}
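Review bot: the new starting value `res := perm.AccessModeWrite` silently caps the result at Write and, because the loop skips `TypeExternalTracker` and `TypeExternalWiki` with `continue`, an empty map or a map containing only those two units now returns Write where the old code returned None; that is a less conservative default than before, and it is the same concern the thread raises about starting from Owner/Admin. Suggest starting from the highest mode the callers can pass (or a sentinel) together with a `found` flag, and returning `perm.AccessModeNone` after the loop when no unit contributed, e.g. `res := perm.AccessModeAdmin` plus `if !found { return perm.AccessModeNone }`, so the function does not depend on the callers' `p < perm.AccessModeAdmin` guard for its correctness. A unit test covering the empty map, the all-None map, a mixed None/Read map and the external-only map would pin the intended floor semantics down, which is also what the review thread asks for.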
4 changes: 2 additions & 2 deletions routers/web/org/teams.go
@@ -308,7 +308,7 @@ func NewTeamPost(ctx *context.Context) {
unitPerms := getUnitPerms(ctx.Req.Form, p)
if p < perm.AccessModeAdmin {
// if p is less than admin accessmode, then it should be general accessmode,
// so we should calculate the minial accessmode from units accessmodes.
// so we should calculate the minimum accessmode from units accessmodes.
p = unit_model.MinUnitAccessMode(unitPerms)
}

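Review bot: the spelling fix ("minial" to "minimum") is right, but the comment no longer describes what this call now does: with the updated MinUnitAccessMode, `p = unit_model.MinUnitAccessMode(unitPerms)` yields None as soon as any non-external unit is set to no access, whereas before it was the smallest non-None unit mode. Suggest extending the comment to say that the team-level mode is the floor across all units and may legitimately be None, since a reader of this call site cannot otherwise tell that a general-access team can now be stored with AccessModeNone.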
@@ -459,7 +459,7 @@ func EditTeamPost(ctx *context.Context) {
unitPerms := getUnitPerms(ctx.Req.Form, newAccessMode)
if newAccessMode < perm.AccessModeAdmin {
// if newAccessMode is less than admin accessmode, then it should be general accessmode,
// so we should calculate the minial accessmode from units accessmodes.
// so we should calculate the minimum accessmode from units accessmodes.
newAccessMode = unit_model.MinUnitAccessMode(unitPerms)
}
isAuthChanged := false
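Review bot: the same comment point as in NewTeamPost applies, and this path has an extra consequence: `newAccessMode` can now drop to None for an existing team that previously computed to Read, and that value feeds the `isAuthChanged` logic that follows. Worth confirming that moving an existing general-access team to None is meant to count as an auth change, and adding an edit-team integration test next to the create-team assertions, since only the create path's expectations are updated in this PR.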
2 changes: 1 addition & 1 deletion templates/org/team/new.tmpl
@@ -56,7 +56,7 @@
<br>
<div class="field">
<div class="ui radio checkbox">
<input type="radio" name="permission" value="read" {{if or .PageIsOrgTeamsNew (eq .Team.AccessMode 1) (eq .Team.AccessMode 2)}}checked{{end}}>
<input type="radio" name="permission" value="read" {{if or .PageIsOrgTeamsNew (le .Team.AccessMode 2)}}checked{{end}}>
<label>{{.locale.Tr "org.teams.general_access"}}</label>
<span class="help">{{.locale.Tr "org.teams.general_access_helper"}}</span>
</div>
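Review bot: `(le .Team.AccessMode 2)` now also matches an AccessMode of 0, which is needed once a general-access team can be stored as None, but the template still compares against bare numbers (previously `eq 1` and `eq 2`, now anything at or below 2) with nothing tying them to the `perm.AccessMode` constants they stand for. Suggest a short template comment naming the modes this threshold represents, or passing the threshold in from the handler, so a reordering of the enum does not silently change which radio button is checked.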
4 changes: 2 additions & 2 deletions tests/integration/api_team_test.go
@@ -139,9 +139,9 @@ func TestAPITeam(t *testing.T) {
apiTeam = api.Team{}
DecodeJSON(t, resp, &apiTeam)
checkTeamResponse(t, "CreateTeam2", &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
"read", nil, teamToCreate.UnitsMap)
"none", nil, teamToCreate.UnitsMap)
checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
"read", nil, teamToCreate.UnitsMap)
"none", nil, teamToCreate.UnitsMap)
teamID = apiTeam.ID

// Edit team.
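Review bot: changing the expected access mode from "read" to "none" for CreateTeam2 records the new behaviour but does not pin down the rule that produces it: `teamToCreate.UnitsMap` is reused for both assertions and its contents are not visible in this hunk, so a reader cannot tell whether "none" results from one unit being None among others or from all of them being None. Suggest adding a sibling case (or a table-driven unit test for MinUnitAccessMode) that asserts "read" for an all-Read map and "none" for a mixed map, which is also the test coverage the review thread asks for.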