Missing Permission Check in Team Unit Access #4

@pedrogaudencio

Problem

Location: models/perm/access/repo_permission.go (lines 352-354)

```go
teamMode, _ := team.UnitAccessModeEx(ctx, u.Type)
unitAccessMode := max(perm.unitsMode[u.Type], minAccessMode, teamMode)
perm.unitsMode[u.Type] = unitAccessMode
```

Problem: The original code checked if the team had explicit permissions (exist variable). By removing this check and blindly using teamMode (which could be 0/AccessModeNone), you might be incorrectly setting permissions.

Original code:

```go
unitAccessMode := minAccessMode
if teamMode, exist := team.UnitAccessModeEx(ctx, u.Type); exist {
    unitAccessMode = max(perm.unitsMode[u.Type], unitAccessMode, teamMode)
}
```

Solution

Fix: Restore the existence check:

```go
for _, team := range teams {
    if teamMode, exist := team.UnitAccessModeEx(ctx, u.Type); exist {
        unitAccessMode := max(perm.unitsMode[u.Type], minAccessMode, teamMode)
        perm.unitsMode[u.Type] = unitAccessMode
    }
}
```
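
A minimal model of the difference described above, as an added example that is not code from the issue or the project: `Team`, `maxMode` and `resolve` are hypothetical stand-ins, and starting each unit at `AccessModeNone` is an assumption. For a team with no explicit entry for the unit, discarding `exist` yields `minAccessMode`, while the restored check leaves the unit at no access.

```go
package main

import "fmt"

// AccessMode is ordered so that 0 means no access, as in the issue.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
	AccessModeWrite
)

// Team is a hypothetical stand-in; units holds only explicitly configured modes.
type Team struct{ units map[string]AccessMode }

// UnitAccessModeEx returns the unit's mode and whether an explicit entry exists.
func (t Team) UnitAccessModeEx(unit string) (AccessMode, bool) {
	m, ok := t.units[unit]
	return m, ok
}

func maxMode(a, b AccessMode) AccessMode {
	if a > b {
		return a
	}
	return b
}

// resolve folds the teams' modes for one unit. checkExist=false follows the
// flagged lines (exist discarded); true follows the fix proposed in the issue.
func resolve(teams []Team, unit string, minMode AccessMode, checkExist bool) AccessMode {
	mode := AccessModeNone
	for _, team := range teams {
		teamMode, exist := team.UnitAccessModeEx(unit)
		if exist || !checkExist {
			mode = maxMode(maxMode(mode, minMode), teamMode)
		}
	}
	return mode
}

func main() {
	// Constructed input: the team grants "code" but has no entry for "wiki".
	teams := []Team{{units: map[string]AccessMode{"code": AccessModeWrite}}}
	fmt.Println(resolve(teams, "wiki", AccessModeRead, false)) // exist discarded
	fmt.Println(resolve(teams, "wiki", AccessModeRead, true))  // exist checked
}
```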
