authormrsdizzie2019-05-16 18:01:55 -0400
committertechknowlogick2019-05-16 18:01:55 -0400
commit21983965d0cc5e78704a1fea85920b46f2e2fbf5 (patch)
tree581354bfa5d9ce17d6984266daf12bbb4ed69219
parente069a758179cc94e56d96b1b97b55b8785a69e3e (diff)
Allow collaborators to view repo owned by private org (#6965) (#6968)
* Allow collaborators to view repo owned private org (#6965) Handle case where an organization is private but a user who is not a member of the organization has been added as a collaborator of a repo within that org Fixes #6962 * Match release/v1.8 fixtures
-rw-r--r--integrations/org_test.go9
-rw-r--r--models/fixtures/collaboration.yml6
-rw-r--r--models/repo_permission.go16
3 files changed, 27 insertions, 4 deletions
diff --git a/integrations/org_test.go b/integrations/org_test.go
index 17b895848..d86c82989 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) {
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
session.MakeRequest(t, req, http.StatusNotFound)
+ // non-org member who is collaborator on repo in private org
+ session = loginUser(t, "user4")
+ req = NewRequest(t, "GET", "/privated_org")
+ session.MakeRequest(t, req, http.StatusNotFound)
+ req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo
+ session.MakeRequest(t, req, http.StatusOK)
+ req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
+ session.MakeRequest(t, req, http.StatusNotFound)
+
// site admin
session = loginUser(t, "user1")
req = NewRequest(t, "GET", "/privated_org")
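Review bot: The only denial asserted for user4 inside the org is `/privated_org/private_repo_on_private_org`, and that 404 may come from the repository being private rather than from the organization check, so it does not show that the new collaborator exemption is limited to the one repository. A stronger case is a second public repository in `privated_org` on which user4 has no collaboration row, requested with `req = NewRequest(t, "GET", "/privated_org/<OTHER_PUBLIC_REPO>")` (placeholder name) and `session.MakeRequest(t, req, http.StatusNotFound)`. Whether the fixtures already contain such a repository is not visible here, so this may need one more fixture entry. The trailing comment `// colab of this repo` would read better as `// user4 is a collaborator on this repo`. TestPrivateOrg starts and ends outside this hunk.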
diff --git a/models/fixtures/collaboration.yml b/models/fixtures/collaboration.yml
index 18db9c36c..4e5508e71 100644
--- a/models/fixtures/collaboration.yml
+++ b/models/fixtures/collaboration.yml
@@ -9,3 +9,9 @@
repo_id: 4
user_id: 4
mode: 2 # write
+
+-
+ id: 3
+ repo_id: 38
+ user_id: 4
+ mode: 2 # write
diff --git a/models/repo_permission.go b/models/repo_permission.go
index edad25b75..e66fc3b53 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -107,7 +107,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
repo.mustOwner(e)
}
- if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) {
+ var isCollaborator bool
+ if user != nil {
+ isCollaborator, err = repo.isCollaborator(e, user.ID)
+ if err != nil {
+ return perm, err
+ }
+ }
+
+ // Prevent strangers from checking out public repo of private orginization
+ // Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself
+ if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator {
perm.AccessMode = AccessModeNone
return
}
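Review bot: The condition `repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator` turns a collaboration row into an exemption from the private-organization gate, but the two comment lines above it do not state that the exemption applies only to the repository being checked. I would replace them with `// Deny access when the owning organization is hidden from the user, unless the user is a direct collaborator on this repository.`, which also fixes the "orginization" spelling. The access level a collaborator ends up with is decided in the part of getUserRepoPermission outside this hunk, so it is worth confirming that it comes from the collaboration mode and not from the repository being public. The lookup now runs for every non-nil user; if `isCollaborator` is only read for organization-owned repositories, as the "Collaborators on organization" comment in the next hunk suggests, the guard could be `if user != nil && repo.Owner.IsOrganization() {`, subject to checking the code between the two hunks.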
@@ -146,9 +156,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
perm.UnitsMode = make(map[UnitType]AccessMode)
// Collaborators on organization
- if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil {
- return perm, err
- } else if isCollaborator {
+ if isCollaborator {
for _, u := range repo.Units {
perm.UnitsMode[u.Type] = perm.AccessMode
}