author | mrsdizzie | 2019-05-16 18:01:55 -0400 |
---|---|---|
committer | techknowlogick | 2019-05-16 18:01:55 -0400 |
commit | 21983965d0cc5e78704a1fea85920b46f2e2fbf5 (patch) | |
tree | 581354bfa5d9ce17d6984266daf12bbb4ed69219 | |
parent | e069a758179cc94e56d96b1b97b55b8785a69e3e (diff) |
Allow collaborators to view repo owned by private org (#6965) (#6968)
* Allow collaborators to view repo owned private org (#6965)
Handle the case where an organization is private but a user who is not a
member of the organization has been added as a collaborator of a repo
within that org
Fixes #6962
* Match release/v1.8 fixtures
-rw-r--r-- | integrations/org_test.go | 9 | ||||
-rw-r--r-- | models/fixtures/collaboration.yml | 6 | ||||
-rw-r--r-- | models/repo_permission.go | 16 |
3 files changed, 27 insertions, 4 deletions
diff --git a/integrations/org_test.go b/integrations/org_test.go
index 17b895848..d86c82989 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -92,6 +92,15 @@ func TestPrivateOrg(t *testing.T) {
 req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
 session.MakeRequest(t, req, http.StatusNotFound)
+ // non-org member who is collaborator on repo in private org
+ session = loginUser(t, "user4")
+ req = NewRequest(t, "GET", "/privated_org")
+ session.MakeRequest(t, req, http.StatusNotFound)
+ req = NewRequest(t, "GET", "/privated_org/public_repo_on_private_org") // colab of this repo
+ session.MakeRequest(t, req, http.StatusOK)
+ req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
+ session.MakeRequest(t, req, http.StatusNotFound)
+
 // site admin
 session = loginUser(t, "user1")
 req = NewRequest(t, "GET", "/privated_org")
diff --git a/models/fixtures/collaboration.yml b/models/fixtures/collaboration.yml
index 18db9c36c..4e5508e71 100644
--- a/models/fixtures/collaboration.yml
+++ b/models/fixtures/collaboration.yml
@@ -9,3 +9,9 @@
 repo_id: 4
 user_id: 4
 mode: 2 # write
+
+-
+ id: 3
+ repo_id: 38
+ user_id: 4
+ mode: 2 # write
diff --git a/models/repo_permission.go b/models/repo_permission.go
index edad25b75..e66fc3b53 100644
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -107,7 +107,17 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 repo.mustOwner(e)
 }
- if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) {
+ var isCollaborator bool
+ if user != nil {
+ isCollaborator, err = repo.isCollaborator(e, user.ID)
+ if err != nil {
+ return perm, err
+ }
+ }
+
+ // Prevent strangers from checking out public repo of private orginization
+ // Allow user if they are collaborator of a repo within a private orginization but not a member of the orginization itself
+ if repo.Owner.IsOrganization() && !HasOrgVisible(repo.Owner, user) && !isCollaborator {
 perm.AccessMode = AccessModeNone
 return
 }
@@ -146,9 +156,7 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 perm.UnitsMode = make(map[UnitType]AccessMode)
 // Collaborators on organization
- if isCollaborator, err := repo.isCollaborator(e, user.ID); err != nil {
- return perm, err
- } else if isCollaborator {
+ if isCollaborator {
 for _, u := range repo.Units {
 perm.UnitsMode[u.Type] = perm.AccessMode
 }
|
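Review bot: The exemption added to the deny condition in the first hunk depends only on `isCollaborator`, so any collaboration entry on the repository skips the private-organization visibility check regardless of its mode. What the collaborator may then do is decided by code outside the hunk (getUserRepoPermission starts before and continues past both hunks), so the comment should state that, for example `// Collaborators bypass only the org-visibility deny; their access mode is still computed below.` once that is confirmed against the rest of the function, with `orginization` corrected to `organization`. The lookup now also runs for every non-nil user, including repositories whose owner is not an organization; if the second hunk's reuse sits on an organization-only path, as its `// Collaborators on organization` comment suggests, the guard could be `if user != nil && repo.Owner.IsOrganization() {`. The integration test in this commit covers a collaborator on `public_repo_on_private_org` only, so a case for a collaborator on a private repository of the private organization would pin the other path this condition opens.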