afan
/
gitea
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
gitea源码
3 коммитов
2 веток
ветка: master
веток Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
gitea/models/perm/access/repo_permission.go

repo_permission.go 17KB
Постоянная ссылка История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package access

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"slices"

  10. 

  11. 	"code.gitea.io/gitea/models/db"

  12. 	"code.gitea.io/gitea/models/organization"

  13. 	perm_model "code.gitea.io/gitea/models/perm"

  14. 	repo_model "code.gitea.io/gitea/models/repo"

  15. 	"code.gitea.io/gitea/models/unit"

  16. 	user_model "code.gitea.io/gitea/models/user"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/setting"

  19. 	"code.gitea.io/gitea/modules/util"

  20. )

  21. 

  22. // Permission contains all the permissions related variables to a repository for a user

  23. type Permission struct {

  24. 	AccessMode perm_model.AccessMode

  25. 

  26. 	units     []*repo_model.RepoUnit

  27. 	unitsMode map[unit.Type]perm_model.AccessMode

  28. 

  29. 	everyoneAccessMode  map[unit.Type]perm_model.AccessMode // the unit's minimal access mode for every signed-in user

  30. 	anonymousAccessMode map[unit.Type]perm_model.AccessMode // the unit's minimal access mode for anonymous (non-signed-in) user

  31. }

  32. 

  33. // IsOwner returns true if current user is the owner of repository.

  34. func (p *Permission) IsOwner() bool {

  35. 	return p.AccessMode >= perm_model.AccessModeOwner

  36. }

  37. 

  38. // IsAdmin returns true if current user has admin or higher access of repository.

  39. func (p *Permission) IsAdmin() bool {

  40. 	return p.AccessMode >= perm_model.AccessModeAdmin

  41. }

  42. 

  43. // HasAnyUnitAccess returns true if the user might have at least one access mode to any unit of this repository.

  44. // It doesn't count the "public(anonymous/everyone) access mode".

  45. // TODO: most calls to this function should be replaced with `HasAnyUnitAccessOrPublicAccess`

  46. func (p *Permission) HasAnyUnitAccess() bool {

  47. 	for _, v := range p.unitsMode {

  48. 		if v >= perm_model.AccessModeRead {

  49. 			return true

  50. 		}

  51. 	}

  52. 	return p.AccessMode >= perm_model.AccessModeRead

  53. }

  54. 

  55. func (p *Permission) HasAnyUnitPublicAccess() bool {

  56. 	for _, v := range p.anonymousAccessMode {

  57. 		if v >= perm_model.AccessModeRead {

  58. 			return true

  59. 		}

  60. 	}

  61. 	for _, v := range p.everyoneAccessMode {

  62. 		if v >= perm_model.AccessModeRead {

  63. 			return true

  64. 		}

  65. 	}

  66. 	return false

  67. }

  68. 

  69. func (p *Permission) HasAnyUnitAccessOrPublicAccess() bool {

  70. 	return p.HasAnyUnitPublicAccess() || p.HasAnyUnitAccess()

  71. }

  72. 

  73. // HasUnits returns true if the permission contains attached units

  74. func (p *Permission) HasUnits() bool {

  75. 	return len(p.units) > 0

  76. }

  77. 

  78. // GetFirstUnitRepoID returns the repo ID of the first unit, it is a fragile design and should NOT be used anymore

  79. // deprecated

  80. func (p *Permission) GetFirstUnitRepoID() int64 {

  81. 	if len(p.units) > 0 {

  82. 		return p.units[0].RepoID

  83. 	}

  84. 	return 0

  85. }

  86. 

  87. // UnitAccessMode returns current user access mode to the specify unit of the repository

  88. // It also considers "public (anonymous/everyone) access mode"

  89. func (p *Permission) UnitAccessMode(unitType unit.Type) perm_model.AccessMode {

  90. 	// if the units map contains the access mode, use it, but admin/owner mode could override it

  91. 	if m, ok := p.unitsMode[unitType]; ok {

  92. 		return util.Iif(p.AccessMode >= perm_model.AccessModeAdmin, p.AccessMode, m)

  93. 	}

  94. 	// if the units map does not contain the access mode, return the default access mode if the unit exists

  95. 	unitDefaultAccessMode := p.AccessMode

  96. 	unitDefaultAccessMode = max(unitDefaultAccessMode, p.anonymousAccessMode[unitType])

  97. 	unitDefaultAccessMode = max(unitDefaultAccessMode, p.everyoneAccessMode[unitType])

  98. 	hasUnit := slices.ContainsFunc(p.units, func(u *repo_model.RepoUnit) bool { return u.Type == unitType })

  99. 	return util.Iif(hasUnit, unitDefaultAccessMode, perm_model.AccessModeNone)

  100. }

  101. 

  102. func (p *Permission) SetUnitsWithDefaultAccessMode(units []*repo_model.RepoUnit, mode perm_model.AccessMode) {

  103. 	p.units = units

  104. 	p.unitsMode = make(map[unit.Type]perm_model.AccessMode)

  105. 	for _, u := range p.units {

  106. 		p.unitsMode[u.Type] = mode

  107. 	}

  108. }

  109. 

  110. // CanAccess returns true if user has mode access to the unit of the repository

  111. func (p *Permission) CanAccess(mode perm_model.AccessMode, unitType unit.Type) bool {

  112. 	return p.UnitAccessMode(unitType) >= mode

  113. }

  114. 

  115. // CanAccessAny returns true if user has mode access to any of the units of the repository

  116. func (p *Permission) CanAccessAny(mode perm_model.AccessMode, unitTypes ...unit.Type) bool {

  117. 	for _, u := range unitTypes {

  118. 		if p.CanAccess(mode, u) {

  119. 			return true

  120. 		}

  121. 	}

  122. 	return false

  123. }

  124. 

  125. // CanRead returns true if user could read to this unit

  126. func (p *Permission) CanRead(unitType unit.Type) bool {

  127. 	return p.CanAccess(perm_model.AccessModeRead, unitType)

  128. }

  129. 

  130. // CanReadAny returns true if user has read access to any of the units of the repository

  131. func (p *Permission) CanReadAny(unitTypes ...unit.Type) bool {

  132. 	return p.CanAccessAny(perm_model.AccessModeRead, unitTypes...)

  133. }

  134. 

  135. // CanReadIssuesOrPulls returns true if isPull is true and user could read pull requests and

  136. // returns true if isPull is false and user could read to issues

  137. func (p *Permission) CanReadIssuesOrPulls(isPull bool) bool {

  138. 	if isPull {

  139. 		return p.CanRead(unit.TypePullRequests)

  140. 	}

  141. 	return p.CanRead(unit.TypeIssues)

  142. }

  143. 

  144. // CanWrite returns true if user could write to this unit

  145. func (p *Permission) CanWrite(unitType unit.Type) bool {

  146. 	return p.CanAccess(perm_model.AccessModeWrite, unitType)

  147. }

  148. 

  149. // CanWriteIssuesOrPulls returns true if isPull is true and user could write to pull requests and

  150. // returns true if isPull is false and user could write to issues

  151. func (p *Permission) CanWriteIssuesOrPulls(isPull bool) bool {

  152. 	if isPull {

  153. 		return p.CanWrite(unit.TypePullRequests)

  154. 	}

  155. 	return p.CanWrite(unit.TypeIssues)

  156. }

  157. 

  158. func (p *Permission) ReadableUnitTypes() []unit.Type {

  159. 	types := make([]unit.Type, 0, len(p.units))

  160. 	for _, u := range p.units {

  161. 		if p.CanRead(u.Type) {

  162. 			types = append(types, u.Type)

  163. 		}

  164. 	}

  165. 	return types

  166. }

  167. 

  168. func (p *Permission) LogString() string {

  169. 	format := "<Permission AccessMode=%s, %d Units, %d UnitsMode(s): ["

  170. 	args := []any{p.AccessMode.ToString(), len(p.units), len(p.unitsMode)}

  171. 

  172. 	for i, u := range p.units {

  173. 		config := ""

  174. 		if u.Config != nil {

  175. 			configBytes, err := u.Config.ToDB()

  176. 			config = string(configBytes)

  177. 			if err != nil {

  178. 				config = err.Error()

  179. 			}

  180. 		}

  181. 		format += "\n\tunits[%d]: ID=%d RepoID=%d Type=%s Config=%s"

  182. 		args = append(args, i, u.ID, u.RepoID, u.Type.LogString(), config)

  183. 	}

  184. 	for key, value := range p.unitsMode {

  185. 		format += "\n\tunitsMode[%-v]: %-v"

  186. 		args = append(args, key.LogString(), value.LogString())

  187. 	}

  188. 	format += "\n\tanonymousAccessMode: %-v"

  189. 	args = append(args, p.anonymousAccessMode)

  190. 	format += "\n\teveryoneAccessMode: %-v"

  191. 	args = append(args, p.everyoneAccessMode)

  192. 	format += "\n\t]>"

  193. 	return fmt.Sprintf(format, args...)

  194. }

  195. 

  196. func applyPublicAccessPermission(unitType unit.Type, accessMode perm_model.AccessMode, modeMap *map[unit.Type]perm_model.AccessMode) {

  197. 	if setting.Repository.ForcePrivate {

  198. 		return

  199. 	}

  200. 	if accessMode >= perm_model.AccessModeRead && accessMode > (*modeMap)[unitType] {

  201. 		if *modeMap == nil {

  202. 			*modeMap = make(map[unit.Type]perm_model.AccessMode)

  203. 		}

  204. 		(*modeMap)[unitType] = accessMode

  205. 	}

  206. }

  207. 

  208. func finalProcessRepoUnitPermission(user *user_model.User, perm *Permission) {

  209. 	// apply public (anonymous) access permissions

  210. 	for _, u := range perm.units {

  211. 		applyPublicAccessPermission(u.Type, u.AnonymousAccessMode, &perm.anonymousAccessMode)

  212. 	}

  213. 

  214. 	if user == nil || user.ID <= 0 {

  215. 		// for anonymous access, it could be:

  216. 		// AccessMode is None or Read, units has repo units, unitModes is nil

  217. 		return

  218. 	}

  219. 

  220. 	// apply public (everyone) access permissions

  221. 	for _, u := range perm.units {

  222. 		applyPublicAccessPermission(u.Type, u.EveryoneAccessMode, &perm.everyoneAccessMode)

  223. 	}

  224. 

  225. 	if perm.unitsMode == nil {

  226. 		// if unitsMode is not set, then it means that the default p.AccessMode applies to all units

  227. 		return

  228. 	}

  229. 

  230. 	// remove no permission units

  231. 	origPermUnits := perm.units

  232. 	perm.units = make([]*repo_model.RepoUnit, 0, len(perm.units))

  233. 	for _, u := range origPermUnits {

  234. 		shouldKeep := false

  235. 		for t := range perm.unitsMode {

  236. 			if shouldKeep = u.Type == t; shouldKeep {

  237. 				break

  238. 			}

  239. 		}

  240. 		for t := range perm.anonymousAccessMode {

  241. 			if shouldKeep = shouldKeep || u.Type == t; shouldKeep {

  242. 				break

  243. 			}

  244. 		}

  245. 		for t := range perm.everyoneAccessMode {

  246. 			if shouldKeep = shouldKeep || u.Type == t; shouldKeep {

  247. 				break

  248. 			}

  249. 		}

  250. 		if shouldKeep {

  251. 			perm.units = append(perm.units, u)

  252. 		}

  253. 	}

  254. }

  255. 

  256. // GetUserRepoPermission returns the user permissions to the repository

  257. func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (perm Permission, err error) {

  258. 	defer func() {

  259. 		if err == nil {

  260. 			finalProcessRepoUnitPermission(user, &perm)

  261. 		}

  262. 		log.Trace("Permission Loaded for user %-v in repo %-v, permissions: %-+v", user, repo, perm)

  263. 	}()

  264. 

  265. 	if err = repo.LoadUnits(ctx); err != nil {

  266. 		return perm, err

  267. 	}

  268. 	perm.units = repo.Units

  269. 

  270. 	// anonymous user visit private repo.

  271. 	if user == nil && repo.IsPrivate {

  272. 		perm.AccessMode = perm_model.AccessModeNone

  273. 		return perm, nil

  274. 	}

  275. 

  276. 	var isCollaborator bool

  277. 	if user != nil {

  278. 		isCollaborator, err = repo_model.IsCollaborator(ctx, repo.ID, user.ID)

  279. 		if err != nil {

  280. 			return perm, err

  281. 		}

  282. 	}

  283. 

  284. 	if err = repo.LoadOwner(ctx); err != nil {

  285. 		return perm, err

  286. 	}

  287. 

  288. 	// Prevent strangers from checking out public repo of private organization/users

  289. 	// Allow user if they are a collaborator of a repo within a private user or a private organization but not a member of the organization itself

  290. 	// TODO: rename it to "IsOwnerVisibleToDoer"

  291. 	if !organization.HasOrgOrUserVisible(ctx, repo.Owner, user) && !isCollaborator {

  292. 		perm.AccessMode = perm_model.AccessModeNone

  293. 		return perm, nil

  294. 	}

  295. 

  296. 	// anonymous visit public repo

  297. 	if user == nil {

  298. 		perm.AccessMode = perm_model.AccessModeRead

  299. 		return perm, nil

  300. 	}

  301. 

  302. 	// Admin or the owner has super access to the repository

  303. 	if user.IsAdmin || user.ID == repo.OwnerID {

  304. 		perm.AccessMode = perm_model.AccessModeOwner

  305. 		return perm, nil

  306. 	}

  307. 

  308. 	// plain user TODO: this check should be replaced, only need to check collaborator access mode

  309. 	perm.AccessMode, err = accessLevel(ctx, user, repo)

  310. 	if err != nil {

  311. 		return perm, err

  312. 	}

  313. 

  314. 	if !repo.Owner.IsOrganization() {

  315. 		return perm, nil

  316. 	}

  317. 

  318. 	// now: the owner is visible to doer, if the repo is public, then the min access mode is read

  319. 	minAccessMode := util.Iif(!repo.IsPrivate && !user.IsRestricted, perm_model.AccessModeRead, perm_model.AccessModeNone)

  320. 	perm.AccessMode = max(perm.AccessMode, minAccessMode)

  321. 

  322. 	// get units mode from teams

  323. 	teams, err := organization.GetUserRepoTeams(ctx, repo.OwnerID, user.ID, repo.ID)

  324. 	if err != nil {

  325. 		return perm, err

  326. 	}

  327. 	if len(teams) == 0 {

  328. 		return perm, nil

  329. 	}

  330. 

  331. 	perm.unitsMode = make(map[unit.Type]perm_model.AccessMode)

  332. 

  333. 	// Collaborators on organization

  334. 	if isCollaborator {

  335. 		for _, u := range repo.Units {

  336. 			perm.unitsMode[u.Type] = perm.AccessMode

  337. 		}

  338. 	}

  339. 

  340. 	// if user in an owner team

  341. 	for _, team := range teams {

  342. 		if team.HasAdminAccess() {

  343. 			perm.AccessMode = perm_model.AccessModeOwner

  344. 			perm.unitsMode = nil

  345. 			return perm, nil

  346. 		}

  347. 	}

  348. 

  349. 	for _, u := range repo.Units {

  350. 		for _, team := range teams {

  351. 			teamMode, _ := team.UnitAccessModeEx(ctx, u.Type)

  352. 			unitAccessMode := max(perm.unitsMode[u.Type], minAccessMode, teamMode)

  353. 			perm.unitsMode[u.Type] = unitAccessMode

  354. 		}

  355. 	}

  356. 

  357. 	return perm, err

  358. }

  359. 

  360. // IsUserRealRepoAdmin check if this user is real repo admin

  361. func IsUserRealRepoAdmin(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (bool, error) {

  362. 	if repo.OwnerID == user.ID {

  363. 		return true, nil

  364. 	}

  365. 

  366. 	if err := repo.LoadOwner(ctx); err != nil {

  367. 		return false, err

  368. 	}

  369. 

  370. 	accessMode, err := accessLevel(ctx, user, repo)

  371. 	if err != nil {

  372. 		return false, err

  373. 	}

  374. 

  375. 	return accessMode >= perm_model.AccessModeAdmin, nil

  376. }

  377. 

  378. // IsUserRepoAdmin return true if user has admin right of a repo

  379. func IsUserRepoAdmin(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (bool, error) {

  380. 	if user == nil || repo == nil {

  381. 		return false, nil

  382. 	}

  383. 	if user.IsAdmin {

  384. 		return true, nil

  385. 	}

  386. 

  387. 	mode, err := accessLevel(ctx, user, repo)

  388. 	if err != nil {

  389. 		return false, err

  390. 	}

  391. 	if mode >= perm_model.AccessModeAdmin {

  392. 		return true, nil

  393. 	}

  394. 

  395. 	teams, err := organization.GetUserRepoTeams(ctx, repo.OwnerID, user.ID, repo.ID)

  396. 	if err != nil {

  397. 		return false, err

  398. 	}

  399. 

  400. 	for _, team := range teams {

  401. 		if team.HasAdminAccess() {

  402. 			return true, nil

  403. 		}

  404. 	}

  405. 	return false, nil

  406. }

  407. 

  408. // AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the

  409. // user does not have access.

  410. func AccessLevel(ctx context.Context, user *user_model.User, repo *repo_model.Repository) (perm_model.AccessMode, error) { //nolint:revive // export stutter

  411. 	return AccessLevelUnit(ctx, user, repo, unit.TypeCode)

  412. }

  413. 

  414. // AccessLevelUnit returns the Access a user has to a repository's. Will return NoneAccess if the

  415. // user does not have access.

  416. func AccessLevelUnit(ctx context.Context, user *user_model.User, repo *repo_model.Repository, unitType unit.Type) (perm_model.AccessMode, error) { //nolint:revive // export stutter

  417. 	perm, err := GetUserRepoPermission(ctx, repo, user)

  418. 	if err != nil {

  419. 		return perm_model.AccessModeNone, err

  420. 	}

  421. 	return perm.UnitAccessMode(unitType), nil

  422. }

  423. 

  424. // HasAccessUnit returns true if user has testMode to the unit of the repository

  425. func HasAccessUnit(ctx context.Context, user *user_model.User, repo *repo_model.Repository, unitType unit.Type, testMode perm_model.AccessMode) (bool, error) {

  426. 	mode, err := AccessLevelUnit(ctx, user, repo, unitType)

  427. 	return testMode <= mode, err

  428. }

  429. 

  430. // CanBeAssigned return true if user can be assigned to issue or pull requests in repo

  431. // Currently any write access (code, issues or pr's) is assignable, to match assignee list in user interface.

  432. func CanBeAssigned(ctx context.Context, user *user_model.User, repo *repo_model.Repository, _ bool) (bool, error) {

  433. 	if user.IsOrganization() {

  434. 		return false, fmt.Errorf("organization can't be added as assignee [user_id: %d, repo_id: %d]", user.ID, repo.ID)

  435. 	}

  436. 	perm, err := GetUserRepoPermission(ctx, repo, user)

  437. 	if err != nil {

  438. 		return false, err

  439. 	}

  440. 	return perm.CanAccessAny(perm_model.AccessModeWrite, unit.AllRepoUnitTypes...) ||

  441. 		perm.CanAccessAny(perm_model.AccessModeRead, unit.TypePullRequests), nil

  442. }

  443. 

  444. // HasAnyUnitAccess see the comment of "perm.HasAnyUnitAccess"

  445. func HasAnyUnitAccess(ctx context.Context, userID int64, repo *repo_model.Repository) (bool, error) {

  446. 	var user *user_model.User

  447. 	var err error

  448. 	if userID > 0 {

  449. 		user, err = user_model.GetUserByID(ctx, userID)

  450. 		if err != nil {

  451. 			return false, err

  452. 		}

  453. 	}

  454. 	perm, err := GetUserRepoPermission(ctx, repo, user)

  455. 	if err != nil {

  456. 		return false, err

  457. 	}

  458. 	return perm.HasAnyUnitAccess(), nil

  459. }

  460. 

  461. // getUsersWithAccessMode returns users that have at least given access mode to the repository.

  462. func getUsersWithAccessMode(ctx context.Context, repo *repo_model.Repository, mode perm_model.AccessMode) (_ []*user_model.User, err error) {

  463. 	if err = repo.LoadOwner(ctx); err != nil {

  464. 		return nil, err

  465. 	}

  466. 

  467. 	e := db.GetEngine(ctx)

  468. 	accesses := make([]*Access, 0, 10)

  469. 	if err = e.Where("repo_id = ? AND mode >= ?", repo.ID, mode).Find(&accesses); err != nil {

  470. 		return nil, err

  471. 	}

  472. 

  473. 	// Leave a seat for owner itself to append later, but if owner is an organization

  474. 	// and just waste 1 unit is cheaper than re-allocate memory once.

  475. 	users := make([]*user_model.User, 0, len(accesses)+1)

  476. 	if len(accesses) > 0 {

  477. 		userIDs := make([]int64, len(accesses))

  478. 		for i := 0; i < len(accesses); i++ {

  479. 			userIDs[i] = accesses[i].UserID

  480. 		}

  481. 

  482. 		if err = e.In("id", userIDs).Find(&users); err != nil {

  483. 			return nil, err

  484. 		}

  485. 	}

  486. 	if !repo.Owner.IsOrganization() {

  487. 		users = append(users, repo.Owner)

  488. 	}

  489. 

  490. 	return users, nil

  491. }

  492. 

  493. // GetRepoReaders returns all users that have explicit read access or higher to the repository.

  494. func GetRepoReaders(ctx context.Context, repo *repo_model.Repository) (_ []*user_model.User, err error) {

  495. 	return getUsersWithAccessMode(ctx, repo, perm_model.AccessModeRead)

  496. }

  497. 

  498. // GetRepoWriters returns all users that have write access to the repository.

  499. func GetRepoWriters(ctx context.Context, repo *repo_model.Repository) (_ []*user_model.User, err error) {

  500. 	return getUsersWithAccessMode(ctx, repo, perm_model.AccessModeWrite)

  501. }

  502. 

  503. // IsRepoReader returns true if user has explicit read access or higher to the repository.

  504. func IsRepoReader(ctx context.Context, repo *repo_model.Repository, userID int64) (bool, error) {

  505. 	if repo.OwnerID == userID {

  506. 		return true, nil

  507. 	}

  508. 	return db.GetEngine(ctx).Where("repo_id = ? AND user_id = ? AND mode >= ?", repo.ID, userID, perm_model.AccessModeRead).Get(&Access{})

  509. }

  510. 

  511. // CheckRepoUnitUser check whether user could visit the unit of this repository

  512. func CheckRepoUnitUser(ctx context.Context, repo *repo_model.Repository, user *user_model.User, unitType unit.Type) bool {

  513. 	if user != nil && user.IsAdmin {

  514. 		return true

  515. 	}

  516. 	perm, err := GetUserRepoPermission(ctx, repo, user)

  517. 	if err != nil {

  518. 		log.Error("GetUserRepoPermission: %w", err)

  519. 		return false

  520. 	}

  521. 

  522. 	return perm.CanRead(unitType)

  523. }

  524. 

  525. func PermissionNoAccess() Permission {

  526. 	return Permission{AccessMode: perm_model.AccessModeNone}

  527. }