afan
/
gitea
Seguir 1
Destacar 0
Cuchillo 0
Código Incidencias 0 Peticiones pull 0 Lanzamientos 0 Wiki Activity
gitea源码
1 Commit
2 Ramas
Árbol: 61128e8e94
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '61128e8e94'
${ noResults }
gitea/services/context/permission.go

permission.go 2.4KB
Histórico Original

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 
  1. // Copyright 2018 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package context

  5. 

  6. import (

  7. 	"net/http"

  8. 	"slices"

  9. 

  10. 	auth_model "code.gitea.io/gitea/models/auth"

  11. 	repo_model "code.gitea.io/gitea/models/repo"

  12. 	"code.gitea.io/gitea/models/unit"

  13. )

  14. 

  15. // RequireRepoAdmin returns a middleware for requiring repository admin permission

  16. func RequireRepoAdmin() func(ctx *Context) {

  17. 	return func(ctx *Context) {

  18. 		if !ctx.IsSigned || !ctx.Repo.IsAdmin() {

  19. 			ctx.NotFound(nil)

  20. 			return

  21. 		}

  22. 	}

  23. }

  24. 

  25. // CanWriteToBranch checks if the user is allowed to write to the branch of the repo

  26. func CanWriteToBranch() func(ctx *Context) {

  27. 	return func(ctx *Context) {

  28. 		if !ctx.Repo.CanWriteToBranch(ctx, ctx.Doer, ctx.Repo.BranchName) {

  29. 			ctx.NotFound(nil)

  30. 			return

  31. 		}

  32. 	}

  33. }

  34. 

  35. // RequireUnitWriter returns a middleware for requiring repository write to one of the unit permission

  36. func RequireUnitWriter(unitTypes ...unit.Type) func(ctx *Context) {

  37. 	return func(ctx *Context) {

  38. 		if slices.ContainsFunc(unitTypes, ctx.Repo.CanWrite) {

  39. 			return

  40. 		}

  41. 		ctx.NotFound(nil)

  42. 	}

  43. }

  44. 

  45. // RequireUnitReader returns a middleware for requiring repository write to one of the unit permission

  46. func RequireUnitReader(unitTypes ...unit.Type) func(ctx *Context) {

  47. 	return func(ctx *Context) {

  48. 		for _, unitType := range unitTypes {

  49. 			if ctx.Repo.CanRead(unitType) {

  50. 				return

  51. 			}

  52. 			if unitType == unit.TypeCode && canWriteAsMaintainer(ctx) {

  53. 				return

  54. 			}

  55. 		}

  56. 		ctx.NotFound(nil)

  57. 	}

  58. }

  59. 

  60. // CheckRepoScopedToken check whether personal access token has repo scope

  61. func CheckRepoScopedToken(ctx *Context, repo *repo_model.Repository, level auth_model.AccessTokenScopeLevel) {

  62. 	if !ctx.IsBasicAuth || ctx.Data["IsApiToken"] != true {

  63. 		return

  64. 	}

  65. 

  66. 	scope, ok := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)

  67. 	if ok { // it's a personal access token but not oauth2 token

  68. 		var scopeMatched bool

  69. 

  70. 		requiredScopes := auth_model.GetRequiredScopes(level, auth_model.AccessTokenScopeCategoryRepository)

  71. 

  72. 		// check if scope only applies to public resources

  73. 		publicOnly, err := scope.PublicOnly()

  74. 		if err != nil {

  75. 			ctx.ServerError("HasScope", err)

  76. 			return

  77. 		}

  78. 

  79. 		if publicOnly && repo.IsPrivate {

  80. 			ctx.HTTPError(http.StatusForbidden)

  81. 			return

  82. 		}

  83. 

  84. 		scopeMatched, err = scope.HasScope(requiredScopes...)

  85. 		if err != nil {

  86. 			ctx.ServerError("HasScope", err)

  87. 			return

  88. 		}

  89. 

  90. 		if !scopeMatched {

  91. 			ctx.HTTPError(http.StatusForbidden)

  92. 			return

  93. 		}

  94. 	}

  95. }