From e602914659589a3ead1e40b1f0a09c840f22b913 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 25 Jul 2018 00:49:44 +0200
Subject: [PATCH] Implemented proper check for team rights on namespaces

---
 models/list_rights.go | 2 +-
 models/namespace_rights.go | 42 +++++++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/models/list_rights.go b/models/list_rights.go
index c58eacbbd4d..00221b69174 100644
--- a/models/list_rights.go
+++ b/models/list_rights.go
@@ -68,7 +68,7 @@ func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
 Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
 Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
 Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?",
- user.ID, r, user.ID, r, l.ID).
+ user.ID, r, user.ID, r, l.ID).
 Get(&List{})
 if err != nil {
 return false
diff --git a/models/namespace_rights.go b/models/namespace_rights.go
index 66cc48d8798..a090a296663 100644
--- a/models/namespace_rights.go
+++ b/models/namespace_rights.go
@@ -9,9 +9,7 @@ func (n *Namespace) IsAdmin(user *User) bool {
 }
 
 // Check if that user is in a team which has admin rights to that namespace
- // TODO
-
- return false
+ return n.checkTeamRights(user, TeamRightAdmin)
 }
 
 // CanWrite checks if a user has write access to a namespace
@@ -21,7 +19,13 @@ func (n *Namespace) CanWrite(user *User) bool {
 return true
 }
 
- return true
+ // Admins always have write access
+ if n.IsAdmin(user) {
+ return true
+ }
+
+ // Check if that user is in a team which has write rights to that namespace
+ return n.checkTeamRights(user, TeamRightWrite)
 }
 
 // CanRead checks if a user has read access to that namespace
@@ -37,19 +41,7 @@ func (n *Namespace) CanRead(user *User) bool {
 }
 
 // Check if the user is in a team which has access to the namespace
- all := Namespace{}
- // TODO respect individual rights
- exists, _ := x.Select("namespaces.*").
- Table("namespaces").
- Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
- Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
- Where("team_members.user_id = ?", user.ID).
- Or("namespaces.owner_id = ?", user.ID).
- And("namespaces.id = ?", n.ID).
- GroupBy("namespaces.id").
- Get(&all)
-
- return exists
+ return n.checkTeamRights(user, TeamRightRead)
 }
 
 // CanUpdate checks if the user can update the namespace
@@ -69,3 +61,19 @@ func (n *Namespace) CanCreate(user *User) bool {
 // This is currently a dummy function, later on we could imagine global limits etc.
 return true
 }
+
+func (n *Namespace) checkTeamRights(user *User, r TeamRight) bool {
+ exists, err := x.Select("namespaces.*").
+ Table("namespaces").
+ Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
+ Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
+ Where("team_members.user_id = ? AND team_namespaces.right = ?", user.ID, r).
+ Or("namespaces.owner_id = ?", user.ID).
+ Get(&Namespace{})
+
+ if err != nil {
+ return false
+ }
+
+ return exists
+}
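Review bot: CanRead now requires an exact `team_namespaces.right = TeamRightRead` match through checkTeamRights, whereas the removed query granted read access to any team member regardless of the right held; a member of a team that holds only the write or admin right is therefore denied read unless CanRead already tests IsAdmin or CanWrite above this hunk (the function starts outside it). CanWrite in the previous hunk falls back to IsAdmin for exactly this reason, and CanRead should mirror it, e.g. `if n.CanWrite(user) { return true }` placed before the `return n.checkTeamRights(user, TeamRightRead)` line. If TeamRight values are ordered, a `>=` comparison inside checkTeamRights would be the alternative, but the enum's definition is not in this patch, so that cannot be confirmed here.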
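Review bot: checkTeamRights never restricts the query to this namespace — the `.And("namespaces.id = ?", n.ID)` that the removed CanRead query carried is gone, so `exists` becomes true whenever the user holds right `r` on any namespace, or owns any namespace at all through the Or clause; since IsAdmin and CanWrite are now routed through this helper, owning a single namespace yields admin on every other one. The owner branch also needs grouping so the id filter applies to both sides: `Where("(team_members.user_id = ? AND team_namespaces.right = ?) OR namespaces.owner_id = ?", user.ID, r, user.ID).` followed by `And("namespaces.id = ?", n.ID).` before the Get call. Whether xorm parenthesises a Where/Or pair on its own is not visible in this patch, so the explicit grouping is the safer form. A doc comment on the new method noting that it also matches the namespace owner would help callers that already test ownership separately.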