From c43db9929be165c11845b2d185adee760613bb83 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 6 Sep 2018 08:46:34 +0200
Subject: [PATCH] Namespaces now respect user rights
---
 models/namespace_rights.go | 40 ++++++++++++++++++++++++++++----------
 models/namespaces.go | 2 ++
 2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/models/namespace_rights.go b/models/namespace_rights.go
index 97d7a3d95..62485bb9d 100644
--- a/models/namespace_rights.go
+++ b/models/namespace_rights.go
@@ -2,25 +2,29 @@ package models
 // IsAdmin returns true or false if the user is admin on that namespace or not
 func (n *Namespace) IsAdmin(user *User) bool {
- // Owners always have admin rights
 if user.ID == n.Owner.ID {
 return true
 }
+ // Check user rights
+ if n.checkUserRights(user, UserRightAdmin){
+ return true
+ }
+
 // Check if that user is in a team which has admin rights to that namespace
 return n.checkTeamRights(user, TeamRightAdmin)
 }
 // CanWrite checks if a user has write access to a namespace
 func (n *Namespace) CanWrite(user *User) bool {
- // Owners always have access
- if user.ID == n.Owner.ID {
+ // Admins always have write access
+ if n.IsAdmin(user) {
 return true
 }
- // Admins always have write access
- if n.IsAdmin(user) {
+ // Check user rights
+ if n.checkUserRights(user, UserRightWrite){
 return true
 }
@@ -30,13 +34,13 @@ func (n *Namespace) CanWrite(user *User) bool {
 // CanRead checks if a user has read access to that namespace
 func (n *Namespace) CanRead(user *User) bool {
- // Owners always have access
- if user.ID == n.Owner.ID {
+ // Admins always have read access
+ if n.IsAdmin(user) {
 return true
 }
- // Admins always have read access
- if n.IsAdmin(user) {
+ // Check user rights
+ if n.checkUserRights(user, UserRightRead){
 return true
 }
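Review bot: The new condition `if n.checkUserRights(user, UserRightAdmin){` in IsAdmin, and the matching `UserRightWrite){` and `UserRightRead){` lines in CanWrite and CanRead (the `@@ -30` hunk), are missing the space before `{`, so the file is no longer gofmt-clean; the formatted form is `if n.checkUserRights(user, UserRightAdmin) {`. Dropping the explicit owner comparison from CanWrite and CanRead is safe because IsAdmin still short-circuits on `user.ID == n.Owner.ID`, but each of those methods now issues the queries behind IsAdmin (user rights, then team rights) before running its own check, which is worth a comment such as `// IsAdmin covers the owner case and is consulted before any per-level lookup`. The body of CanWrite continues past the end of the first hunk.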
@@ -69,7 +73,23 @@ func (n *Namespace) checkTeamRights(user *User, r TeamRight) bool {
 Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
 Where("namespaces.id = ? " +
 "AND ((team_members.user_id = ? AND team_namespaces.right = ?) " +
- "OR namespaces.owner_id = ?)", n.ID, user.ID, r, user.ID).
+ "OR namespaces.owner_id = ? ", n.ID, user.ID, r, user.ID).
+ Get(&Namespace{})
+
+ if err != nil {
+ return false
+ }
+
+ return exists
+}
+
+func (n *Namespace) checkUserRights(user *User, r UserRight) bool {
+ exists, err := x.Select("namespaces.*").
+ Table("namespaces").
+ Join("LEFT", "users_namespace", "users_namespace.namespace_id = namespaces.id").
+ Where("namespaces.id = ? " +
+ "OR namespaces.owner_id = ? " +
+ "OR (users_namespace.user_id = ? AND users_namespace.right = ?))", n.ID, user.ID, user.ID, r).
 Get(&Namespace{})
 if err != nil {
diff --git a/models/namespaces.go b/models/namespaces.go
index 03863b37b..6c47a36b3 100644
--- a/models/namespaces.go
+++ b/models/namespaces.go
@@ -74,8 +74,10 @@ func (n *Namespace) ReadAll(doer *User) (interface{}, error) {
 Table("namespaces").
 Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
 Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
+ Join("LEFT", "users_namespace", "users_namespace.namespace_id = namespaces.id").
 Where("team_members.user_id = ?", doer.ID).
 Or("namespaces.owner_id = ?", doer.ID).
+ Or("users_namespace.user_id = ?", doer.ID).
 GroupBy("namespaces.id").
 Find(&all)
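Review bot: The WHERE clause built in the new checkUserRights ORs `namespaces.id = ?` with the owner and users_namespace conditions instead of ANDing it, so once the statement parses, any existing namespace satisfies it for every caller, and because IsAdmin now consults checkUserRights that would grant admin on every namespace to every user. As committed the clause is also unbalanced (`OR (users_namespace.user_id = ? AND users_namespace.right = ?))` opens one group and closes two), so the query fails and the `if err != nil {` that follows — whose body, presumably `return false` as in the copy added just above, lies outside the hunk — turns that failure into a silent "no access", which hides the defect at runtime. The intended predicate is `"namespaces.id = ? AND (namespaces.owner_id = ? OR (users_namespace.user_id = ? AND users_namespace.right = ?))"` with the bind order left as is. The same hunk's edit to checkTeamRights drops the `)` that closed the `AND ((` group, leaving `"OR namespaces.owner_id = ? "` unbalanced too; it should remain `"OR namespaces.owner_id = ?)"`. In both helpers a query error should at least be logged before returning false, since a malformed statement is otherwise indistinguishable from a denied request.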
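Review bot: The added `Or("users_namespace.user_id = ?", doer.ID)` lists a namespace for any users_namespace row regardless of its right column, while CanRead in namespace_rights.go compares `users_namespace.right = ?` against UserRightRead exactly; unless the remainder of CanRead (outside its hunk) also accepts write and admin grants, a user holding only those in users_namespace will see the namespace in ReadAll but fail the per-namespace read check. A comment on the new Or line would make the intent explicit, e.g. `// Any right granted via users_namespace makes the namespace visible in the listing`. ReadAll starts before this hunk, so the Select and the handling of err after Find are not visible here.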