Improve permission check of packages (#23879)

At first, we have one unified team unit permission which is called `Team.Authorize` in DB. But since https://github.com/go-gitea/gitea/pull/17811, we allowed different units to have different permission. The old code is only designed for the old version. So after #17811, if org users have write permission of other units, but have no permission of packages, they can also get write permission of packages. Co-authored-by: delvh <dev.lh@web.de>
2023-04-06 23:18:29 +09:00 · 2023-04-06 23:18:29 +09:00 · bbf83f5d4b
commit bbf83f5d4b
parent 5cb394ff2f
8 changed files with 63 additions and 26 deletions
--- a/models/fixtures/org_user.yml
+++ b/models/fixtures/org_user.yml
@ -75,3 +75,9 @@
  uid: 31
  org_id: 19
  is_public: true
+
+-
+  id: 14
+  uid: 5
+  org_id: 23
+  is_public: false
--- a/models/fixtures/team.yml
+++ b/models/fixtures/team.yml
@ -172,4 +172,15 @@
  num_repos: 0
  num_members: 0
  includes_all_repositories: false
-  can_create_org_repo: true
+  can_create_org_repo: true
+
+-
+  id: 17
+  org_id: 23
+  lower_name: team14writeauth
+  name: team14WriteAuth
+  authorize: 2 # write
+  num_repos: 0
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: true
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@ -268,3 +268,9 @@
  team_id: 9
  type: 1 # code
  access_mode: 1
+
+-
+  id: 46
+  team_id: 17
+  type: 9 # package
+  access_mode: 0
--- a/models/fixtures/team_user.yml
+++ b/models/fixtures/team_user.yml
@ -99,3 +99,9 @@
  org_id: 3
  team_id: 14
  uid: 2
+
+-
+  id: 18
+  org_id: 23
+  team_id: 17
+  uid: 5
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@ -844,8 +844,8 @@
  num_following: 0
  num_stars: 0
  num_repos: 2
-  num_teams: 1
-  num_members: 0
+  num_teams: 2
+  num_members: 1
  visibility: 2
  repo_admin_change_team_access: false
  theme: ""
--- a/models/organization/org_test.go
+++ b/models/organization/org_test.go
@ -212,25 +212,31 @@ func TestGetOrgUsersByUserID(t *testing.T) {

 	orgUsers, err := organization.GetOrgUsersByUserID(5, &organization.SearchOrganizationsOptions{All: true})
 	assert.NoError(t, err)
-	if assert.Len(t, orgUsers, 2) {
+	if assert.Len(t, orgUsers, 3) {
 		assert.Equal(t, organization.OrgUser{
 			ID:       orgUsers[0].ID,
-			OrgID:    6,
+			OrgID:    23,
 			UID:      5,
-			IsPublic: true,
+			IsPublic: false,
 		}, *orgUsers[0])
 		assert.Equal(t, organization.OrgUser{
 			ID:       orgUsers[1].ID,
+			OrgID:    6,
+			UID:      5,
+			IsPublic: true,
+		}, *orgUsers[1])
+		assert.Equal(t, organization.OrgUser{
+			ID:       orgUsers[2].ID,
 			OrgID:    7,
 			UID:      5,
 			IsPublic: false,
-		}, *orgUsers[1])
+		}, *orgUsers[2])
 	}

 	publicOrgUsers, err := organization.GetOrgUsersByUserID(5, &organization.SearchOrganizationsOptions{All: false})
 	assert.NoError(t, err)
 	assert.Len(t, publicOrgUsers, 1)
-	assert.Equal(t, *orgUsers[0], *publicOrgUsers[0])
+	assert.Equal(t, *orgUsers[1], *publicOrgUsers[0])

 	orgUsers, err = organization.GetOrgUsersByUserID(1, &organization.SearchOrganizationsOptions{All: true})
 	assert.NoError(t, err)