2022-03-30 14:12:47 +05:30
// Copyright 2021 The Gitea Authors. All rights reserved.
2022-11-27 23:50:29 +05:30
// SPDX-License-Identifier: MIT
2022-03-30 14:12:47 +05:30
package context
import (
2022-08-28 15:13:25 +05:30
gocontext "context"
2022-03-30 14:12:47 +05:30
"fmt"
"net/http"
"code.gitea.io/gitea/models/organization"
packages_model "code.gitea.io/gitea/models/packages"
"code.gitea.io/gitea/models/perm"
2022-07-28 18:34:03 +05:30
"code.gitea.io/gitea/models/unit"
2022-03-30 14:12:47 +05:30
user_model "code.gitea.io/gitea/models/user"
2022-09-21 18:31:18 +05:30
"code.gitea.io/gitea/modules/setting"
2022-05-19 21:26:45 +05:30
"code.gitea.io/gitea/modules/structs"
2022-08-28 15:13:25 +05:30
"code.gitea.io/gitea/modules/templates"
2023-05-04 12:06:34 +05:30
"code.gitea.io/gitea/modules/web/middleware"
2022-03-30 14:12:47 +05:30
)
// Package contains owner, access mode and optional the package descriptor
type Package struct {
Owner * user_model . User
AccessMode perm . AccessMode
Descriptor * packages_model . PackageDescriptor
}
// PackageAssignment returns a middleware to handle Context.Package assignment
func PackageAssignment ( ) func ( ctx * Context ) {
return func ( ctx * Context ) {
packageAssignment ( ctx , func ( status int , title string , obj interface { } ) {
err , ok := obj . ( error )
if ! ok {
err = fmt . Errorf ( "%s" , obj )
}
if status == http . StatusNotFound {
ctx . NotFound ( title , err )
} else {
ctx . ServerError ( title , err )
}
} )
}
}
// PackageAssignmentAPI returns a middleware to handle Context.Package assignment
func PackageAssignmentAPI ( ) func ( ctx * APIContext ) {
return func ( ctx * APIContext ) {
packageAssignment ( ctx . Context , ctx . Error )
}
}
func packageAssignment ( ctx * Context , errCb func ( int , string , interface { } ) ) {
ctx . Package = & Package {
Owner : ctx . ContextUser ,
}
2022-09-21 18:31:18 +05:30
var err error
ctx . Package . AccessMode , err = determineAccessMode ( ctx )
if err != nil {
errCb ( http . StatusInternalServerError , "determineAccessMode" , err )
return
}
packageType := ctx . Params ( "type" )
name := ctx . Params ( "name" )
version := ctx . Params ( "version" )
if packageType != "" && name != "" && version != "" {
pv , err := packages_model . GetVersionByNameAndVersion ( ctx , ctx . Package . Owner . ID , packages_model . Type ( packageType ) , name , version )
if err != nil {
if err == packages_model . ErrPackageNotExist {
errCb ( http . StatusNotFound , "GetVersionByNameAndVersion" , err )
} else {
errCb ( http . StatusInternalServerError , "GetVersionByNameAndVersion" , err )
}
return
}
ctx . Package . Descriptor , err = packages_model . GetPackageDescriptor ( ctx , pv )
if err != nil {
errCb ( http . StatusInternalServerError , "GetPackageDescriptor" , err )
return
}
}
}
func determineAccessMode ( ctx * Context ) ( perm . AccessMode , error ) {
if setting . Service . RequireSignInView && ctx . Doer == nil {
2022-10-25 00:53:25 +05:30
return perm . AccessModeNone , nil
2022-09-21 18:31:18 +05:30
}
2022-10-25 00:53:25 +05:30
if ctx . Doer != nil && ! ctx . Doer . IsGhost ( ) && ( ! ctx . Doer . IsActive || ctx . Doer . ProhibitLogin ) {
return perm . AccessModeNone , nil
}
2023-04-06 19:48:29 +05:30
// TODO: ActionUser permission check
2022-10-25 00:53:25 +05:30
accessMode := perm . AccessModeNone
2022-05-19 21:26:45 +05:30
if ctx . Package . Owner . IsOrganization ( ) {
2022-07-28 18:34:03 +05:30
org := organization . OrgFromUser ( ctx . Package . Owner )
2023-04-06 19:48:29 +05:30
if ctx . Doer != nil && ! ctx . Doer . IsGhost ( ) {
// 1. If user is logged in, check all team packages permissions
teams , err := organization . GetUserOrgTeams ( ctx , org . ID , ctx . Doer . ID )
2022-05-19 21:26:45 +05:30
if err != nil {
2022-09-21 18:31:18 +05:30
return accessMode , err
2022-05-19 21:26:45 +05:30
}
2023-04-06 19:48:29 +05:30
for _ , t := range teams {
perm := t . UnitAccessMode ( ctx , unit . TypePackages )
if accessMode < perm {
accessMode = perm
2022-07-28 18:34:03 +05:30
}
}
2023-04-06 19:48:29 +05:30
} else if organization . HasOrgOrUserVisible ( ctx , ctx . Package . Owner , ctx . Doer ) {
// 2. If user is non-login, check if org is visible to non-login user
2022-09-21 18:31:18 +05:30
accessMode = perm . AccessModeRead
2022-05-19 21:26:45 +05:30
}
2022-03-30 14:12:47 +05:30
} else {
2022-05-19 21:26:45 +05:30
if ctx . Doer != nil && ! ctx . Doer . IsGhost ( ) {
// 1. Check if user is package owner
if ctx . Doer . ID == ctx . Package . Owner . ID {
2022-09-21 18:31:18 +05:30
accessMode = perm . AccessModeOwner
2022-05-19 21:26:45 +05:30
} else if ctx . Package . Owner . Visibility == structs . VisibleTypePublic || ctx . Package . Owner . Visibility == structs . VisibleTypeLimited { // 2. Check if package owner is public or limited
2022-09-21 18:31:18 +05:30
accessMode = perm . AccessModeRead
2022-03-30 14:12:47 +05:30
}
2022-05-19 21:26:45 +05:30
} else if ctx . Package . Owner . Visibility == structs . VisibleTypePublic { // 3. Check if package owner is public
2022-09-21 18:31:18 +05:30
accessMode = perm . AccessModeRead
2022-03-30 14:12:47 +05:30
}
}
2022-09-21 18:31:18 +05:30
return accessMode , nil
2022-03-30 14:12:47 +05:30
}
// PackageContexter initializes a package context for a request.
2022-08-28 15:13:25 +05:30
func PackageContexter ( ctx gocontext . Context ) func ( next http . Handler ) http . Handler {
2023-04-30 17:52:23 +05:30
rnd := templates . HTMLRenderer ( )
2022-03-30 14:12:47 +05:30
return func ( next http . Handler ) http . Handler {
return http . HandlerFunc ( func ( resp http . ResponseWriter , req * http . Request ) {
ctx := Context {
2022-08-28 15:13:25 +05:30
Resp : NewResponse ( resp ) ,
2023-05-04 12:06:34 +05:30
Data : middleware . GetContextData ( req . Context ( ) ) ,
2022-08-28 15:13:25 +05:30
Render : rnd ,
2022-03-30 14:12:47 +05:30
}
2022-05-05 19:43:23 +05:30
defer ctx . Close ( )
2022-03-30 14:12:47 +05:30
ctx . Req = WithContext ( req , & ctx )
next . ServeHTTP ( ctx . Resp , ctx . Req )
} )
}
}