Team permission allow different unit has different permission

Author: lunny

models/migrations/migrations.go

@@ -359,6 +359,8 @@ var migrations = []Migration{
 	NewMigration("Drop table remote_version (if exists)", dropTableRemoteVersion),
 	// v202 -> v203
 	NewMigration("Create key/value table for user settings", createUserSettingsTable),
+	// v203 -> v204
+	NewMigration("Add column authorize column for team_unit table", addAuthorizeColForTeamUnit),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v203.go

@@ -0,0 +1,30 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"xorm.io/xorm"
+)
+
+func addAuthorizeColForTeamUnit(x *xorm.Engine) error {
+	type TeamUnit struct {
+		ID        int64 `xorm:"pk autoincr"`
+		OrgID     int64 `xorm:"INDEX"`
+		TeamID    int64 `xorm:"UNIQUE(s)"`
+		Type      int   `xorm:"UNIQUE(s)"`
+		Authorize int
+	}
+
+	if err := x.Sync2(new(TeamUnit)); err != nil {
+		return fmt.Errorf("sync2: %v", err)
+	}
+
+	// migrate old permission
+	_, err := x.Exec("UPDATE team_unit SET authorize = (SELECT authorize FROM team WHERE team.id = team_unit.team_id)")
+	return err
+
+}

models/org_team.go

@@ -441,6 +441,19 @@ func (t *Team) UnitEnabled(tp unit.Type) bool {
 	return t.unitEnabled(db.GetEngine(db.DefaultContext), tp)
 }
 
+func (t *Team) unitAccessMode(e db.Engine, tp unit.Type) AccessMode {
+	if err := t.getUnits(e); err != nil {
+		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
+	}
+
+	for _, unit := range t.Units {
+		if unit.Type == tp {
+			return unit.Authorize
+		}
+	}
+	return AccessModeNone
+}
+
 func (t *Team) unitEnabled(e db.Engine, tp unit.Type) bool {
 	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading team (ID: %d) units: %s", t.ID, err.Error())
@@ -1020,10 +1033,11 @@ func GetTeamsWithAccessToRepo(orgID, repoID int64, mode perm.AccessMode) ([]*Tea
 
 // TeamUnit describes all units of a repository
 type TeamUnit struct {
-	ID     int64     `xorm:"pk autoincr"`
-	OrgID  int64     `xorm:"INDEX"`
-	TeamID int64     `xorm:"UNIQUE(s)"`
-	Type   unit.Type `xorm:"UNIQUE(s)"`
+	ID        int64     `xorm:"pk autoincr"`
+	OrgID     int64     `xorm:"INDEX"`
+	TeamID    int64     `xorm:"UNIQUE(s)"`
+	Type      unit.Type `xorm:"UNIQUE(s)"`
+	Authorize AccessMode
 }
 
 // Unit returns Unit

models/repo_permission.go

@@ -245,10 +245,11 @@ func getUserRepoPermission(e db.Engine, repo *Repository, user *user_model.User)
 	for _, u := range repo.Units {
 		var found bool
 		for _, team := range teams {
-			if team.unitEnabled(e, u.Type) {
+			teamMode := team.unitAccessMode(e, u.Type)
+			if teamMode > AccessModeNone {
 				m := perm.UnitsMode[u.Type]
-				if m < team.Authorize {
-					perm.UnitsMode[u.Type] = team.Authorize
+				if m < teamMode {
+					perm.UnitsMode[u.Type] = teamMode
 				}
 				found = true
 			}

templates/org/team/new.tmpl

@@ -81,21 +81,44 @@
 							<div class="team-units required grouped field"{{if eq .Team.Authorize 3}} style="display: none"{{end}}>
 								<label>{{.i18n.Tr "org.team_unit_desc"}}</label>
 								<br>
-								{{range $t, $unit := $.Units}}
-								{{if $unit.Type.UnitGlobalDisabled}}
-								<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
-								{{else}}
-								<div class="field">
-								{{end}}
-									<div class="ui toggle checkbox">
-										<input type="checkbox" class="hidden" name="units" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
-										<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
-										<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
-									</div>
-								</div>
-								{{end}}
+								<table class="ui celled table">
+									<thead>
+										<tr><th>Unit</th><th>{{.i18n.Tr "org.teams.none_access"}}</th><th>{{.i18n.Tr "org.teams.read_access"}}</th><th>{{.i18n.Tr "org.teams.write_access"}}</th></tr>
+									</thead>
+									<tbody>
+										{{range $t, $unit := $.Units}}
+										<tr><td>
+										{{if $unit.Type.UnitGlobalDisabled}}
+										<div class="field tooltip" data-content="{{$.i18n.Tr "repo.unit_disabled"}}">
+										{{else}}
+										<div class="field">
+										{{end}}
+											<div class="ui">
+												<label>{{$.i18n.Tr $unit.NameKey}}{{if $unit.Type.UnitGlobalDisabled}} {{$.i18n.Tr "org.team_unit_disabled"}}{{end}}</label>
+												<span class="help">{{$.i18n.Tr $unit.DescKey}}</span>
+											</div>
+										</div>
+										</td>
+										<td>
+
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										<td>
+											<div class="ui radio checkbox">
+												<input type="radio" class="hidden" name="unit_{{$t}}" value="{{$unit.Type.Value}}"{{if or (eq $.Team.ID 0) ($.Team.UnitEnabled $unit.Type)}} checked{{end}}>
+											</div>
+										</td>
+										{{end}}
+									</tbody>
+								</table>
 							</div>
-							<div class="ui divider"></div>
 						{{end}}
 
 						<div class="field">