Add team permission setting to allow creating repo in organization.

davidsvantesson · davidsvantesson · commit 8d98450d7005 · 2019-09-24T22:21:56.000+02:00
Signed-off-by: David Svantesson &lt;davidsvantesson@gmail.com&gt;
diff --git a/models/org.go b/models/org.go
@@ -29,6 +29,10 @@ func (org *User) IsOrgMember(uid int64) (bool, error) {
 	return IsOrganizationMember(org.ID, uid)
 }
 
+func (org *User) CanCreateOrgRepo(uid int64) (bool, error) {
+	return CanCreateOrgRepo(org.ID, uid)
+}
+
 func (org *User) getTeam(e Engine, name string) (*Team, error) {
 	return getTeam(e, org.ID, name)
 }
@@ -149,11 +153,12 @@ func CreateOrganization(org, owner *User) (err error) {
 
 	// Create default owner team.
 	t := &Team{
-		OrgID:      org.ID,
-		LowerName:  strings.ToLower(ownerTeamName),
-		Name:       ownerTeamName,
-		Authorize:  AccessModeOwner,
-		NumMembers: 1,
+		OrgID:            org.ID,
+		LowerName:        strings.ToLower(ownerTeamName),
+		Name:             ownerTeamName,
+		Authorize:        AccessModeOwner,
+		NumMembers:       1,
+		CanCreateOrgRepo: true,
 	}
 	if _, err = sess.Insert(t); err != nil {
 		return fmt.Errorf("insert owner team: %v", err)
@@ -335,6 +340,18 @@ func IsPublicMembership(orgID, uid int64) (bool, error) {
 		Exist()
 }
 
+func CanCreateOrgRepo(orgID, uid int64) (bool, error) {
+	if owner, err := IsOrganizationOwner(orgID, uid); owner == true || err != nil {
+		return owner, err
+	}
+	return x.
+		Where("team.can_create_org_repo = true").
+		Join("INNER", "team_user", "team_user.team_id = team.id").
+		And("team_user.uid = ?", uid).
+		And("team_user.org_id = ?", orgID).
+		Exist(new(Team))
+}
+
 func getOrgsByUserID(sess *xorm.Session, userID int64, showAll bool) ([]*User, error) {
 	orgs := make([]*User, 0, 10)
 	if !showAll {
@@ -366,6 +383,17 @@ func getOwnedOrgsByUserID(sess *xorm.Session, userID int64) ([]*User, error) {
 		Find(&orgs)
 }
 
+func getOrgsCanCreateRepoByUserIDDesc(sess *xorm.Session, userID int64) ([]*User, error) {
+	orgs := make([]*User, 0, 10)
+	return orgs, sess.
+		Join("INNER", "`team_user`", "`team_user`.org_id=`user`.id").
+		Join("INNER", "`team`", "`team`.id=`team_user`.team_id").
+		Where("`team_user`.uid=?", userID).
+		And(builder.Eq{"`team`.authorize": AccessModeOwner}.Or(builder.Eq{"`team`.can_create_org_repo": true})).
+		Asc("`user`.name").
+		Find(&orgs)
+}
+
 // HasOrgVisible tells if the given user can see the given org
 func HasOrgVisible(org *User, user *User) bool {
 	return hasOrgVisible(x, org, user)
@@ -414,6 +442,12 @@ func GetOwnedOrgsByUserIDDesc(userID int64, desc string) ([]*User, error) {
 	return getOwnedOrgsByUserID(x.Desc(desc), userID)
 }
 
+// GetOrgsCanCreateRepoByUserIDDesc returns a list of organizations where given user ID
+// are allowed to create repos, ordered descending by the given condition.
+func GetOrgsCanCreateRepoByUserIDDesc(userID int64, desc string) ([]*User, error) {
+	return getOrgsCanCreateRepoByUserIDDesc(x.Desc(desc), userID)
+}
+
 // GetOrgUsersByUserID returns all organization-user relations by user ID.
 func GetOrgUsersByUserID(uid int64, all bool) ([]*OrgUser, error) {
 	ous := make([]*OrgUser, 0, 10)
diff --git a/models/org_team.go b/models/org_team.go
@@ -21,17 +21,18 @@ const ownerTeamName = "Owners"
 
 // Team represents a organization team.
 type Team struct {
-	ID          int64 `xorm:"pk autoincr"`
-	OrgID       int64 `xorm:"INDEX"`
-	LowerName   string
-	Name        string
-	Description string
-	Authorize   AccessMode
-	Repos       []*Repository `xorm:"-"`
-	Members     []*User       `xorm:"-"`
-	NumRepos    int
-	NumMembers  int
-	Units       []*TeamUnit `xorm:"-"`
+	ID               int64 `xorm:"pk autoincr"`
+	OrgID            int64 `xorm:"INDEX"`
+	LowerName        string
+	Name             string
+	Description      string
+	Authorize        AccessMode
+	Repos            []*Repository `xorm:"-"`
+	Members          []*User       `xorm:"-"`
+	NumRepos         int
+	NumMembers       int
+	Units            []*TeamUnit `xorm:"-"`
+	CanCreateOrgRepo bool        `xorm:"NOT NULL DEFAULT false"`
 }
 
 // ColorFormat provides a basic color format for a Team
diff --git a/models/repo.go b/models/repo.go
@@ -1326,7 +1326,18 @@ func createRepository(e *xorm.Session, doer, u *User, repo *Repository) (err err
 			return fmt.Errorf("getOwnerTeam: %v", err)
 		} else if err = t.addRepository(e, repo); err != nil {
 			return fmt.Errorf("addRepository: %v", err)
-		} else if err = prepareWebhooks(e, repo, HookEventRepository, &api.RepositoryPayload{
+		}
+
+		if !t.IsMember(doer.ID) {
+			// If creator not in owner team, make repo admin
+			if err = repo.addCollaborator(e, doer); err != nil {
+				return fmt.Errorf("AddCollaborator: %v", err)
+			} else if err = repo.changeCollaborationAccessMode(e, doer.ID, AccessModeAdmin); err != nil {
+				return fmt.Errorf("ChangeCollaborationAccessMode: %v", err)
+			}
+		}
+
+		if err = prepareWebhooks(e, repo, HookEventRepository, &api.RepositoryPayload{
 			Action:       api.HookRepoCreated,
 			Repository:   repo.innerAPIFormat(e, AccessModeOwner, false),
 			Organization: u.APIFormat(),
diff --git a/models/repo_collaboration.go b/models/repo_collaboration.go
@@ -16,41 +16,39 @@ type Collaboration struct {
 	Mode   AccessMode `xorm:"DEFAULT 2 NOT NULL"`
 }
 
-// AddCollaborator adds new collaboration to a repository with default access mode.
-func (repo *Repository) AddCollaborator(u *User) error {
+func (repo *Repository) addCollaborator(e Engine, u *User) error {
 	collaboration := &Collaboration{
 		RepoID: repo.ID,
 		UserID: u.ID,
 	}
 
-	has, err := x.Get(collaboration)
+	has, err := e.Get(collaboration)
 	if err != nil {
 		return err
 	} else if has {
 		return nil
 	}
 	collaboration.Mode = AccessModeWrite
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	if _, err = sess.InsertOne(collaboration); err != nil {
+	if _, err = e.InsertOne(collaboration); err != nil {
 		return err
 	}
 
 	if repo.Owner.IsOrganization() {
-		err = repo.recalculateTeamAccesses(sess, 0)
+		err = repo.recalculateTeamAccesses(e, 0)
 	} else {
-		err = repo.recalculateAccesses(sess)
+		err = repo.recalculateAccesses(e)
 	}
 	if err != nil {
 		return fmt.Errorf("recalculateAccesses 'team=%v': %v", repo.Owner.IsOrganization(), err)
 	}
 
-	return sess.Commit()
+	return nil
+}
+
+// AddCollaborator adds new collaboration to a repository with default access mode.
+func (repo *Repository) AddCollaborator(u *User) error {
+	return repo.addCollaborator(x, u)
 }
 
 func (repo *Repository) getCollaborations(e Engine) ([]*Collaboration, error) {
@@ -98,8 +96,7 @@ func (repo *Repository) IsCollaborator(userID int64) (bool, error) {
 	return repo.isCollaborator(x, userID)
 }
 
-// ChangeCollaborationAccessMode sets new access mode for the collaboration.
-func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode) error {
+func (repo *Repository) changeCollaborationAccessMode(e Engine, uid int64, mode AccessMode) error {
 	// Discard invalid input
 	if mode <= AccessModeNone || mode > AccessModeOwner {
 		return nil
@@ -109,7 +106,7 @@ func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode
 		RepoID: repo.ID,
 		UserID: uid,
 	}
-	has, err := x.Get(collaboration)
+	has, err := e.Get(collaboration)
 	if err != nil {
 		return fmt.Errorf("get collaboration: %v", err)
 	} else if !has {
@@ -121,22 +118,21 @@ func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode
 	}
 	collaboration.Mode = mode
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	if _, err = sess.
+	if _, err = e.
 		ID(collaboration.ID).
 		Cols("mode").
 		Update(collaboration); err != nil {
 		return fmt.Errorf("update collaboration: %v", err)
-	} else if _, err = sess.Exec("UPDATE access SET mode = ? WHERE user_id = ? AND repo_id = ?", mode, uid, repo.ID); err != nil {
+	} else if _, err = e.Exec("UPDATE access SET mode = ? WHERE user_id = ? AND repo_id = ?", mode, uid, repo.ID); err != nil {
 		return fmt.Errorf("update access table: %v", err)
 	}
 
-	return sess.Commit()
+	return nil
+}
+
+// ChangeCollaborationAccessMode sets new access mode for the collaboration.
+func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode) error {
+	return repo.changeCollaborationAccessMode(x, uid, mode)
 }
 
 // DeleteCollaboration removes collaboration relation between the user and repository.
diff --git a/modules/auth/org.go b/modules/auth/org.go
@@ -57,10 +57,11 @@ func (f *UpdateOrgSettingForm) Validate(ctx *macaron.Context, errs binding.Error
 
 // CreateTeamForm form for creating team
 type CreateTeamForm struct {
-	TeamName    string `binding:"Required;AlphaDashDot;MaxSize(30)"`
-	Description string `binding:"MaxSize(255)"`
-	Permission  string
-	Units       []models.UnitType
+	TeamName         string `binding:"Required;AlphaDashDot;MaxSize(30)"`
+	Description      string `binding:"MaxSize(255)"`
+	Permission       string
+	Units            []models.UnitType
+	CanCreateOrgRepo bool
 }
 
 // Validate validates the fields
diff --git a/modules/context/org.go b/modules/context/org.go
@@ -15,12 +15,13 @@ import (
 
 // Organization contains organization context
 type Organization struct {
-	IsOwner      bool
-	IsMember     bool
-	IsTeamMember bool // Is member of team.
-	IsTeamAdmin  bool // In owner team or team that has admin permission level.
-	Organization *models.User
-	OrgLink      string
+	IsOwner          bool
+	IsMember         bool
+	IsTeamMember     bool // Is member of team.
+	IsTeamAdmin      bool // In owner team or team that has admin permission level.
+	Organization     *models.User
+	OrgLink          string
+	CanCreateOrgRepo bool
 
 	Team *models.Team
 }
@@ -73,6 +74,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 		ctx.Org.IsMember = true
 		ctx.Org.IsTeamMember = true
 		ctx.Org.IsTeamAdmin = true
+		ctx.Org.CanCreateOrgRepo = true
 	} else if ctx.IsSigned {
 		ctx.Org.IsOwner, err = org.IsOwnedBy(ctx.User.ID)
 		if err != nil {
@@ -84,12 +86,18 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 			ctx.Org.IsMember = true
 			ctx.Org.IsTeamMember = true
 			ctx.Org.IsTeamAdmin = true
+			ctx.Org.CanCreateOrgRepo = true
 		} else {
 			ctx.Org.IsMember, err = org.IsOrgMember(ctx.User.ID)
 			if err != nil {
 				ctx.ServerError("IsOrgMember", err)
 				return
 			}
+			ctx.Org.CanCreateOrgRepo, err = org.CanCreateOrgRepo(ctx.User.ID)
+			if err != nil {
+				ctx.ServerError("CanCreateOrgRepo", err)
+				return
+			}
 		}
 	} else {
 		// Fake data.
@@ -102,6 +110,7 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 	}
 	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
 	ctx.Data["IsOrganizationMember"] = ctx.Org.IsMember
+	ctx.Data["CanCreateOrgRepo"] = ctx.Org.CanCreateOrgRepo
 
 	ctx.Org.OrgLink = setting.AppSubURL + "/org/" + org.Name
 	ctx.Data["OrgLink"] = ctx.Org.OrgLink
diff --git a/modules/structs/org_team.go b/modules/structs/org_team.go
@@ -14,7 +14,8 @@ type Team struct {
 	// enum: none,read,write,admin,owner
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.ext_wiki"]
-	Units []string `json:"units"`
+	Units            []string `json:"units"`
+	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
 }
 
 // CreateTeamOption options for creating a team
@@ -25,7 +26,8 @@ type CreateTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.ext_wiki"]
-	Units []string `json:"units"`
+	Units            []string `json:"units"`
+	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
 }
 
 // EditTeamOption options for editing a team
@@ -36,5 +38,6 @@ type EditTeamOption struct {
 	// enum: read,write,admin
 	Permission string `json:"permission"`
 	// example: ["repo.code","repo.issues","repo.ext_issues","repo.wiki","repo.pulls","repo.releases","repo.ext_wiki"]
-	Units []string `json:"units"`
+	Units            []string `json:"units"`
+	CanCreateOrgRepo bool     `json:"can_create_org_repo"`
 }
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -1516,6 +1516,8 @@ members.invite_now = Invite Now
 
 teams.join = Join
 teams.leave = Leave
+teams.can_create_org_repo = Create repository permission
+teams.can_create_org_repo_helper = Team members are allowed to create repositories in organization.
 teams.read_access = Read Access
 teams.read_access_helper = Members can view and clone team repositories.
 teams.write_access = Write Access
diff --git a/routers/api/v1/convert/convert.go b/routers/api/v1/convert/convert.go
@@ -221,11 +221,12 @@ func ToOrganization(org *models.User) *api.Organization {
 // ToTeam convert models.Team to api.Team
 func ToTeam(team *models.Team) *api.Team {
 	return &api.Team{
-		ID:          team.ID,
-		Name:        team.Name,
-		Description: team.Description,
-		Permission:  team.Authorize.String(),
-		Units:       team.GetUnitNames(),
+		ID:               team.ID,
+		Name:             team.Name,
+		Description:      team.Description,
+		Permission:       team.Authorize.String(),
+		Units:            team.GetUnitNames(),
+		CanCreateOrgRepo: team.CanCreateOrgRepo,
 	}
 }
 
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
@@ -125,10 +125,11 @@ func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
 	//   "201":
 	//     "$ref": "#/responses/Team"
 	team := &models.Team{
-		OrgID:       ctx.Org.Organization.ID,
-		Name:        form.Name,
-		Description: form.Description,
-		Authorize:   models.ParseAccessMode(form.Permission),
+		OrgID:            ctx.Org.Organization.ID,
+		Name:             form.Name,
+		Description:      form.Description,
+		Authorize:        models.ParseAccessMode(form.Permission),
+		CanCreateOrgRepo: form.CanCreateOrgRepo,
 	}
 
 	unitTypes := models.FindUnitTypes(form.Units...)
@@ -183,6 +184,7 @@ func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
 	team.Description = form.Description
 	team.Authorize = models.ParseAccessMode(form.Permission)
 	unitTypes := models.FindUnitTypes(form.Units...)
+	team.CanCreateOrgRepo = form.CanCreateOrgRepo
 
 	if team.Authorize < models.AccessModeOwner {
 		var units = make([]*models.TeamUnit, 0, len(form.Units))
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
@@ -306,12 +306,12 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
 	}
 
 	if !ctx.User.IsAdmin {
-		isOwner, err := org.IsOwnedBy(ctx.User.ID)
+		canCreate, err := org.CanCreateOrgRepo(ctx.User.ID)
 		if err != nil {
-			ctx.ServerError("IsOwnedBy", err)
+			ctx.ServerError("CanCreateOrgRepo", err)
 			return
-		} else if !isOwner {
-			ctx.Error(403, "", "Given user is not owner of organization.")
+		} else if !canCreate {
+			ctx.Error(403, "", "Given user is not allowed to create repository in organization.")
 			return
 		}
 	}
diff --git a/routers/org/teams.go b/routers/org/teams.go
diff --git a/routers/repo/repo.go b/routers/repo/repo.go
diff --git a/templates/org/home.tmpl b/templates/org/home.tmpl
diff --git a/templates/org/team/new.tmpl b/templates/org/team/new.tmpl
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl

Original file line number	Diff line number	Diff line change
`@@ -306,12 +306,12 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {`
`306`	`306`	`}`
`307`	`307`
`308`	`308`	`if !ctx.User.IsAdmin {`
`309`		`- isOwner, err := org.IsOwnedBy(ctx.User.ID)`
	`309`	`+ canCreate, err := org.CanCreateOrgRepo(ctx.User.ID)`
`310`	`310`	`if err != nil {`
`311`		`- ctx.ServerError("IsOwnedBy", err)`
	`311`	`+ ctx.ServerError("CanCreateOrgRepo", err)`
`312`	`312`	`return`
`313`		`- } else if !isOwner {`
`314`		`- ctx.Error(403, "", "Given user is not owner of organization.")`
	`313`	`+ } else if !canCreate {`
	`314`	`+ ctx.Error(403, "", "Given user is not allowed to create repository in organization.")`
`315`	`315`	`return`
`316`	`316`	`}`
`317`	`317`	`}`