update AccessibleGroupCondition function to take a minimum perm.AccessMode as a parameter

GamerGirlandCo · GamerGirlandCo · commit 1a4869492cc6 · 2025-08-13T22:04:26.000-04:00
diff --git a/models/group/group.go b/models/group/group.go
@@ -94,7 +94,7 @@ func (g *Group) LoadSubgroups(ctx context.Context, recursive bool) error {
 }
 
 func (g *Group) LoadAccessibleSubgroups(ctx context.Context, recursive bool, doer *user_model.User) error {
-	return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid), 0)
+	return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid, perm.AccessModeRead), 0)
 }
 
 func (g *Group) LoadAttributes(ctx context.Context) error {
@@ -129,13 +129,12 @@ func (g *Group) LoadOwner(ctx context.Context) error {
 	return err
 }
 
-func (g *Group) CanAccess(ctx context.Context, userID int64) (bool, error) {
-	return g.CanAccessAtLevel(ctx, userID, perm.AccessModeRead)
+func (g *Group) CanAccess(ctx context.Context, user *user_model.User) (bool, error) {
+	return g.CanAccessAtLevel(ctx, user, perm.AccessModeRead)
 }
 
-func (g *Group) CanAccessAtLevel(ctx context.Context, userID int64, level perm.AccessMode) (bool, error) {
-	return db.GetEngine(ctx).
-		Where(UserOrgTeamPermCond("id", userID, level)).Table("repo_group").Exist()
+func (g *Group) CanAccessAtLevel(ctx context.Context, user *user_model.User, level perm.AccessMode) (bool, error) {
+	return db.GetEngine(ctx).Where(AccessibleGroupCondition(user, unit.TypeInvalid, level).And(builder.Eq{"`repo_group`.id": g.ID})).Exist(&Group{})
 }
 
 func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) {
@@ -337,9 +336,10 @@ func UpdateGroup(ctx context.Context, group *Group) error {
 func MoveGroup(ctx context.Context, group *Group, newParent int64, newSortOrder int) error {
 	sess := db.GetEngine(ctx)
 	ng, err := GetGroupByID(ctx, newParent)
-	if !IsErrGroupNotExist(err) {
+	if err != nil && !IsErrGroupNotExist(err) {
 		return err
 	}
+
 	if ng != nil {
 		if ng.OwnerID != group.OwnerID {
 			return fmt.Errorf("group[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", group.ID, ng.ID)
diff --git a/models/group/group_list.go b/models/group/group_list.go
@@ -33,6 +33,7 @@ func userOrgTeamGroupBuilder(userID int64) *builder.Builder {
 		Where(builder.Eq{"`team_user`.uid": userID})
 }
 
+// UserOrgTeamPermCond returns a condition to select ids of groups that a user can access at the level described by `level`
 func UserOrgTeamPermCond(idStr string, userID int64, level perm.AccessMode) builder.Cond {
 	selCond := userOrgTeamGroupBuilder(userID)
 	selCond = selCond.InnerJoin("team", "`team`.id = `repo_group_team`.team_id").
@@ -60,22 +61,23 @@ func userOrgTeamUnitGroupBuilder(userID int64, unitType unit.Type) *builder.Buil
 }
 
 // AccessibleGroupCondition returns a condition that matches groups which a user can access via the specified unit
-func AccessibleGroupCondition(user *user_model.User, unitType unit.Type) builder.Cond {
+func AccessibleGroupCondition(user *user_model.User, unitType unit.Type, minMode perm.AccessMode) builder.Cond {
 	cond := builder.NewCond()
 	if user == nil || !user.IsRestricted || user.ID <= 0 {
 		orgVisibilityLimit := []structs.VisibleType{structs.VisibleTypePrivate}
 		if user == nil || user.ID <= 0 {
 			orgVisibilityLimit = append(orgVisibilityLimit, structs.VisibleTypeLimited)
 		}
 		cond = cond.Or(builder.And(
-			builder.Eq{"`repo_group`.is_private": false},
+			builder.Eq{"`repo_group`.visibility": structs.VisibleTypePublic},
 			builder.NotIn("`repo_group`.owner_id", builder.Select("id").From("`user`").Where(
 				builder.And(
 					builder.Eq{"type": user_model.UserTypeOrganization},
 					builder.In("visibility", orgVisibilityLimit)),
 			))))
 	}
 	if user != nil {
+		cond = cond.Or(UserOrgTeamPermCond("`repo_group`.id", user.ID, minMode))
 		if unitType == unit.TypeInvalid {
 			cond = cond.Or(
 				UserOrgTeamGroupCond("`repo_group`.id", user.ID),
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -529,12 +529,8 @@ func reqGroupMembership(mode perm.AccessMode, needsCreatePerm bool) func(ctx *co
 			ctx.APIErrorInternal(err)
 			return
 		}
-		var canAccess bool
-		if ctx.IsSigned {
-			canAccess, err = g.CanAccessAtLevel(ctx, ctx.Doer.ID, mode)
-		} else {
-			canAccess, err = g.CanAccessAtLevel(ctx, 0, mode)
-		}
+		canAccess, err := g.CanAccessAtLevel(ctx, ctx.Doer, mode)
+
 		if err != nil {
 			ctx.APIErrorInternal(err)
 			return

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ func (g *Group) LoadSubgroups(ctx context.Context, recursive bool) error {`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`func (g Group) LoadAccessibleSubgroups(ctx context.Context, recursive bool, doer user_model.User) error {`
`97`		`- return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid), 0)`
	`97`	`+ return g.doLoadSubgroups(ctx, recursive, AccessibleGroupCondition(doer, unit.TypeInvalid, perm.AccessModeRead), 0)`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`func (g *Group) LoadAttributes(ctx context.Context) error {`
`@@ -129,13 +129,12 @@ func (g *Group) LoadOwner(ctx context.Context) error {`
`129`	`129`	`return err`
`130`	`130`	`}`
`131`	`131`
`132`		`-func (g *Group) CanAccess(ctx context.Context, userID int64) (bool, error) {`
`133`		`- return g.CanAccessAtLevel(ctx, userID, perm.AccessModeRead)`
	`132`	`+func (g Group) CanAccess(ctx context.Context, user user_model.User) (bool, error) {`
	`133`	`+ return g.CanAccessAtLevel(ctx, user, perm.AccessModeRead)`
`134`	`134`	`}`
`135`	`135`
`136`		`-func (g *Group) CanAccessAtLevel(ctx context.Context, userID int64, level perm.AccessMode) (bool, error) {`
`137`		`- return db.GetEngine(ctx).`
`138`		`- Where(UserOrgTeamPermCond("id", userID, level)).Table("repo_group").Exist()`
	`136`	`+func (g Group) CanAccessAtLevel(ctx context.Context, user user_model.User, level perm.AccessMode) (bool, error) {`
	`137`	+ return db.GetEngine(ctx).Where(AccessibleGroupCondition(user, unit.TypeInvalid, level).And(builder.Eq{"`repo_group`.id": g.ID})).Exist(&Group{})
`139`	`138`	`}`
`140`	`139`
`141`	`140`	`func (g *Group) IsOwnedBy(ctx context.Context, userID int64) (bool, error) {`
`@@ -337,9 +336,10 @@ func UpdateGroup(ctx context.Context, group *Group) error {`
`337`	`336`	`func MoveGroup(ctx context.Context, group *Group, newParent int64, newSortOrder int) error {`
`338`	`337`	`sess := db.GetEngine(ctx)`
`339`	`338`	`ng, err := GetGroupByID(ctx, newParent)`
`340`		`- if !IsErrGroupNotExist(err) {`
	`339`	`+ if err != nil && !IsErrGroupNotExist(err) {`
`341`	`340`	`return err`
`342`	`341`	`}`
	`342`	`+`
`343`	`343`	`if ng != nil {`
`344`	`344`	`if ng.OwnerID != group.OwnerID {`
`345`	`345`	`return fmt.Errorf("group[%d]'s ownerID is not equal to new parent group[%d]'s owner ID", group.ID, ng.ID)`