Move permission check to router layer

lunny · lunny · commit 7e073ec81195 · 2024-11-13T10:02:36.000-08:00
diff --git a/routers/api/v1/repo/collaborators.go b/routers/api/v1/repo/collaborators.go
@@ -17,6 +17,7 @@ import (
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/convert"
+	issue_service "code.gitea.io/gitea/services/issue"
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 )
@@ -321,6 +322,12 @@ func GetReviewers(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"
 
+	canChooseReviewer := issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, ctx.Repo.Repository, 0)
+	if !canChooseReviewer {
+		ctx.Error(http.StatusForbidden, "GetReviewers", errors.New("doer has no permission to get reviewers"))
+		return
+	}
+
 	reviewers, err := pull_service.GetReviewers(ctx, ctx.Repo.Repository, ctx.Doer.ID, 0)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "ListCollaborators", err)
diff --git a/routers/web/repo/issue_page_meta.go b/routers/web/repo/issue_page_meta.go
@@ -186,7 +186,7 @@ func (d *IssuePageMetaData) retrieveReviewersData(ctx *context.Context) {
 		if d.Issue == nil {
 			data.CanChooseReviewer = true
 		} else {
-			data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue)
+			data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue.PosterID)
 		}
 	}
 
diff --git a/services/issue/assignee.go b/services/issue/assignee.go
@@ -119,7 +119,7 @@ func isValidReviewRequest(ctx context.Context, reviewer, doer *user_model.User,
 		return err
 	}
 
-	canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)
+	canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
 
 	if isAdd {
 		if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) {
@@ -178,7 +178,7 @@ func isValidTeamReviewRequest(ctx context.Context, reviewer *organization.Team,
 		}
 	}
 
-	canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)
+	canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)
 
 	if isAdd {
 		if issue.Repo.IsPrivate {
@@ -276,12 +276,12 @@ func teamReviewRequestNotify(ctx context.Context, issue *issues_model.Issue, doe
 }
 
 // CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR
-func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, issue *issues_model.Issue) bool {
+func CanDoerChangeReviewRequests(ctx context.Context, doer *user_model.User, repo *repo_model.Repository, posterID int64) bool {
 	if repo.IsArchived {
 		return false
 	}
 	// The poster of the PR can change the reviewers
-	if doer.ID == issue.PosterID {
+	if doer.ID == posterID {
 		return true
 	}
 
diff --git a/services/pull/reviewer.go b/services/pull/reviewer.go
@@ -5,7 +5,6 @@ package pull
 
 import (
 	"context"
-	"fmt"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/organization"
@@ -53,14 +52,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
 			return nil, err
 		}
 		uniqueUserIDs.AddMultiple(additionalUserIDs...)
-
-		if repo.Owner.Visibility.IsLimited() && doerID == 0 {
-			return nil, fmt.Errorf("permission denied")
-		}
-
-		if (repo.IsPrivate || repo.Owner.Visibility.IsPrivate()) && !uniqueUserIDs.Contains(doerID) {
-			return nil, fmt.Errorf("permission denied")
-		}
 	} else {
 		userIDs := make([]int64, 0, 10)
 		if err := e.Table("access").
@@ -70,9 +61,6 @@ func GetReviewers(ctx context.Context, repo *repo_model.Repository, doerID, post
 			return nil, err
 		}
 		uniqueUserIDs.AddMultiple(userIDs...)
-		if repo.IsPrivate && !uniqueUserIDs.Contains(doerID) && doerID != repo.OwnerID {
-			return nil, fmt.Errorf("permission denied")
-		}
 	}
 
 	uniqueUserIDs.Remove(posterID) // posterID should not be in the list of reviewers

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ func (d IssuePageMetaData) retrieveReviewersData(ctx context.Context) {`
`186`	`186`	`if d.Issue == nil {`
`187`	`187`	`data.CanChooseReviewer = true`
`188`	`188`	`} else {`
`189`		`- data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue)`
	`189`	`+ data.CanChooseReviewer = issue_service.CanDoerChangeReviewRequests(ctx, ctx.Doer, repo, d.Issue.PosterID)`
`190`	`190`	`}`
`191`	`191`	`}`
`192`	`192`
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ func isValidReviewRequest(ctx context.Context, reviewer, doer *user_model.User,`
`119`	`119`	`return err`
`120`	`120`	`}`
`121`	`121`
`122`		`- canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)`
	`122`	`+ canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)`
`123`	`123`
`124`	`124`	`if isAdd {`
`125`	`125`	`if !permReviewer.CanAccessAny(perm.AccessModeRead, unit.TypePullRequests) {`
`@@ -178,7 +178,7 @@ func isValidTeamReviewRequest(ctx context.Context, reviewer *organization.Team,`
`178`	`178`	`}`
`179`	`179`	`}`
`180`	`180`
`181`		`- canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue)`
	`181`	`+ canDoerChangeReviewRequests := CanDoerChangeReviewRequests(ctx, doer, issue.Repo, issue.PosterID)`
`182`	`182`
`183`	`183`	`if isAdd {`
`184`	`184`	`if issue.Repo.IsPrivate {`
`@@ -276,12 +276,12 @@ func teamReviewRequestNotify(ctx context.Context, issue *issues_model.Issue, doe`
`276`	`276`	`}`
`277`	`277`
`278`	`278`	`// CanDoerChangeReviewRequests returns if the doer can add/remove review requests of a PR`
`279`		`-func CanDoerChangeReviewRequests(ctx context.Context, doer user_model.User, repo repo_model.Repository, issue *issues_model.Issue) bool {`
	`279`	`+func CanDoerChangeReviewRequests(ctx context.Context, doer user_model.User, repo repo_model.Repository, posterID int64) bool {`
`280`	`280`	`if repo.IsArchived {`
`281`	`281`	`return false`
`282`	`282`	`}`
`283`	`283`	`// The poster of the PR can change the reviewers`
`284`		`- if doer.ID == issue.PosterID {`
	`284`	`+ if doer.ID == posterID {`
`285`	`285`	`return true`
`286`	`286`	`}`
`287`	`287`