use visibility to alter permissions
parent
9ed9f8f1c9
commit
b1cbe65985
5 changed files with 31 additions and 69 deletions
|
@ -25,3 +25,9 @@ const (
|
|||
RepoFossil = "fossil"
|
||||
RepoPerforce = "perforce"
|
||||
)
|
||||
|
||||
const (
|
||||
VisibilityPublic = "public"
|
||||
VisibilityPrivate = "private"
|
||||
VisibilityInternal = "internal"
|
||||
)
|
||||
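Review bot: The three visibility constants added after `RepoPerforce` have no doc comment, although the rest of this commit uses them to decide read access. A comment on the block would make the intended meaning reviewable, for example `// VisibilityInternal: readable by any authenticated user; VisibilityPrivate: readable only through permissions resolved for the user`. That wording matches what the `SetPerm` change in this commit does with each value.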
|
|
|
@ -41,6 +41,7 @@ type RepoPatch struct {
|
|||
IsTrusted *bool `json:"trusted,omitempty"`
|
||||
IsGated *bool `json:"gated,omitempty"`
|
||||
Timeout *int64 `json:"timeout,omitempty"`
|
||||
Visibility *string `json:"visibility,omitempty"`
|
||||
AllowPull *bool `json:"allow_pr,omitempty"`
|
||||
AllowPush *bool `json:"allow_push,omitempty"`
|
||||
AllowDeploy *bool `json:"allow_deploy,omitempty"`
|
||||
|
|
|
@ -2,7 +2,6 @@ package session
|
|||
|
||||
import (
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"github.com/drone/drone/cache"
|
||||
"github.com/drone/drone/model"
|
||||
|
@ -79,7 +78,6 @@ func Perm(c *gin.Context) *model.Perm {
|
|||
}
|
||||
|
||||
func SetPerm() gin.HandlerFunc {
|
||||
PUBLIC_MODE := os.Getenv("PUBLIC_MODE")
|
||||
|
||||
return func(c *gin.Context) {
|
||||
user := User(c)
|
||||
|
@ -87,49 +85,24 @@ func SetPerm() gin.HandlerFunc {
|
|||
perm := &model.Perm{}
|
||||
|
||||
switch {
|
||||
// if the user is not authenticated, and the
|
||||
// repository is private, the user has NO permission
|
||||
// to view the repository.
|
||||
case user == nil && repo.IsPrivate == true:
|
||||
perm.Pull = false
|
||||
perm.Push = false
|
||||
perm.Admin = false
|
||||
|
||||
// if the user is not authenticated, but the repository
|
||||
// is public, the user has pull-rights only.
|
||||
case user == nil && repo.IsPrivate == false:
|
||||
perm.Pull = true
|
||||
perm.Push = false
|
||||
perm.Admin = false
|
||||
|
||||
case user.Admin:
|
||||
case user != nil && user.Admin:
|
||||
perm.Pull = true
|
||||
perm.Push = true
|
||||
perm.Admin = true
|
||||
|
||||
// otherwise if the user is authenticated we should
|
||||
// check the remote system to get the users permissiosn.
|
||||
default:
|
||||
case user != nil:
|
||||
var err error
|
||||
perm, err = cache.GetPerms(c, user, repo.Owner, repo.Name)
|
||||
if err != nil {
|
||||
perm.Pull = false
|
||||
perm.Push = false
|
||||
perm.Admin = false
|
||||
|
||||
// debug
|
||||
log.Errorf("Error fetching permission for %s %s",
|
||||
user.Login, repo.FullName)
|
||||
}
|
||||
// if we couldn't fetch permissions, but the repository
|
||||
// is public, we should grant the user pull access.
|
||||
if err != nil && repo.IsPrivate == false {
|
||||
perm.Pull = true
|
||||
}
|
||||
}
|
||||
|
||||
// all build logs are visible in public mode
|
||||
if PUBLIC_MODE != "" {
|
||||
switch {
|
||||
case repo.Visibility == model.VisibilityPublic:
|
||||
perm.Pull = true
|
||||
case repo.Visibility == model.VisibilityInternal && user != nil:
|
||||
perm.Pull = true
|
||||
}
|
||||
|
||||
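Review bot: The new visibility `switch` at the end of this hunk has no case for a repository whose `Visibility` is empty, which is presumably what rows stored before this commit hold unless a migration outside these five files backfills the column. Such a repository keeps only the permissions from the first `switch`, so a formerly public repository stops being readable by anonymous users; that fails closed, but it is a silent behaviour change. Either backfill the column or keep the old flag as a fallback, e.g. `case repo.Visibility == "" && !repo.IsPrivate:` followed by `perm.Pull = true`. The rendered hunk has lost its +/- markers, so it is unclear whether the `PUBLIC_MODE` condition still wraps this switch; `SetPerm` continues past the end of the hunk.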
|
|
|
@ -1,44 +1,9 @@
|
|||
package session
|
||||
|
||||
import (
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/drone/drone/model"
|
||||
"github.com/franela/goblin"
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
func TestSetPerm(t *testing.T) {
|
||||
g := goblin.Goblin(t)
|
||||
g.Describe("SetPerm", func() {
|
||||
g.BeforeEach(func() {
|
||||
os.Unsetenv("PUBLIC_MODE")
|
||||
})
|
||||
g.It("Should set pull to false (private repo, user not logged in)", func() {
|
||||
c := gin.Context{}
|
||||
c.Set("repo", &model.Repo{
|
||||
IsPrivate: true,
|
||||
})
|
||||
SetPerm()(&c)
|
||||
v, ok := c.Get("perm")
|
||||
g.Assert(ok).IsTrue("perm was not set")
|
||||
p, ok := v.(*model.Perm)
|
||||
g.Assert(ok).IsTrue("perm was the wrong type")
|
||||
g.Assert(p.Pull).IsFalse("pull should be false")
|
||||
})
|
||||
g.It("Should set pull to true (private repo, user not logged in, public mode)", func() {
|
||||
os.Setenv("PUBLIC_MODE", "true")
|
||||
c := gin.Context{}
|
||||
c.Set("repo", &model.Repo{
|
||||
IsPrivate: true,
|
||||
})
|
||||
SetPerm()(&c)
|
||||
v, ok := c.Get("perm")
|
||||
g.Assert(ok).IsTrue("perm was not set")
|
||||
p, ok := v.(*model.Perm)
|
||||
g.Assert(ok).IsTrue("perm was the wrong type")
|
||||
g.Assert(p.Pull).IsTrue("pull should be true")
|
||||
})
|
||||
})
|
||||
|
||||
}
|
||||
|
|
|
@ -55,11 +55,15 @@ func PostRepo(c *gin.Context) {
|
|||
r.UserID = user.ID
|
||||
r.AllowPush = true
|
||||
r.AllowPull = true
|
||||
r.Visibility = model.VisibilityPublic
|
||||
r.Config = ".drone.yml"
|
||||
r.Timeout = 60 // 1 hour default build time
|
||||
r.Hash = base32.StdEncoding.EncodeToString(
|
||||
securecookie.GenerateRandomKey(32),
|
||||
)
|
||||
if r.IsPrivate {
|
||||
r.Visibility = model.VisibilityPrivate
|
||||
}
|
||||
|
||||
// crates the jwt token used to verify the repository
|
||||
t := token.New(token.HookToken, r.FullName)
|
||||
|
@ -132,6 +136,19 @@ func PatchRepo(c *gin.Context) {
|
|||
if in.Config != nil {
|
||||
repo.Config = *in.Config
|
||||
}
|
||||
if in.Visibility != nil {
|
||||
switch *in.Visibility {
|
||||
case model.VisibilityInternal:
|
||||
repo.Visibility = model.VisibilityInternal
|
||||
case model.VisibilityPrivate:
|
||||
repo.Visibility = model.VisibilityPrivate
|
||||
case model.VisibilityPublic:
|
||||
repo.Visibility = model.VisibilityPublic
|
||||
default:
|
||||
c.String(400, "Invalid visibility type")
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
err := store.UpdateRepo(c, repo)
|
||||
if err != nil {
|
||||
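Review bot: The `Visibility` branch added to `PatchRepo` accepts `public` without looking at `repo.IsPrivate`, and no privilege check on this field is visible in the hunk. Because `SetPerm` in this commit grants pull access from `repo.Visibility`, changing the field is a permission change: whoever may patch a repository can make one that is private upstream readable without login. If an authorization check earlier in `PatchRepo` or in the routing (both outside this hunk) already limits this to repository admins, say so in a comment such as `// visibility drives read access in session.SetPerm; caller must be a repo admin`; otherwise add the check before the switch. `PostRepo` derives the initial value from `r.IsPrivate`, but nothing shown keeps the two in step afterwards.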
|
|