Restricted users (#6274)

* Restricted users (#4334): initial implementation * Add User.IsRestricted & UI to edit it * Pass user object instead of user id to places where IsRestricted flag matters * Restricted users: maintain access rows for all referenced repos (incl public) * Take logged in user & IsRestricted flag into account in org/repo listings, searches and accesses * Add basic repo access tests for restricted users Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Mention restricted users in the faq Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert unnecessary change `.isUserPartOfOrg` -> `.IsUserPartOfOrg` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Remove unnecessary `org.IsOrganization()` call Signed-off-by: Manush Dodunekov <manush@stendahls.se> * Revert to an `int64` keyed `accessMap` * Add type `userAccess` * Add convenience func updateUserAccess() * Turn accessMap into a `map[int64]userAccess` Signed-off-by: Manush Dodunekov <manush@stendahls.se> * or even better: `map[int64]*userAccess` * updateUserAccess(): use tighter syntax as suggested by lafriks * even tighter * Avoid extra loop * Don't disclose limited orgs to unauthenticated users * Don't assume block only applies to orgs * Use an array of `VisibleType` for filtering * fix yet another thinko * Ok - no need for u * Revert "Ok - no need for u" This reverts commit 5c3e886aab. Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com> Co-authored-by: Lauris BH <lauris@nix.lv>
2025-07-23 02:38:35 +00:00 · 2020-01-13 19:33:46 +02:00
parent 0b3aaa6196
commit 1751d5fcf2
31 changed files with 310 additions and 124 deletions
--- a/models/org.go
+++ b/models/org.go
@@ -432,7 +432,7 @@ func hasOrgVisible(e Engine, org *User, user *User) bool {
 		return true
 	}

-	if org.Visibility == structs.VisibleTypePrivate && !org.isUserPartOfOrg(e, user.ID) {
+	if (org.Visibility == structs.VisibleTypePrivate || user.IsRestricted) && !org.isUserPartOfOrg(e, user.ID) {
 		return false
 	}
 	return true
@@ -735,7 +735,7 @@ type AccessibleReposEnvironment interface {

 type accessibleReposEnv struct {
 	org     *User
-	userID  int64
+	user    *User
 	teamIDs []int64
 	e       Engine
 	keyword string
@@ -749,13 +749,23 @@ func (org *User) AccessibleReposEnv(userID int64) (AccessibleReposEnvironment, e
 }

 func (org *User) accessibleReposEnv(e Engine, userID int64) (AccessibleReposEnvironment, error) {
+	var user *User
+
+	if userID > 0 {
+		u, err := getUserByID(e, userID)
+		if err != nil {
+			return nil, err
+		}
+		user = u
+	}
+
 	teamIDs, err := org.getUserTeamIDs(e, userID)
 	if err != nil {
 		return nil, err
 	}
 	return &accessibleReposEnv{
 		org:     org,
-		userID:  userID,
+		user:    user,
 		teamIDs: teamIDs,
 		e:       e,
 		orderBy: SearchOrderByRecentUpdated,
@@ -763,9 +773,12 @@ func (org *User) accessibleReposEnv(e Engine, userID int64) (AccessibleReposEnvi
 }

 func (env *accessibleReposEnv) cond() builder.Cond {
-	var cond builder.Cond = builder.Eq{
-		"`repository`.owner_id":   env.org.ID,
-		"`repository`.is_private": false,
+	var cond = builder.NewCond()
+	if env.user == nil || !env.user.IsRestricted {
+		cond = cond.Or(builder.Eq{
+			"`repository`.owner_id":   env.org.ID,
+			"`repository`.is_private": false,
+		})
 	}
 	if len(env.teamIDs) > 0 {
 		cond = cond.Or(builder.In("team_repo.team_id", env.teamIDs))