mirror of
https://github.com/go-gitea/gitea
synced 2025-07-22 18:28:37 +00:00
Add anonymous access support for private/unlisted repositories (#34051)
Follow #33127 Fix #8649, fix #639 This is a complete solution. A repo unit could be set to: * Anonymous read (non-signed-in user) * Everyone read (signed-in user) * Everyone write (wiki-only)
This commit is contained in:
wxiaoguang
GitHub
155
routers/web/repo/setting/public_access.go
Normal file
155
routers/web/repo/setting/public_access.go
Normal file
@@ -0,0 +1,155 @@
|
||||
// Copyright 2025 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package setting
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"slices"
|
||||
"strconv"
|
||||
|
||||
"code.gitea.io/gitea/models/perm"
|
||||
"code.gitea.io/gitea/models/repo"
|
||||
"code.gitea.io/gitea/models/unit"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
"code.gitea.io/gitea/modules/templates"
|
||||
"code.gitea.io/gitea/services/context"
|
||||
)
|
||||
|
||||
const tplRepoSettingsPublicAccess templates.TplName = "repo/settings/public_access"
|
||||
|
||||
func parsePublicAccessMode(permission string, allowed []string) (ret struct {
|
||||
AnonymousAccessMode, EveryoneAccessMode perm.AccessMode
|
||||
},
|
||||
) {
|
||||
ret.AnonymousAccessMode = perm.AccessModeNone
|
||||
ret.EveryoneAccessMode = perm.AccessModeNone
|
||||
|
||||
// if site admin forces repositories to be private, then do not allow any other access mode,
|
||||
// otherwise the "force private" setting would be bypassed
|
||||
if setting.Repository.ForcePrivate {
|
||||
return ret
|
||||
}
|
||||
if !slices.Contains(allowed, permission) {
|
||||
return ret
|
||||
}
|
||||
switch permission {
|
||||
case paAnonymousRead:
|
||||
ret.AnonymousAccessMode = perm.AccessModeRead
|
||||
case paEveryoneRead:
|
||||
ret.EveryoneAccessMode = perm.AccessModeRead
|
||||
case paEveryoneWrite:
|
||||
ret.EveryoneAccessMode = perm.AccessModeWrite
|
||||
}
|
||||
return ret
|
||||
}
|
||||
|
||||
const (
|
||||
paNotSet = "not-set"
|
||||
paAnonymousRead = "anonymous-read"
|
||||
paEveryoneRead = "everyone-read"
|
||||
paEveryoneWrite = "everyone-write"
|
||||
)
|
||||
|
||||
type repoUnitPublicAccess struct {
|
||||
UnitType unit.Type
|
||||
FormKey string
|
||||
DisplayName string
|
||||
PublicAccessTypes []string
|
||||
UnitPublicAccess string
|
||||
}
|
||||
|
||||
func repoUnitPublicAccesses(ctx *context.Context) []*repoUnitPublicAccess {
|
||||
accesses := []*repoUnitPublicAccess{
|
||||
{
|
||||
UnitType: unit.TypeCode,
|
||||
DisplayName: ctx.Locale.TrString("repo.code"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypeIssues,
|
||||
DisplayName: ctx.Locale.TrString("issues"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypePullRequests,
|
||||
DisplayName: ctx.Locale.TrString("pull_requests"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypeReleases,
|
||||
DisplayName: ctx.Locale.TrString("repo.releases"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypeWiki,
|
||||
DisplayName: ctx.Locale.TrString("repo.wiki"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead, paEveryoneWrite},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypeProjects,
|
||||
DisplayName: ctx.Locale.TrString("repo.projects"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypePackages,
|
||||
DisplayName: ctx.Locale.TrString("repo.packages"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
{
|
||||
UnitType: unit.TypeActions,
|
||||
DisplayName: ctx.Locale.TrString("repo.actions"),
|
||||
PublicAccessTypes: []string{paAnonymousRead, paEveryoneRead},
|
||||
},
|
||||
}
|
||||
for _, ua := range accesses {
|
||||
ua.FormKey = "repo-unit-access-" + strconv.Itoa(int(ua.UnitType))
|
||||
for _, u := range ctx.Repo.Repository.Units {
|
||||
if u.Type == ua.UnitType {
|
||||
ua.UnitPublicAccess = paNotSet
|
||||
switch {
|
||||
case u.EveryoneAccessMode == perm.AccessModeWrite:
|
||||
ua.UnitPublicAccess = paEveryoneWrite
|
||||
case u.EveryoneAccessMode == perm.AccessModeRead:
|
||||
ua.UnitPublicAccess = paEveryoneRead
|
||||
case u.AnonymousAccessMode == perm.AccessModeRead:
|
||||
ua.UnitPublicAccess = paAnonymousRead
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
return slices.DeleteFunc(accesses, func(ua *repoUnitPublicAccess) bool {
|
||||
return ua.UnitPublicAccess == ""
|
||||
})
|
||||
}
|
||||
|
||||
func PublicAccess(ctx *context.Context) {
|
||||
ctx.Data["PageIsSettingsPublicAccess"] = true
|
||||
ctx.Data["RepoUnitPublicAccesses"] = repoUnitPublicAccesses(ctx)
|
||||
ctx.Data["GlobalForcePrivate"] = setting.Repository.ForcePrivate
|
||||
if setting.Repository.ForcePrivate {
|
||||
ctx.Flash.Error(ctx.Tr("form.repository_force_private"), true)
|
||||
}
|
||||
ctx.HTML(http.StatusOK, tplRepoSettingsPublicAccess)
|
||||
}
|
||||
|
||||
func PublicAccessPost(ctx *context.Context) {
|
||||
accesses := repoUnitPublicAccesses(ctx)
|
||||
for _, ua := range accesses {
|
||||
formVal := ctx.FormString(ua.FormKey)
|
||||
parsed := parsePublicAccessMode(formVal, ua.PublicAccessTypes)
|
||||
err := repo.UpdateRepoUnitPublicAccess(ctx, &repo.RepoUnit{
|
||||
RepoID: ctx.Repo.Repository.ID,
|
||||
Type: ua.UnitType,
|
||||
AnonymousAccessMode: parsed.AnonymousAccessMode,
|
||||
EveryoneAccessMode: parsed.EveryoneAccessMode,
|
||||
})
|
||||
if err != nil {
|
||||
ctx.ServerError("UpdateRepoUnitPublicAccess", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))
|
||||
ctx.Redirect(ctx.Repo.Repository.Link() + "/settings/public_access")
|
||||
}
|
||||
@@ -13,7 +13,6 @@ import (
|
||||
|
||||
"code.gitea.io/gitea/models/db"
|
||||
"code.gitea.io/gitea/models/organization"
|
||||
"code.gitea.io/gitea/models/perm"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
unit_model "code.gitea.io/gitea/models/unit"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
@@ -37,6 +36,8 @@ import (
|
||||
mirror_service "code.gitea.io/gitea/services/mirror"
|
||||
repo_service "code.gitea.io/gitea/services/repository"
|
||||
wiki_service "code.gitea.io/gitea/services/wiki"
|
||||
|
||||
"xorm.io/xorm/convert"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -48,15 +49,6 @@ const (
|
||||
tplDeployKeys templates.TplName = "repo/settings/deploy_keys"
|
||||
)
|
||||
|
||||
func parseEveryoneAccessMode(permission string, allowed ...perm.AccessMode) perm.AccessMode {
|
||||
// if site admin forces repositories to be private, then do not allow any other access mode,
|
||||
// otherwise the "force private" setting would be bypassed
|
||||
if setting.Repository.ForcePrivate {
|
||||
return perm.AccessModeNone
|
||||
}
|
||||
return perm.ParseAccessMode(permission, allowed...)
|
||||
}
|
||||
|
||||
// SettingsCtxData is a middleware that sets all the general context data for the
|
||||
// settings template.
|
||||
func SettingsCtxData(ctx *context.Context) {
|
||||
@@ -504,6 +496,17 @@ func handleSettingsPostPushMirrorAdd(ctx *context.Context) {
|
||||
ctx.Redirect(repo.Link() + "/settings")
|
||||
}
|
||||
|
||||
func newRepoUnit(repo *repo_model.Repository, unitType unit_model.Type, config convert.Conversion) repo_model.RepoUnit {
|
||||
repoUnit := repo_model.RepoUnit{RepoID: repo.ID, Type: unitType, Config: config}
|
||||
for _, u := range repo.Units {
|
||||
if u.Type == unitType {
|
||||
repoUnit.EveryoneAccessMode = u.EveryoneAccessMode
|
||||
repoUnit.AnonymousAccessMode = u.AnonymousAccessMode
|
||||
}
|
||||
}
|
||||
return repoUnit
|
||||
}
|
||||
|
||||
func handleSettingsPostAdvanced(ctx *context.Context) {
|
||||
form := web.GetForm(ctx).(*forms.RepoSettingForm)
|
||||
repo := ctx.Repo.Repository
|
||||
@@ -521,11 +524,7 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
|
||||
}
|
||||
|
||||
if form.EnableCode && !unit_model.TypeCode.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeCode,
|
||||
EveryoneAccessMode: parseEveryoneAccessMode(form.DefaultCodeEveryoneAccess, perm.AccessModeNone, perm.AccessModeRead),
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeCode, nil))
|
||||
} else if !unit_model.TypeCode.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeCode)
|
||||
}
|
||||
@@ -537,21 +536,12 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeExternalWiki,
|
||||
Config: &repo_model.ExternalWikiConfig{
|
||||
ExternalWikiURL: form.ExternalWikiURL,
|
||||
},
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeExternalWiki, &repo_model.ExternalWikiConfig{
|
||||
ExternalWikiURL: form.ExternalWikiURL,
|
||||
}))
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeWiki)
|
||||
} else if form.EnableWiki && !form.EnableExternalWiki && !unit_model.TypeWiki.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeWiki,
|
||||
Config: new(repo_model.UnitConfig),
|
||||
EveryoneAccessMode: parseEveryoneAccessMode(form.DefaultWikiEveryoneAccess, perm.AccessModeNone, perm.AccessModeRead, perm.AccessModeWrite),
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeWiki, new(repo_model.UnitConfig)))
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalWiki)
|
||||
} else {
|
||||
if !unit_model.TypeExternalWiki.UnitGlobalDisabled() {
|
||||
@@ -580,28 +570,19 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
|
||||
ctx.Redirect(repo.Link() + "/settings")
|
||||
return
|
||||
}
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeExternalTracker,
|
||||
Config: &repo_model.ExternalTrackerConfig{
|
||||
ExternalTrackerURL: form.ExternalTrackerURL,
|
||||
ExternalTrackerFormat: form.TrackerURLFormat,
|
||||
ExternalTrackerStyle: form.TrackerIssueStyle,
|
||||
ExternalTrackerRegexpPattern: form.ExternalTrackerRegexpPattern,
|
||||
},
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeExternalTracker, &repo_model.ExternalTrackerConfig{
|
||||
ExternalTrackerURL: form.ExternalTrackerURL,
|
||||
ExternalTrackerFormat: form.TrackerURLFormat,
|
||||
ExternalTrackerStyle: form.TrackerIssueStyle,
|
||||
ExternalTrackerRegexpPattern: form.ExternalTrackerRegexpPattern,
|
||||
}))
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeIssues)
|
||||
} else if form.EnableIssues && !form.EnableExternalTracker && !unit_model.TypeIssues.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeIssues,
|
||||
Config: &repo_model.IssuesConfig{
|
||||
EnableTimetracker: form.EnableTimetracker,
|
||||
AllowOnlyContributorsToTrackTime: form.AllowOnlyContributorsToTrackTime,
|
||||
EnableDependencies: form.EnableIssueDependencies,
|
||||
},
|
||||
EveryoneAccessMode: parseEveryoneAccessMode(form.DefaultIssuesEveryoneAccess, perm.AccessModeNone, perm.AccessModeRead),
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeIssues, &repo_model.IssuesConfig{
|
||||
EnableTimetracker: form.EnableTimetracker,
|
||||
AllowOnlyContributorsToTrackTime: form.AllowOnlyContributorsToTrackTime,
|
||||
EnableDependencies: form.EnableIssueDependencies,
|
||||
}))
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeExternalTracker)
|
||||
} else {
|
||||
if !unit_model.TypeExternalTracker.UnitGlobalDisabled() {
|
||||
@@ -613,63 +594,46 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
|
||||
}
|
||||
|
||||
if form.EnableProjects && !unit_model.TypeProjects.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeProjects,
|
||||
Config: &repo_model.ProjectsConfig{
|
||||
ProjectsMode: repo_model.ProjectsMode(form.ProjectsMode),
|
||||
},
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeProjects, &repo_model.ProjectsConfig{
|
||||
ProjectsMode: repo_model.ProjectsMode(form.ProjectsMode),
|
||||
}))
|
||||
} else if !unit_model.TypeProjects.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeProjects)
|
||||
}
|
||||
|
||||
if form.EnableReleases && !unit_model.TypeReleases.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeReleases,
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeReleases, nil))
|
||||
} else if !unit_model.TypeReleases.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeReleases)
|
||||
}
|
||||
|
||||
if form.EnablePackages && !unit_model.TypePackages.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypePackages,
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypePackages, nil))
|
||||
} else if !unit_model.TypePackages.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypePackages)
|
||||
}
|
||||
|
||||
if form.EnableActions && !unit_model.TypeActions.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypeActions,
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypeActions, nil))
|
||||
} else if !unit_model.TypeActions.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypeActions)
|
||||
}
|
||||
|
||||
if form.EnablePulls && !unit_model.TypePullRequests.UnitGlobalDisabled() {
|
||||
units = append(units, repo_model.RepoUnit{
|
||||
RepoID: repo.ID,
|
||||
Type: unit_model.TypePullRequests,
|
||||
Config: &repo_model.PullRequestsConfig{
|
||||
IgnoreWhitespaceConflicts: form.PullsIgnoreWhitespace,
|
||||
AllowMerge: form.PullsAllowMerge,
|
||||
AllowRebase: form.PullsAllowRebase,
|
||||
AllowRebaseMerge: form.PullsAllowRebaseMerge,
|
||||
AllowSquash: form.PullsAllowSquash,
|
||||
AllowFastForwardOnly: form.PullsAllowFastForwardOnly,
|
||||
AllowManualMerge: form.PullsAllowManualMerge,
|
||||
AutodetectManualMerge: form.EnableAutodetectManualMerge,
|
||||
AllowRebaseUpdate: form.PullsAllowRebaseUpdate,
|
||||
DefaultDeleteBranchAfterMerge: form.DefaultDeleteBranchAfterMerge,
|
||||
DefaultMergeStyle: repo_model.MergeStyle(form.PullsDefaultMergeStyle),
|
||||
DefaultAllowMaintainerEdit: form.DefaultAllowMaintainerEdit,
|
||||
},
|
||||
})
|
||||
units = append(units, newRepoUnit(repo, unit_model.TypePullRequests, &repo_model.PullRequestsConfig{
|
||||
IgnoreWhitespaceConflicts: form.PullsIgnoreWhitespace,
|
||||
AllowMerge: form.PullsAllowMerge,
|
||||
AllowRebase: form.PullsAllowRebase,
|
||||
AllowRebaseMerge: form.PullsAllowRebaseMerge,
|
||||
AllowSquash: form.PullsAllowSquash,
|
||||
AllowFastForwardOnly: form.PullsAllowFastForwardOnly,
|
||||
AllowManualMerge: form.PullsAllowManualMerge,
|
||||
AutodetectManualMerge: form.EnableAutodetectManualMerge,
|
||||
AllowRebaseUpdate: form.PullsAllowRebaseUpdate,
|
||||
DefaultDeleteBranchAfterMerge: form.DefaultDeleteBranchAfterMerge,
|
||||
DefaultMergeStyle: repo_model.MergeStyle(form.PullsDefaultMergeStyle),
|
||||
DefaultAllowMaintainerEdit: form.DefaultAllowMaintainerEdit,
|
||||
}))
|
||||
} else if !unit_model.TypePullRequests.UnitGlobalDisabled() {
|
||||
deleteUnitTypes = append(deleteUnitTypes, unit_model.TypePullRequests)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user