Hide 'New Project board' button for users that are not signed in (#12547)

* hide: 'New Project board' button * there is no reason to show the button for users that are not signed in * update template: specifies the condition together with another one as per lafriks' suggestion in the comment * chore: add proper user authorization check * chore: also hide button if repo is archived * chore: show project board edit/delete menu to authorized users only * chore: drop the redundant IsSigned check * CanWriteIssues and CanWritePulls implies (and requires) signed in user * Add CanWriteProjects and properly assert permissions Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2025-11-03 21:08:25 +00:00 · 2020-08-22 08:58:59 +02:00
parent a0484890c1
commit d4e35b9dc6
5 changed files with 110 additions and 104 deletions
--- a/routers/repo/projects.go
+++ b/routers/repo/projects.go
@@ -95,6 +95,7 @@ func Projects(ctx *context.Context) {
 	pager.AddParam(ctx, "state", "State")
 	ctx.Data["Page"] = pager
 	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.Data["IsShowClosed"] = isShowClosed
 	ctx.Data["IsProjectsPage"] = true
 	ctx.Data["SortType"] = sortType
@@ -106,16 +107,17 @@ func Projects(ctx *context.Context) {
 func NewProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 	ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
-
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.HTML(200, tplProjectsNew)
 }
-// NewRepoProjectPost creates a new project
+// NewProjectPost creates a new project
-func NewRepoProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
+func NewProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 	if ctx.HasError() {
 		ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 		ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
 		ctx.HTML(200, tplProjectsNew)
 		return
 	}
@@ -192,6 +194,7 @@ func EditProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
 	ctx.Data["PageIsProjects"] = true
 	ctx.Data["PageIsEditProjects"] = true
 	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	p, err := models.GetProjectByID(ctx.ParamsInt64(":id"))
 	if err != nil {
@@ -218,9 +221,10 @@ func EditProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
 	ctx.Data["PageIsProjects"] = true
 	ctx.Data["PageIsEditProjects"] = true
 	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	if ctx.HasError() {
-		ctx.HTML(200, tplMilestoneNew)
+		ctx.HTML(200, tplProjectsNew)
 		return
 	}
@@ -287,6 +291,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}
 	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.Data["Project"] = project
 	ctx.Data["Boards"] = allBoards
 	ctx.Data["PageIsProjects"] = true
@@ -551,6 +556,7 @@ func MoveIssueAcrossBoards(ctx *context.Context) {
 func CreateProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 	ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
 	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.HTML(200, tplGenericProjectsNew)
 }
@@ -566,6 +572,7 @@ func CreateProjectPost(ctx *context.Context, form auth.UserCreateProjectForm) {
 	ctx.Data["ContextUser"] = user
 	if ctx.HasError() {
 		ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 		ctx.HTML(200, tplGenericProjectsNew)
 		return
 	}
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -535,6 +535,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 	reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests)
 	reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests)
 	reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects)
 	reqRepoProjectsWriter := context.RequireRepoWriter(models.UnitTypeProjects)
 	// ***** START: Organization *****
 	m.Group("/org", func() {
@@ -858,10 +859,11 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Group("/projects", func() {
 			m.Get("", repo.Projects)
 			m.Get("/:id", repo.ViewProject)
 			m.Group("", func() {
 				m.Get("/new", repo.NewProject)
-			m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewRepoProjectPost)
+				m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewProjectPost)
 				m.Group("/:id", func() {
 				m.Get("", repo.ViewProject)
 					m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost)
 					m.Post("/delete", repo.DeleteProject)
@@ -876,6 +878,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 						m.Post("/:index", repo.MoveIssueAcrossBoards)
 					})
 				})
 			}, reqRepoProjectsWriter, context.RepoMustNotBeArchived())
 		}, reqRepoProjectsReader, repo.MustEnableProjects)
 		m.Group("/wiki", func() {
--- a/templates/repo/projects/list.tmpl
+++ b/templates/repo/projects/list.tmpl
@@ -4,7 +4,7 @@
 	<div class="ui container">
 		<div class="navbar">
 			{{template "repo/issue/navbar" .}}
-			{{if and (or .CanWriteIssues .CanWritePulls) (not .Repository.IsArchived)}}
+			{{if and .CanWriteProjects (not .Repository.IsArchived)}}
 				<div class="ui right">
 					<a class="ui green button" href="{{$.Link}}/new">{{.i18n.Tr "repo.projects.new"}}</a>
 				</div>
--- a/templates/repo/projects/new.tmpl
+++ b/templates/repo/projects/new.tmpl
@@ -4,7 +4,7 @@
 	<div class="ui container">
 		<div class="navbar">
 			{{template "repo/issue/navbar" .}}
-			{{if and (or .CanWriteIssues .CanWritePulls) .PageIsEditProject}}
+			{{if and .CanWriteProjects .PageIsEditProject}}
 			<div class="ui right floated secondary menu">
 				<a class="ui green button" href="{{$.RepoLink}}/projects/new">{{.i18n.Tr "repo.milestones.new"}}</a>
 			</div>
--- a/templates/repo/projects/view.tmpl
+++ b/templates/repo/projects/view.tmpl
@@ -10,10 +10,9 @@
 				{{template "repo/issue/search" .}}
 			</div>
 			<div class="column right aligned">
-				{{if .PageIsProjects}}
+				{{if and .CanWriteProjects (not .Repository.IsArchived) .PageIsProjects}}
 					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.i18n.Tr "new_project_board"}}</a>
 				{{end}}
 				<div class="ui small modal" id="new-board-item">
 					<div class="header">
 						{{$.i18n.Tr "repo.projects.board.new"}}
@@ -45,9 +44,7 @@
 			<div class="ui segment board-column">
 				<div class="board-column-header">
 					<div class="ui large label board-label">{{.Title}}</div>
-
+					{{if and $.CanWriteProjects (not $.Repository.IsArchived) $.PageIsProjects (ne .ID 0)}}
 					{{ if $.IsSigned }}
 					{{ if not (eq .ID 0) }}
 						<div class="ui dropdown jump item poping up right" data-variation="tiny inverted">
 							<span class="ui text">
 								<img class="ui tiny avatar image" width="24" height="24">
@@ -104,7 +101,6 @@
 							</div>
 						</div>
 					{{ end }}
 					{{ end }}
 				</div>
 				<div class="ui divider"></div>