// Copyright 2018 The Gitea Authors. All rights reserved. // Copyright 2016 The Gogs Authors. All rights reserved. // SPDX-License-Identifier: MIT package models import ( "context" "fmt" "strings" "code.gitea.io/gitea/models/db" git_model "code.gitea.io/gitea/models/git" issues_model "code.gitea.io/gitea/models/issues" "code.gitea.io/gitea/models/organization" access_model "code.gitea.io/gitea/models/perm/access" repo_model "code.gitea.io/gitea/models/repo" user_model "code.gitea.io/gitea/models/user" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" "xorm.io/builder" ) func AddRepository(ctx context.Context, t *organization.Team, repo *repo_model.Repository) (err error) { if err = organization.AddTeamRepo(ctx, t.OrgID, t.ID, repo.ID); err != nil { return err } if err = organization.IncrTeamRepoNum(ctx, t.ID); err != nil { return fmt.Errorf("update team: %w", err) } t.NumRepos++ if err = access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil { return fmt.Errorf("recalculateAccesses: %w", err) } // Make all team members watch this repo if enabled in global settings if setting.Service.AutoWatchNewRepos { if err = t.LoadMembers(ctx); err != nil { return fmt.Errorf("getMembers: %w", err) } for _, u := range t.Members { if err = repo_model.WatchRepo(ctx, u, repo, true); err != nil { return fmt.Errorf("watchRepo: %w", err) } } } return nil } // addAllRepositories adds all repositories to the team. // If the team already has some repositories they will be left unchanged. func addAllRepositories(ctx context.Context, t *organization.Team) error { orgRepos, err := organization.GetOrgRepositories(ctx, t.OrgID) if err != nil { return fmt.Errorf("get org repos: %w", err) } for _, repo := range orgRepos { if !organization.HasTeamRepo(ctx, t.OrgID, t.ID, repo.ID) { if err := AddRepository(ctx, t, repo); err != nil { return fmt.Errorf("AddRepository: %w", err) } } } return nil } // AddAllRepositories adds all repositories to the team func AddAllRepositories(ctx context.Context, t *organization.Team) (err error) { ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() if err = addAllRepositories(ctx, t); err != nil { return err } return committer.Commit() } // RemoveAllRepositories removes all repositories from team and recalculates access func RemoveAllRepositories(ctx context.Context, t *organization.Team) (err error) { if t.IncludesAllRepositories { return nil } ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() if err = removeAllRepositories(ctx, t); err != nil { return err } return committer.Commit() } // removeAllRepositories removes all repositories from team and recalculates access // Note: Shall not be called if team includes all repositories func removeAllRepositories(ctx context.Context, t *organization.Team) (err error) { e := db.GetEngine(ctx) // Delete all accesses. for _, repo := range t.Repos { if err := access_model.RecalculateTeamAccesses(ctx, repo, t.ID); err != nil { return err } // Remove watches from all users and now unaccessible repos for _, user := range t.Members { has, err := access_model.HasAnyUnitAccess(ctx, user.ID, repo) if err != nil { return err } else if has { continue } if err = repo_model.WatchRepo(ctx, user, repo, false); err != nil { return err } // Remove all IssueWatches a user has subscribed to in the repositories if err = issues_model.RemoveIssueWatchersByRepoID(ctx, user.ID, repo.ID); err != nil { return err } } } // Delete team-repo if _, err := e. Where("team_id=?", t.ID). Delete(new(organization.TeamRepo)); err != nil { return err } t.NumRepos = 0 if _, err = e.ID(t.ID).Cols("num_repos").Update(t); err != nil { return err } return nil } // NewTeam creates a record of new team. // It's caller's responsibility to assign organization ID. func NewTeam(ctx context.Context, t *organization.Team) (err error) { if len(t.Name) == 0 { return util.NewInvalidArgumentErrorf("empty team name") } if err = organization.IsUsableTeamName(t.Name); err != nil { return err } has, err := db.ExistByID[user_model.User](ctx, t.OrgID) if err != nil { return err } if !has { return organization.ErrOrgNotExist{ID: t.OrgID} } t.LowerName = strings.ToLower(t.Name) has, err = db.Exist[organization.Team](ctx, builder.Eq{ "org_id": t.OrgID, "lower_name": t.LowerName, }) if err != nil { return err } if has { return organization.ErrTeamAlreadyExist{OrgID: t.OrgID, Name: t.LowerName} } ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() if err = db.Insert(ctx, t); err != nil { return err } // insert units for team if len(t.Units) > 0 { for _, unit := range t.Units { unit.TeamID = t.ID } if err = db.Insert(ctx, &t.Units); err != nil { return err } } // Add all repositories to the team if it has access to all of them. if t.IncludesAllRepositories { err = addAllRepositories(ctx, t) if err != nil { return fmt.Errorf("addAllRepositories: %w", err) } } // Update organization number of teams. if _, err = db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams+1 WHERE id = ?", t.OrgID); err != nil { return err } return committer.Commit() } // UpdateTeam updates information of team. func UpdateTeam(ctx context.Context, t *organization.Team, authChanged, includeAllChanged bool) (err error) { if len(t.Name) == 0 { return util.NewInvalidArgumentErrorf("empty team name") } if len(t.Description) > 255 { t.Description = t.Description[:255] } ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() t.LowerName = strings.ToLower(t.Name) has, err := db.Exist[organization.Team](ctx, builder.Eq{ "org_id": t.OrgID, "lower_name": t.LowerName, }.And(builder.Neq{"id": t.ID}), ) if err != nil { return err } else if has { return organization.ErrTeamAlreadyExist{OrgID: t.OrgID, Name: t.LowerName} } sess := db.GetEngine(ctx) if _, err = sess.ID(t.ID).Cols("name", "lower_name", "description", "can_create_org_repo", "authorize", "includes_all_repositories").Update(t); err != nil { return fmt.Errorf("update: %w", err) } // update units for team if len(t.Units) > 0 { for _, unit := range t.Units { unit.TeamID = t.ID } // Delete team-unit. if _, err := sess. Where("team_id=?", t.ID). Delete(new(organization.TeamUnit)); err != nil { return err } if _, err = sess.Cols("org_id", "team_id", "type", "access_mode").Insert(&t.Units); err != nil { return err } } // Update access for team members if needed. if authChanged { if err = t.LoadRepositories(ctx); err != nil { return fmt.Errorf("LoadRepositories: %w", err) } for _, repo := range t.Repos { if err = access_model.RecalculateTeamAccesses(ctx, repo, 0); err != nil { return fmt.Errorf("recalculateTeamAccesses: %w", err) } } } // Add all repositories to the team if it has access to all of them. if includeAllChanged && t.IncludesAllRepositories { err = addAllRepositories(ctx, t) if err != nil { return fmt.Errorf("addAllRepositories: %w", err) } } return committer.Commit() } // DeleteTeam deletes given team. // It's caller's responsibility to assign organization ID. func DeleteTeam(ctx context.Context, t *organization.Team) error { ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() if err := t.LoadRepositories(ctx); err != nil { return err } if err := t.LoadMembers(ctx); err != nil { return err } // update branch protections { protections := make([]*git_model.ProtectedBranch, 0, 10) err := db.GetEngine(ctx).In("repo_id", builder.Select("id").From("repository").Where(builder.Eq{"owner_id": t.OrgID})). Find(&protections) if err != nil { return fmt.Errorf("findProtectedBranches: %w", err) } for _, p := range protections { if err := git_model.RemoveTeamIDFromProtectedBranch(ctx, p, t.ID); err != nil { return err } } } if !t.IncludesAllRepositories { if err := removeAllRepositories(ctx, t); err != nil { return err } } if err := db.DeleteBeans(ctx, &organization.Team{ID: t.ID}, &organization.TeamUser{OrgID: t.OrgID, TeamID: t.ID}, &organization.TeamUnit{TeamID: t.ID}, &organization.TeamInvite{TeamID: t.ID}, &issues_model.Review{Type: issues_model.ReviewTypeRequest, ReviewerTeamID: t.ID}, // batch delete the binding relationship between team and PR (request review from team) ); err != nil { return err } for _, tm := range t.Members { if err := removeInvalidOrgUser(ctx, t.OrgID, tm); err != nil { return err } } // Update organization number of teams. if _, err := db.Exec(ctx, "UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID); err != nil { return err } return committer.Commit() } // AddTeamMember adds new membership of given team to given organization, // the user will have membership to given organization automatically when needed. func AddTeamMember(ctx context.Context, team *organization.Team, user *user_model.User) error { if user_model.IsUserBlockedBy(ctx, user, team.OrgID) { return user_model.ErrBlockedUser } isAlreadyMember, err := organization.IsTeamMember(ctx, team.OrgID, team.ID, user.ID) if err != nil || isAlreadyMember { return err } if err := organization.AddOrgUser(ctx, team.OrgID, user.ID); err != nil { return err } err = db.WithTx(ctx, func(ctx context.Context) error { // check in transaction isAlreadyMember, err = organization.IsTeamMember(ctx, team.OrgID, team.ID, user.ID) if err != nil || isAlreadyMember { return err } sess := db.GetEngine(ctx) if err := db.Insert(ctx, &organization.TeamUser{ UID: user.ID, OrgID: team.OrgID, TeamID: team.ID, }); err != nil { return err } else if _, err := sess.Incr("num_members").ID(team.ID).Update(new(organization.Team)); err != nil { return err } team.NumMembers++ // Give access to team repositories. // update exist access if mode become bigger subQuery := builder.Select("repo_id").From("team_repo"). Where(builder.Eq{"team_id": team.ID}) if _, err := sess.Where("user_id=?", user.ID). In("repo_id", subQuery). And("mode < ?", team.AccessMode). SetExpr("mode", team.AccessMode). Update(new(access_model.Access)); err != nil { return fmt.Errorf("update user accesses: %w", err) } // for not exist access var repoIDs []int64 accessSubQuery := builder.Select("repo_id").From("access").Where(builder.Eq{"user_id": user.ID}) if err := sess.SQL(subQuery.And(builder.NotIn("repo_id", accessSubQuery))).Find(&repoIDs); err != nil { return fmt.Errorf("select id accesses: %w", err) } accesses := make([]*access_model.Access, 0, 100) for i, repoID := range repoIDs { accesses = append(accesses, &access_model.Access{RepoID: repoID, UserID: user.ID, Mode: team.AccessMode}) if (i%100 == 0 || i == len(repoIDs)-1) && len(accesses) > 0 { if err = db.Insert(ctx, accesses); err != nil { return fmt.Errorf("insert new user accesses: %w", err) } accesses = accesses[:0] } } return nil }) if err != nil { return err } // this behaviour may spend much time so run it in a goroutine // FIXME: Update watch repos batchly if setting.Service.AutoWatchNewRepos { // Get team and its repositories. if err := team.LoadRepositories(ctx); err != nil { log.Error("team.LoadRepositories failed: %v", err) } // FIXME: in the goroutine, it can't access the "ctx", it could only use db.DefaultContext at the moment go func(repos []*repo_model.Repository) { for _, repo := range repos { if err = repo_model.WatchRepo(db.DefaultContext, user, repo, true); err != nil { log.Error("watch repo failed: %v", err) } } }(team.Repos) } return nil } func removeTeamMember(ctx context.Context, team *organization.Team, user *user_model.User) error { e := db.GetEngine(ctx) isMember, err := organization.IsTeamMember(ctx, team.OrgID, team.ID, user.ID) if err != nil || !isMember { return err } // Check if the user to delete is the last member in owner team. if team.IsOwnerTeam() && team.NumMembers == 1 { return organization.ErrLastOrgOwner{UID: user.ID} } team.NumMembers-- if err := team.LoadRepositories(ctx); err != nil { return err } if _, err := e.Delete(&organization.TeamUser{ UID: user.ID, OrgID: team.OrgID, TeamID: team.ID, }); err != nil { return err } else if _, err = e. ID(team.ID). Cols("num_members"). Update(team); err != nil { return err } // Delete access to team repositories. for _, repo := range team.Repos { if err := access_model.RecalculateUserAccess(ctx, repo, user.ID); err != nil { return err } // Remove watches from now unaccessible if err := ReconsiderWatches(ctx, repo, user); err != nil { return err } // Remove issue assignments from now unaccessible if err := ReconsiderRepoIssuesAssignee(ctx, repo, user); err != nil { return err } } return removeInvalidOrgUser(ctx, team.OrgID, user) } func removeInvalidOrgUser(ctx context.Context, orgID int64, user *user_model.User) error { // Check if the user is a member of any team in the organization. if count, err := db.GetEngine(ctx).Count(&organization.TeamUser{ UID: user.ID, OrgID: orgID, }); err != nil { return err } else if count == 0 { org, err := organization.GetOrgByID(ctx, orgID) if err != nil { return err } return RemoveOrgUser(ctx, org, user) } return nil } // RemoveTeamMember removes member from given team of given organization. func RemoveTeamMember(ctx context.Context, team *organization.Team, user *user_model.User) error { ctx, committer, err := db.TxContext(ctx) if err != nil { return err } defer committer.Close() if err := removeTeamMember(ctx, team, user); err != nil { return err } return committer.Commit() } func ReconsiderRepoIssuesAssignee(ctx context.Context, repo *repo_model.Repository, user *user_model.User) error { if canAssigned, err := access_model.CanBeAssigned(ctx, user, repo, true); err != nil || canAssigned { return err } if _, err := db.GetEngine(ctx).Where(builder.Eq{"assignee_id": user.ID}). In("issue_id", builder.Select("id").From("issue").Where(builder.Eq{"repo_id": repo.ID})). Delete(&issues_model.IssueAssignees{}); err != nil { return fmt.Errorf("Could not delete assignee[%d] %w", user.ID, err) } return nil } func ReconsiderWatches(ctx context.Context, repo *repo_model.Repository, user *user_model.User) error { if has, err := access_model.HasAnyUnitAccess(ctx, user.ID, repo); err != nil || has { return err } if err := repo_model.WatchRepo(ctx, user, repo, false); err != nil { return err } // Remove all IssueWatches a user has subscribed to in the repository return issues_model.RemoveIssueWatchersByRepoID(ctx, user.ID, repo.ID) }