From b1cbe65985b0de3328a8a09af5e3c4f0e236d42e Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Tue, 23 May 2017 00:44:58 +0200
Subject: [PATCH] use visibility to alter permissions
---
 model/const.go | 6 ++++
 model/repo.go | 1 +
 router/middleware/session/repo.go | 39 ++++----------------------
 router/middleware/session/repo_test.go | 37 +----------------------
 server/repo.go | 17 +++++++++++
 5 files changed, 31 insertions(+), 69 deletions(-)
diff --git a/model/const.go b/model/const.go
index dfc2f3086..2cfd2e994 100644
--- a/model/const.go
+++ b/model/const.go
@@ -25,3 +25,9 @@ const (
 RepoFossil = "fossil"
 RepoPerforce = "perforce"
 )
+
+const (
+ VisibilityPublic = "public"
+ VisibilityPrivate = "private"
+ VisibilityInternal = "internal"
+)
diff --git a/model/repo.go b/model/repo.go
index 81a81e74e..cab0c02e1 100644
--- a/model/repo.go
+++ b/model/repo.go
@@ -41,6 +41,7 @@ type RepoPatch struct {
 IsTrusted *bool `json:"trusted,omitempty"`
 IsGated *bool `json:"gated,omitempty"`
 Timeout *int64 `json:"timeout,omitempty"`
+ Visibility *string `json:"visibility,omitempty"`
 AllowPull *bool `json:"allow_pr,omitempty"`
 AllowPush *bool `json:"allow_push,omitempty"`
 AllowDeploy *bool `json:"allow_deploy,omitempty"`
diff --git a/router/middleware/session/repo.go b/router/middleware/session/repo.go
index d687ccce8..24c6d5790 100644
--- a/router/middleware/session/repo.go
+++ b/router/middleware/session/repo.go
@@ -2,7 +2,6 @@ package session
 import (
 "net/http"
- "os"
 "github.com/drone/drone/cache"
 "github.com/drone/drone/model"
@@ -79,7 +78,6 @@ func Perm(c *gin.Context) *model.Perm {
 }
 func SetPerm() gin.HandlerFunc {
- PUBLIC_MODE := os.Getenv("PUBLIC_MODE")
 return func(c *gin.Context) {
 user := User(c)
@@ -87,49 +85,24 @@ func SetPerm() gin.HandlerFunc {
 perm := &model.Perm{}
 switch {
- // if the user is not authenticated, and the
- // repository is private, the user has NO permission
- // to view the repository.
- case user == nil && repo.IsPrivate == true:
- perm.Pull = false
- perm.Push = false
- perm.Admin = false
-
- // if the user is not authenticated, but the repository
- // is public, the user has pull-rights only.
- case user == nil && repo.IsPrivate == false:
- perm.Pull = true
- perm.Push = false
- perm.Admin = false
-
- case user.Admin:
+ case user != nil && user.Admin:
 perm.Pull = true
 perm.Push = true
 perm.Admin = true
- // otherwise if the user is authenticated we should
- // check the remote system to get the users permissiosn.
- default:
+ case user != nil:
 var err error
 perm, err = cache.GetPerms(c, user, repo.Owner, repo.Name)
 if err != nil {
- perm.Pull = false
- perm.Push = false
- perm.Admin = false
-
- // debug
 log.Errorf("Error fetching permission for %s %s", user.Login, repo.FullName)
 }
- // if we couldn't fetch permissions, but the repository
- // is public, we should grant the user pull access.
- if err != nil && repo.IsPrivate == false {
- perm.Pull = true
- }
 }
- // all build logs are visible in public mode
- if PUBLIC_MODE != "" {
+ switch {
+ case repo.Visibility == model.VisibilityPublic:
+ perm.Pull = true
+ case repo.Visibility == model.VisibilityInternal && user != nil:
 perm.Pull = true
 }
diff --git a/router/middleware/session/repo_test.go b/router/middleware/session/repo_test.go
index 6d524a9b7..349b4e3ac 100644
--- a/router/middleware/session/repo_test.go
+++ b/router/middleware/session/repo_test.go
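Review bot: In the `case user != nil:` branch a failed `cache.GetPerms` call is now only logged, so `perm` keeps whatever that call returned alongside the error; the removed lines that reset Pull, Push and Admin to false are not replaced. If GetPerms returns a nil `*model.Perm` on error (its body is not visible here), the `perm.Pull = true` assignments in the new visibility switch would dereference nil for public and internal repositories, and a non-nil partial value would be trusted as-is. Failing closed is one line inside the error branch, after the `log.Errorf` call: `perm = &model.Perm{}`. The handler closure starts and ends outside this hunk.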
@@ -1,44 +1,9 @@
 package session
 import (
- "os"
 "testing"
-
- "github.com/drone/drone/model"
- "github.com/franela/goblin"
- "github.com/gin-gonic/gin"
 )
 func TestSetPerm(t *testing.T) {
- g := goblin.Goblin(t)
- g.Describe("SetPerm", func() {
- g.BeforeEach(func() {
- os.Unsetenv("PUBLIC_MODE")
- })
- g.It("Should set pull to false (private repo, user not logged in)", func() {
- c := gin.Context{}
- c.Set("repo", &model.Repo{
- IsPrivate: true,
- })
- SetPerm()(&c)
- v, ok := c.Get("perm")
- g.Assert(ok).IsTrue("perm was not set")
- p, ok := v.(*model.Perm)
- g.Assert(ok).IsTrue("perm was the wrong type")
- g.Assert(p.Pull).IsFalse("pull should be false")
- })
- g.It("Should set pull to true (private repo, user not logged in, public mode)", func() {
- os.Setenv("PUBLIC_MODE", "true")
- c := gin.Context{}
- c.Set("repo", &model.Repo{
- IsPrivate: true,
- })
- SetPerm()(&c)
- v, ok := c.Get("perm")
- g.Assert(ok).IsTrue("perm was not set")
- p, ok := v.(*model.Perm)
- g.Assert(ok).IsTrue("perm was the wrong type")
- g.Assert(p.Pull).IsTrue("pull should be true")
- })
- })
+
 }
diff --git a/server/repo.go b/server/repo.go
index f4cb1a6f9..b965ed052 100644
--- a/server/repo.go
+++ b/server/repo.go
@@ -55,11 +55,15 @@ func PostRepo(c *gin.Context) {
 r.UserID = user.ID
 r.AllowPush = true
 r.AllowPull = true
+ r.Visibility = model.VisibilityPublic
 r.Config = ".drone.yml"
 r.Timeout = 60 // 1 hour default build time
 r.Hash = base32.StdEncoding.EncodeToString(
 securecookie.GenerateRandomKey(32),
 )
+ if r.IsPrivate {
+ r.Visibility = model.VisibilityPrivate
+ }
 // crates the jwt token used to verify the repository
 t := token.New(token.HookToken, r.FullName)
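Review bot: `TestSetPerm` is left with an empty body, so the access-control decision in SetPerm has no test after this change, including the anonymous-caller cases the deleted tests covered. The anonymous path never reaches `cache.GetPerms`, so it can be pinned without a remote stub using the same `gin.Context` setup the old tests used; that needs the `model` and `gin` imports to stay in the file. The table below is a sketch with constructed expectations read off the visibility switch in SetPerm, and it assumes `model.Repo.Visibility` is a plain string. Authenticated and GetPerms-error cases need a stubbed cache and are not shown.

```go
func TestSetPerm(t *testing.T) {
	// Anonymous caller: only the repository visibility decides Pull.
	cases := []struct {
		visibility string
		pull       bool
	}{
		{model.VisibilityPrivate, false},
		{model.VisibilityInternal, false},
		{model.VisibilityPublic, true},
		{"", false}, // unset visibility must not grant access
	}
	for _, tc := range cases {
		c := gin.Context{}
		c.Set("repo", &model.Repo{Visibility: tc.visibility})
		SetPerm()(&c)
		v, ok := c.Get("perm")
		if !ok {
			t.Fatalf("visibility %q: perm was not set", tc.visibility)
		}
		p, ok := v.(*model.Perm)
		if !ok {
			t.Fatalf("visibility %q: perm was the wrong type", tc.visibility)
		}
		if p.Pull != tc.pull || p.Push || p.Admin {
			t.Errorf("visibility %q: got %+v", tc.visibility, p)
		}
	}
}
```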
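Review bot: Visibility is assigned only here, for repositories activated after this change; rows that already exist would keep an empty Visibility unless a backfill outside this patch derives it from IsPrivate. With an empty value neither case of the visibility switch in SetPerm matches, so anonymous Pull on previously public repositories is dropped; that fails closed, but it is a silent behaviour change worth stating in a comment or the upgrade notes. Separately, the public default followed by the `if r.IsPrivate` override several lines later can be written as one decision that starts restrictive: `r.Visibility = model.VisibilityPrivate` followed by `if !r.IsPrivate { r.Visibility = model.VisibilityPublic }`. PostRepo's body continues outside the hunk.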
@@ -132,6 +136,19 @@ func PatchRepo(c *gin.Context) {
 if in.Config != nil {
 repo.Config = *in.Config
 }
+ if in.Visibility != nil {
+ switch *in.Visibility {
+ case model.VisibilityInternal:
+ repo.Visibility = model.VisibilityInternal
+ case model.VisibilityPrivate:
+ repo.Visibility = model.VisibilityPrivate
+ case model.VisibilityPublic:
+ repo.Visibility = model.VisibilityPublic
+ default:
+ c.String(400, "Invalid visibility type")
+ return
+ }
+ }
 err := store.UpdateRepo(c, repo)
 if err != nil {
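Review bot: The new `in.Visibility` block accepts `public` for any repository, including one where `repo.IsPrivate` is true, and nothing in the hunk records the change; since SetPerm grants Pull to unauthenticated callers on public visibility, this widens read access to a repository whose source is private on the remote. Whether the caller must be a repository admin is decided outside this hunk, so a comment stating that requirement and a log entry naming the user, the repository and the old and new visibility would make the widening auditable. On style, the three cases each assign the constant they just matched; a single `case model.VisibilityInternal, model.VisibilityPrivate, model.VisibilityPublic:` with `repo.Visibility = *in.Visibility` says the same in two lines. PatchRepo starts and ends outside the hunk.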