123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697 |
- // Copyright 2016 The Gogs Authors. All rights reserved.
- // Use of this source code is governed by a MIT-style
- // license that can be found in the LICENSE file.
- package db
- import (
- "context"
- "fmt"
- "strings"
- "github.com/pkg/errors"
- "xorm.io/xorm"
- dberrors "gogs.io/gogs/internal/db/errors"
- )
- const TeamNameOwners = "Owners"
- // Team represents a organization team.
- type Team struct {
- ID int64 `gorm:"primaryKey"`
- OrgID int64 `xorm:"INDEX" gorm:"index"`
- LowerName string
- Name string
- Description string
- Authorize AccessMode
- Repos []*Repository `xorm:"-" json:"-" gorm:"-"`
- Members []*User `xorm:"-" json:"-" gorm:"-"`
- NumRepos int
- NumMembers int
- }
- func (t *Team) AfterSet(colName string, _ xorm.Cell) {
- switch colName {
- case "num_repos":
- // LEGACY [1.0]: this is backward compatibility bug fix for https://gogs.io/gogs/issues/3671
- if t.NumRepos < 0 {
- t.NumRepos = 0
- }
- }
- }
- // IsOwnerTeam returns true if team is owner team.
- func (t *Team) IsOwnerTeam() bool {
- return t.Name == TeamNameOwners
- }
- // HasWriteAccess returns true if team has at least write level access mode.
- func (t *Team) HasWriteAccess() bool {
- return t.Authorize >= AccessModeWrite
- }
- // IsTeamMember returns true if given user is a member of team.
- func (t *Team) IsMember(userID int64) bool {
- return IsTeamMember(t.OrgID, t.ID, userID)
- }
- func (t *Team) getRepositories(e Engine) (err error) {
- teamRepos := make([]*TeamRepo, 0, t.NumRepos)
- if err = x.Where("team_id=?", t.ID).Find(&teamRepos); err != nil {
- return fmt.Errorf("get team-repos: %v", err)
- }
- t.Repos = make([]*Repository, 0, len(teamRepos))
- for i := range teamRepos {
- repo, err := getRepositoryByID(e, teamRepos[i].RepoID)
- if err != nil {
- return fmt.Errorf("getRepositoryById(%d): %v", teamRepos[i].RepoID, err)
- }
- t.Repos = append(t.Repos, repo)
- }
- return nil
- }
- // GetRepositories returns all repositories in team of organization.
- func (t *Team) GetRepositories() error {
- return t.getRepositories(x)
- }
- func (t *Team) getMembers(e Engine) (err error) {
- t.Members, err = getTeamMembers(e, t.ID)
- return err
- }
- // GetMembers returns all members in team of organization.
- func (t *Team) GetMembers() (err error) {
- return t.getMembers(x)
- }
- // AddMember adds new membership of the team to the organization,
- // the user will have membership to the organization automatically when needed.
- func (t *Team) AddMember(uid int64) error {
- return AddTeamMember(t.OrgID, t.ID, uid)
- }
- // RemoveMember removes member from team of organization.
- func (t *Team) RemoveMember(uid int64) error {
- return RemoveTeamMember(t.OrgID, t.ID, uid)
- }
- func (t *Team) hasRepository(e Engine, repoID int64) bool {
- return hasTeamRepo(e, t.OrgID, t.ID, repoID)
- }
- // HasRepository returns true if given repository belong to team.
- func (t *Team) HasRepository(repoID int64) bool {
- return t.hasRepository(x, repoID)
- }
- func (t *Team) addRepository(e Engine, repo *Repository) (err error) {
- if err = addTeamRepo(e, t.OrgID, t.ID, repo.ID); err != nil {
- return err
- }
- t.NumRepos++
- if _, err = e.ID(t.ID).AllCols().Update(t); err != nil {
- return fmt.Errorf("update team: %v", err)
- }
- if err = repo.recalculateTeamAccesses(e, 0); err != nil {
- return fmt.Errorf("recalculateAccesses: %v", err)
- }
- if err = t.getMembers(e); err != nil {
- return fmt.Errorf("getMembers: %v", err)
- }
- for _, u := range t.Members {
- if err = watchRepo(e, u.ID, repo.ID, true); err != nil {
- return fmt.Errorf("watchRepo: %v", err)
- }
- }
- return nil
- }
- // AddRepository adds new repository to team of organization.
- func (t *Team) AddRepository(repo *Repository) (err error) {
- if repo.OwnerID != t.OrgID {
- return dberrors.New("Repository does not belong to organization")
- } else if t.HasRepository(repo.ID) {
- return nil
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- if err = t.addRepository(sess, repo); err != nil {
- return err
- }
- return sess.Commit()
- }
- func (t *Team) removeRepository(e Engine, repo *Repository, recalculate bool) (err error) {
- if err = removeTeamRepo(e, t.ID, repo.ID); err != nil {
- return err
- }
- t.NumRepos--
- if _, err = e.ID(t.ID).AllCols().Update(t); err != nil {
- return err
- }
- // Don't need to recalculate when delete a repository from organization.
- if recalculate {
- if err = repo.recalculateTeamAccesses(e, t.ID); err != nil {
- return err
- }
- }
- if err = t.getMembers(e); err != nil {
- return fmt.Errorf("get team members: %v", err)
- }
- // TODO: Delete me when this method is migrated to use GORM.
- userAccessMode := func(e Engine, userID int64, repo *Repository) (AccessMode, error) {
- mode := AccessModeNone
- // Everyone has read access to public repository
- if !repo.IsPrivate {
- mode = AccessModeRead
- }
- if userID <= 0 {
- return mode, nil
- }
- if userID == repo.OwnerID {
- return AccessModeOwner, nil
- }
- access := &Access{
- UserID: userID,
- RepoID: repo.ID,
- }
- if has, err := e.Get(access); !has || err != nil {
- return mode, err
- }
- return access.Mode, nil
- }
- hasAccess := func(e Engine, userID int64, repo *Repository, testMode AccessMode) (bool, error) {
- mode, err := userAccessMode(e, userID, repo)
- return mode >= testMode, err
- }
- for _, member := range t.Members {
- has, err := hasAccess(e, member.ID, repo, AccessModeRead)
- if err != nil {
- return err
- } else if has {
- continue
- }
- if err = watchRepo(e, member.ID, repo.ID, false); err != nil {
- return err
- }
- }
- return nil
- }
- // RemoveRepository removes repository from team of organization.
- func (t *Team) RemoveRepository(repoID int64) error {
- if !t.HasRepository(repoID) {
- return nil
- }
- repo, err := GetRepositoryByID(repoID)
- if err != nil {
- return err
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- if err = t.removeRepository(sess, repo, true); err != nil {
- return err
- }
- return sess.Commit()
- }
- var reservedTeamNames = map[string]struct{}{
- "new": {},
- }
- // IsUsableTeamName return an error if given name is a reserved name or pattern.
- func IsUsableTeamName(name string) error {
- return isNameAllowed(reservedTeamNames, nil, name)
- }
- // NewTeam creates a record of new team.
- // It's caller's responsibility to assign organization ID.
- func NewTeam(t *Team) error {
- if t.Name == "" {
- return dberrors.New("empty team name")
- } else if t.OrgID == 0 {
- return dberrors.New("OrgID is not assigned")
- }
- if err := IsUsableTeamName(t.Name); err != nil {
- return err
- }
- has, err := x.Id(t.OrgID).Get(new(User))
- if err != nil {
- return err
- } else if !has {
- return errors.New("organization does not exist")
- }
- t.LowerName = strings.ToLower(t.Name)
- existingTeam := Team{}
- has, err = x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).Get(&existingTeam)
- if err != nil {
- return err
- } else if has {
- return ErrTeamAlreadyExist{existingTeam.ID, t.OrgID, t.LowerName}
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- if _, err = sess.Insert(t); err != nil {
- return err
- }
- // Update organization number of teams.
- if _, err = sess.Exec("UPDATE `user` SET num_teams=num_teams+1 WHERE id = ?", t.OrgID); err != nil {
- return err
- }
- return sess.Commit()
- }
- func getTeamByID(e Engine, teamID int64) (*Team, error) {
- t := new(Team)
- has, err := e.ID(teamID).Get(t)
- if err != nil {
- return nil, err
- } else if !has {
- return nil, ErrTeamNotExist{args: map[string]any{"teamID": teamID}}
- }
- return t, nil
- }
- // GetTeamByID returns team by given ID.
- func GetTeamByID(teamID int64) (*Team, error) {
- return getTeamByID(x, teamID)
- }
- // getTeamsByOrgID returns all teams belong to given organization.
- func getTeamsByOrgID(e Engine, orgID int64) ([]*Team, error) {
- teams := make([]*Team, 0, 3)
- return teams, e.Where("org_id = ?", orgID).Find(&teams)
- }
- // UpdateTeam updates information of team.
- func UpdateTeam(t *Team, authChanged bool) (err error) {
- if t.Name == "" {
- return dberrors.New("empty team name")
- }
- if len(t.Description) > 255 {
- t.Description = t.Description[:255]
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- t.LowerName = strings.ToLower(t.Name)
- existingTeam := new(Team)
- has, err := x.Where("org_id=?", t.OrgID).And("lower_name=?", t.LowerName).And("id!=?", t.ID).Get(existingTeam)
- if err != nil {
- return err
- } else if has {
- return ErrTeamAlreadyExist{existingTeam.ID, t.OrgID, t.LowerName}
- }
- if _, err = sess.ID(t.ID).AllCols().Update(t); err != nil {
- return fmt.Errorf("update: %v", err)
- }
- // Update access for team members if needed.
- if authChanged {
- if err = t.getRepositories(sess); err != nil {
- return fmt.Errorf("getRepositories:%v", err)
- }
- for _, repo := range t.Repos {
- if err = repo.recalculateTeamAccesses(sess, 0); err != nil {
- return fmt.Errorf("recalculateTeamAccesses: %v", err)
- }
- }
- }
- return sess.Commit()
- }
- // DeleteTeam deletes given team.
- // It's caller's responsibility to assign organization ID.
- func DeleteTeam(t *Team) error {
- if err := t.GetRepositories(); err != nil {
- return err
- }
- // Get organization.
- org, err := Users.GetByID(context.TODO(), t.OrgID)
- if err != nil {
- return err
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- // Delete all accesses.
- for _, repo := range t.Repos {
- if err = repo.recalculateTeamAccesses(sess, t.ID); err != nil {
- return err
- }
- }
- // Delete team-user.
- if _, err = sess.Where("org_id=?", org.ID).Where("team_id=?", t.ID).Delete(new(TeamUser)); err != nil {
- return err
- }
- // Delete team.
- if _, err = sess.ID(t.ID).Delete(new(Team)); err != nil {
- return err
- }
- // Update organization number of teams.
- if _, err = sess.Exec("UPDATE `user` SET num_teams=num_teams-1 WHERE id=?", t.OrgID); err != nil {
- return err
- }
- return sess.Commit()
- }
- // ___________ ____ ___
- // \__ ___/___ _____ _____ | | \______ ___________
- // | |_/ __ \\__ \ / \| | / ___// __ \_ __ \
- // | |\ ___/ / __ \| Y Y \ | /\___ \\ ___/| | \/
- // |____| \___ >____ /__|_| /______//____ >\___ >__|
- // \/ \/ \/ \/ \/
- // TeamUser represents an team-user relation.
- type TeamUser struct {
- ID int64 `gorm:"primaryKey"`
- OrgID int64 `xorm:"INDEX" gorm:"index"`
- TeamID int64 `xorm:"UNIQUE(s)" gorm:"uniqueIndex:team_user_unique"`
- UID int64 `xorm:"UNIQUE(s)" gorm:"uniqueIndex:team_user_unique"`
- }
- func isTeamMember(e Engine, orgID, teamID, uid int64) bool {
- has, _ := e.Where("org_id=?", orgID).And("team_id=?", teamID).And("uid=?", uid).Get(new(TeamUser))
- return has
- }
- // IsTeamMember returns true if given user is a member of team.
- func IsTeamMember(orgID, teamID, uid int64) bool {
- return isTeamMember(x, orgID, teamID, uid)
- }
- func getTeamMembers(e Engine, teamID int64) (_ []*User, err error) {
- teamUsers := make([]*TeamUser, 0, 10)
- if err = e.Sql("SELECT `id`, `org_id`, `team_id`, `uid` FROM `team_user` WHERE team_id = ?", teamID).
- Find(&teamUsers); err != nil {
- return nil, fmt.Errorf("get team-users: %v", err)
- }
- members := make([]*User, 0, len(teamUsers))
- for i := range teamUsers {
- member := new(User)
- if _, err = e.ID(teamUsers[i].UID).Get(member); err != nil {
- return nil, fmt.Errorf("get user '%d': %v", teamUsers[i].UID, err)
- }
- members = append(members, member)
- }
- return members, nil
- }
- // GetTeamMembers returns all members in given team of organization.
- func GetTeamMembers(teamID int64) ([]*User, error) {
- return getTeamMembers(x, teamID)
- }
- func getUserTeams(e Engine, orgID, userID int64) ([]*Team, error) {
- teamUsers := make([]*TeamUser, 0, 5)
- if err := e.Where("uid = ?", userID).And("org_id = ?", orgID).Find(&teamUsers); err != nil {
- return nil, err
- }
- teamIDs := make([]int64, len(teamUsers)+1)
- for i := range teamUsers {
- teamIDs[i] = teamUsers[i].TeamID
- }
- teamIDs[len(teamUsers)] = -1
- teams := make([]*Team, 0, len(teamIDs))
- return teams, e.Where("org_id = ?", orgID).In("id", teamIDs).Find(&teams)
- }
- // GetUserTeams returns all teams that user belongs to in given organization.
- func GetUserTeams(orgID, userID int64) ([]*Team, error) {
- return getUserTeams(x, orgID, userID)
- }
- // AddTeamMember adds new membership of given team to given organization,
- // the user will have membership to given organization automatically when needed.
- func AddTeamMember(orgID, teamID, userID int64) error {
- if IsTeamMember(orgID, teamID, userID) {
- return nil
- }
- if err := Organizations.AddMember(context.TODO(), orgID, userID); err != nil {
- return err
- }
- // Get team and its repositories.
- t, err := GetTeamByID(teamID)
- if err != nil {
- return err
- }
- t.NumMembers++
- if err = t.GetRepositories(); err != nil {
- return err
- }
- sess := x.NewSession()
- defer sess.Close()
- if err = sess.Begin(); err != nil {
- return err
- }
- tu := &TeamUser{
- UID: userID,
- OrgID: orgID,
- TeamID: teamID,
- }
- if _, err = sess.Insert(tu); err != nil {
- return err
- } else if _, err = sess.ID(t.ID).Update(t); err != nil {
- return err
- }
- // Give access to team repositories.
- for _, repo := range t.Repos {
- if err = repo.recalculateTeamAccesses(sess, 0); err != nil {
- return err
- }
- }
- // We make sure it exists before.
- ou := new(OrgUser)
- if _, err = sess.Where("uid = ?", userID).And("org_id = ?", orgID).Get(ou); err != nil {
- return err
- }
- ou.NumTeams++
- if t.IsOwnerTeam() {
- ou.IsOwner = true
- }
- if _, err = sess.ID(ou.ID).AllCols().Update(ou); err != nil {
- return err
- }
- return sess.Commit()
- }
- func removeTeamMember(e Engine, orgID, teamID, userID int64) error {
- if !isTeamMember(e, orgID, teamID, userID) {
- return nil
- }
- // Get team and its repositories.
- t, err := getTeamByID(e, teamID)
- if err != nil {
- return err
- }
- // Check if the user to delete is the last member in owner team.
- if t.IsOwnerTeam() && t.NumMembers == 1 {
- return ErrLastOrgOwner{args: map[string]any{"orgID": orgID, "userID": userID}}
- }
- t.NumMembers--
- if err = t.getRepositories(e); err != nil {
- return err
- }
- // Get organization.
- org, err := getUserByID(e, orgID)
- if err != nil {
- return err
- }
- tu := &TeamUser{
- UID: userID,
- OrgID: orgID,
- TeamID: teamID,
- }
- if _, err := e.Delete(tu); err != nil {
- return err
- } else if _, err = e.ID(t.ID).AllCols().Update(t); err != nil {
- return err
- }
- // Delete access to team repositories.
- for _, repo := range t.Repos {
- if err = repo.recalculateTeamAccesses(e, 0); err != nil {
- return err
- }
- }
- // This must exist.
- ou := new(OrgUser)
- _, err = e.Where("uid = ?", userID).And("org_id = ?", org.ID).Get(ou)
- if err != nil {
- return err
- }
- ou.NumTeams--
- if t.IsOwnerTeam() {
- ou.IsOwner = false
- }
- if _, err = e.ID(ou.ID).AllCols().Update(ou); err != nil {
- return err
- }
- return nil
- }
- // RemoveTeamMember removes member from given team of given organization.
- func RemoveTeamMember(orgID, teamID, uid int64) error {
- sess := x.NewSession()
- defer sess.Close()
- if err := sess.Begin(); err != nil {
- return err
- }
- if err := removeTeamMember(sess, orgID, teamID, uid); err != nil {
- return err
- }
- return sess.Commit()
- }
- // ___________ __________
- // \__ ___/___ _____ _____\______ \ ____ ______ ____
- // | |_/ __ \\__ \ / \| _// __ \\____ \ / _ \
- // | |\ ___/ / __ \| Y Y \ | \ ___/| |_> > <_> )
- // |____| \___ >____ /__|_| /____|_ /\___ > __/ \____/
- // \/ \/ \/ \/ \/|__|
- // TeamRepo represents an team-repository relation.
- type TeamRepo struct {
- ID int64
- OrgID int64 `xorm:"INDEX"`
- TeamID int64 `xorm:"UNIQUE(s)"`
- RepoID int64 `xorm:"UNIQUE(s)"`
- }
- // hasTeamRepo returns true if given team has access to the repository of the organization.
- func hasTeamRepo(e Engine, orgID, teamID, repoID int64) bool {
- has, _ := e.Where("org_id = ?", orgID).And("team_id = ?", teamID).And("repo_id = ?", repoID).Get(new(TeamRepo))
- return has
- }
- // addTeamRepo adds new repository relation to team.
- func addTeamRepo(e Engine, orgID, teamID, repoID int64) error {
- _, err := e.InsertOne(&TeamRepo{
- OrgID: orgID,
- TeamID: teamID,
- RepoID: repoID,
- })
- return err
- }
- // removeTeamRepo deletes repository relation to team.
- func removeTeamRepo(e Engine, teamID, repoID int64) error {
- _, err := e.Delete(&TeamRepo{
- TeamID: teamID,
- RepoID: repoID,
- })
- return err
- }
- // GetTeamsHaveAccessToRepo returns all teams in an organization that have given access level to the repository.
- func GetTeamsHaveAccessToRepo(orgID, repoID int64, mode AccessMode) ([]*Team, error) {
- teams := make([]*Team, 0, 5)
- return teams, x.Where("team.authorize >= ?", mode).
- Join("INNER", "team_repo", "team_repo.team_id = team.id").
- And("team_repo.org_id = ?", orgID).
- And("team_repo.repo_id = ?", repoID).
- Find(&teams)
- }
- func (u *User) getTeams(e Engine) (err error) {
- u.Teams, err = getTeamsByOrgID(e, u.ID)
- return err
- }
- // GetTeams returns all teams that belong to organization.
- func (u *User) GetTeams() error {
- return u.getTeams(x)
- }
- // TeamsHaveAccessToRepo returns all teams that have given access level to the repository.
- func (u *User) TeamsHaveAccessToRepo(repoID int64, mode AccessMode) ([]*Team, error) {
- return GetTeamsHaveAccessToRepo(u.ID, repoID, mode)
- }
- func (u *User) getUserTeams(e Engine, userID int64, cols ...string) ([]*Team, error) {
- teams := make([]*Team, 0, u.NumTeams)
- return teams, e.Where("team_user.org_id = ?", u.ID).
- And("team_user.uid = ?", userID).
- Join("INNER", "team_user", "team_user.team_id = team.id").
- Cols(cols...).Find(&teams)
- }
- // GetTeams returns all teams that belong to organization,
- // and that the user has joined.
- func (u *User) GetUserTeams(userID int64) ([]*Team, error) {
- return u.getUserTeams(x, userID)
- }
|