From fe0e093a1d6189e1ea9259921a4fd9e1c7e8dfde Mon Sep 17 00:00:00 2001 From: zouap Date: Wed, 4 Aug 2021 10:21:40 +0800 Subject: [PATCH 1/2] =?UTF-8?q?=E6=95=B0=E6=8D=AE=E9=9B=86=E6=98=BE?= =?UTF-8?q?=E7=A4=BA=E5=A2=9E=E5=8A=A0=E5=8D=8F=E4=BD=9C=E8=80=85=E5=8F=AF?= =?UTF-8?q?=E4=BB=A5=E6=9F=A5=E7=9C=8B=E5=8F=8A=E4=B8=8B=E8=BD=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zouap --- routers/repo/attachment.go | 11 ++++++++--- routers/repo/dataset.go | 25 +++++++++++++++++-------- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go index 3e92471bb..830f193ee 100755 --- a/routers/repo/attachment.go +++ b/routers/repo/attachment.go @@ -141,7 +141,7 @@ func DeleteAttachment(ctx *context.Context) { }) } -func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool { +func DownloadUserIsOrgOrCollaboration(ctx *context.Context, attach *models.Attachment) bool { dataset, err := models.GetDatasetByID(attach.DatasetID) if err != nil { log.Info("query dataset error") @@ -154,10 +154,15 @@ func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool { if repo.Owner.IsOrganization() { //log.Info("ower is org.") if repo.Owner.IsUserPartOfOrg(ctx.User.ID) { - log.Info("user may visit the attach.") + log.Info("org user may visit the attach.") return true } } + isCollaborator, _ := repo.IsCollaborator(ctx.User.ID) + if isCollaborator { + log.Info("Collaborator user may visit the attach.") + return true + } } } return false 
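Review bot: The added `isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)` in DownloadUserIsOrgOrCollaboration discards the error, so a failed lookup on this access-control path is indistinguishable from "not a collaborator" and leaves nothing in the log. Keep the denial (the flag is presumably false on error) but record the failure: `isCollaborator, err := repo.IsCollaborator(ctx.User.ID)` followed by `if err != nil { log.Error("IsCollaborator: %v", err) }`. The same call with the same discarded error appears in both routers/repo/dataset.go hunks of this series. The function body starts above the hunk, so it is not visible whether `ctx.User` is checked for nil before this line; the call site in GetAttachment reaches this function for requests that are not signed in, so that guard is worth confirming.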
@@ -190,7 +195,7 @@ func GetAttachment(ctx *context.Context) { if repository == nil { //If not linked //if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader - if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && !DownloadUserIsOrg(ctx, attach) { //We block if not the uploader + if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && !DownloadUserIsOrgOrCollaboration(ctx, attach) { //We block if not the uploader ctx.Error(http.StatusNotFound) return } diff --git a/routers/repo/dataset.go b/routers/repo/dataset.go index 53a2969fb..8b2f2abd3 100755 --- a/routers/repo/dataset.go +++ b/routers/repo/dataset.go @@ -28,19 +28,28 @@ func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment log.Info("can write.") return list } else { + if repo.Owner == nil { + repo.GetOwner() + } + permission := false + if repo.Owner.IsOrganization() { + if repo.Owner.IsUserPartOfOrg(ctx.User.ID) { + log.Info("user is member of org.") + permission = true + } + } + isCollaborator, _ := repo.IsCollaborator(ctx.User.ID) + if isCollaborator { + log.Info("Collaborator user may visit the attach.") + permission = true + } var publicList []*models.Attachment for _, attach := range list { if !attach.IsPrivate { publicList = append(publicList, attach) } else { - if repo.Owner == nil { - repo.GetOwner() - } - if repo.Owner.IsOrganization() { - if repo.Owner.IsUserPartOfOrg(ctx.User.ID) { - log.Info("user is member of org.") - publicList = append(publicList, attach) - } + if permission { + publicList = append(publicList, attach) } } } From 555330464c6b9d8d68577bc8be6efc4c376d4b16 Mon Sep 17 00:00:00 2001 
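Review bot: Hoisting the organisation and collaborator lookups above the loop in newFilterPrivateAttachments means `ctx.User.ID` is now read for every caller without write access, where the old code read it only for a private attachment in an organisation-owned repository. No nil check on `ctx.User` is visible in the hunk (the function starts above it), so if an unsigned visitor can reach this branch the handler would panic instead of returning the public list; wrapping the two lookups in `if ctx.IsSigned && ctx.User != nil {` keeps `permission` false for anonymous requests. The result of `repo.GetOwner()` is also ignored, so a failed owner load would leave `repo.Owner` nil right before `repo.Owner.IsOrganization()` dereferences it.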
From: zouap Date: Wed, 4 Aug 2021 10:34:30 +0800 Subject: [PATCH 2/2] =?UTF-8?q?-m=E5=A2=9E=E5=8A=A0=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E9=9B=86=E5=8D=8F=E4=BD=9C=E8=80=85=E6=98=BE=E7=A4=BA=E5=8F=8A?= =?UTF-8?q?=E4=B8=8B=E8=BD=BD=E6=9D=83=E9=99=90=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zouap --- routers/repo/dataset.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/routers/repo/dataset.go b/routers/repo/dataset.go index 8b2f2abd3..bdadd2066 100755 --- a/routers/repo/dataset.go +++ b/routers/repo/dataset.go @@ -38,11 +38,14 @@ func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment permission = true } } - isCollaborator, _ := repo.IsCollaborator(ctx.User.ID) - if isCollaborator { - log.Info("Collaborator user may visit the attach.") - permission = true + if !permission { + isCollaborator, _ := repo.IsCollaborator(ctx.User.ID) + if isCollaborator { + log.Info("Collaborator user may visit the attach.") + permission = true + } } + var publicList []*models.Attachment for _, attach := range list { if !attach.IsPrivate {
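Review bot: After this patch the rule "organisation member or collaborator may see private dataset files" exists in two hand-written copies, here in newFilterPrivateAttachments and in DownloadUserIsOrgOrCollaboration in routers/repo/attachment.go, and this change already edits only one of them. Two copies of an authorization rule tend to drift apart, which can leave a file listed but not downloadable, or downloadable but not listed. Consider one helper that takes the repository and the user and is called from both sites, with a doc comment stating exactly who is granted access.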