Merge branch 'V20210731.patch' into contributors

routers/repo/attachment.go

@@ -141,6 +141,28 @@ func DeleteAttachment(ctx *context.Context) {
 	})
 }
 
+func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool {
+	dataset, err := models.GetDatasetByID(attach.DatasetID)
+	if err != nil {
+		log.Info("query dataset error")
+	} else {
+		repo, err := models.GetRepositoryByID(dataset.RepoID)
+		if err != nil {
+			log.Info("query repo error.")
+		} else {
+			repo.GetOwner()
+			if repo.Owner.IsOrganization() {
+				log.Info("ower is org.")
+				if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+					log.Info("user may be visit the attach.")
+					return false
+				}
+			}
+		}
+	}
+	return true
+}
+
 // GetAttachment serve attachements
 func GetAttachment(ctx *context.Context) {
 	typeCloudBrain := ctx.QueryInt("type")
@@ -167,11 +189,14 @@ func GetAttachment(ctx *context.Context) {
 	}
 
 	if repository == nil { //If not linked
-		if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader
+		//if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader
+		if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && DownloadUserIsOrg(ctx, attach) { //We block if not the uploader
 			ctx.Error(http.StatusNotFound)
 			return
 		}
+
 	} else { //If we have the repository we check access
+
 		perm, err := models.GetUserRepoPermission(repository, ctx.User)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
@@ -205,7 +230,7 @@ func GetAttachment(ctx *context.Context) {
 	if setting.Attachment.StoreType == storage.MinioStorageType {
 		url := ""
 		if typeCloudBrain == models.TypeCloudBrainOne {
-			url, err = storage.Attachments.PresignedGetURL(setting.Attachment.Minio.BasePath + attach.RelativePath(), attach.Name)
+			url, err = storage.Attachments.PresignedGetURL(setting.Attachment.Minio.BasePath+attach.RelativePath(), attach.Name)
 			if err != nil {
 				ctx.ServerError("PresignedGetURL", err)
 				return

routers/repo/dataset.go

@@ -1,15 +1,13 @@
 package repo
 
 import (
-	"sort"
-
-	"code.gitea.io/gitea/modules/setting"
-
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"sort"
 )
 
 const (
@@ -36,7 +34,32 @@ func filterPrivateAttachments(ctx *context.Context, list []*models.Attachment) [
 		}
 		return publicList
 	}
+}
+
+func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment, repo *models.Repository) []*models.Attachment {
 
+	if ctx.Repo.CanWrite(models.UnitTypeDatasets) {
+		log.Info("can write.")
+		return list
+	} else {
+		var publicList []*models.Attachment
+		for _, attach := range list {
+			if !attach.IsPrivate {
+				publicList = append(publicList, attach)
+			} else {
+				if repo.Owner == nil {
+					repo.GetOwner()
+				}
+				if repo.Owner.IsOrganization() {
+					if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+						log.Info("user is member of org.")
+						publicList = append(publicList, attach)
+					}
+				}
+			}
+		}
+		return publicList
+	}
 }
 
 func DatasetIndex(ctx *context.Context) {
@@ -60,7 +83,7 @@ func DatasetIndex(ctx *context.Context) {
 		ctx.ServerError("GetDatasetAttachments", err)
 		return
 	}
-	attachments := filterPrivateAttachments(ctx, dataset.Attachments)
+	attachments := newFilterPrivateAttachments(ctx, dataset.Attachments, repo)
 
 	ctx.Data["SortType"] = ctx.Query("sort")
 	switch ctx.Query("sort") {

web_src/js/components/MinioUploader.vue

@@ -335,6 +335,7 @@ export default {
 
       async function uploadMinio(url, e) {
         const res = await axios.put(url, e.target.result);
+		delete e.target.result
         etags[currentChunk] = res.headers.etag;
       }