From d0e86b957eed0ec2e39987dae69b1c19ff1d2304 Mon Sep 17 00:00:00 2001
From: zouap
Date: Tue, 3 Aug 2021 16:31:03 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=95=B0=E6=8D=AE=E9=9B=86?= =?UTF-8?q?=E5=9B=A2=E9=98=9F=E6=98=BE=E7=A4=BA=E5=8F=8A=E4=B8=8B=E8=BD=BD?= =?UTF-8?q?=E6=8E=A7=E5=88=B6=E9=80=BB=E8=BE=91=EF=BC=8C=E5=8F=A6=E5=A4=96?= =?UTF-8?q?=E5=B0=9D=E8=AF=95=E4=B8=8A=E4=BC=A0=E6=95=B0=E6=8D=AE=E9=9B=86?= =?UTF-8?q?=E6=97=B6=E5=8F=8A=E6=97=B6=E5=88=A0=E9=99=A4js=E5=AF=B9?= =?UTF-8?q?=E8=B1=A1=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: zouap
---
 routers/repo/attachment.go | 29 +++++++++++++++++++++++++++--
 routers/repo/dataset.go | 33 ++++++++++++++++++++++++++++-----
 web_src/js/components/MinioUploader.vue | 1 +
 3 files changed, 56 insertions(+), 7 deletions(-)
diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go
index b59f4ffc7..a79955e8c 100755
--- a/routers/repo/attachment.go
+++ b/routers/repo/attachment.go
@@ -141,6 +141,28 @@ func DeleteAttachment(ctx *context.Context) {
 })
 }
+func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool {
+ dataset, err := models.GetDatasetByID(attach.DatasetID)
+ if err != nil {
+ log.Info("query dataset error")
+ } else {
+ repo, err := models.GetRepositoryByID(dataset.RepoID)
+ if err != nil {
+ log.Info("query repo error.")
+ } else {
+ repo.GetOwner()
+ if repo.Owner.IsOrganization() {
+ log.Info("ower is org.")
+ if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+ log.Info("user may be visit the attach.")
+ return false
+ }
+ }
+ }
+ }
+ return true
+}
+
 // GetAttachment serve attachements
 func GetAttachment(ctx *context.Context) {
 typeCloudBrain := ctx.QueryInt("type")
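Review bot: DownloadUserIsOrg dereferences `ctx.User.ID` without checking that the request is signed in, and the call site this commit adds to GetAttachment evaluates it exactly when `ctx.IsSigned && attach.UploaderID == ctx.User.ID` is false, which includes anonymous requests; if ctx.User is nil for unsigned requests (as the IsSigned guard suggests), an unauthenticated download of an attachment whose dataset belongs to an organization-owned repository would panic instead of returning 404. The same unguarded `ctx.User.ID` appears in newFilterPrivateAttachments in routers/repo/dataset.go. Start the function with `if !ctx.IsSigned { return true }`, and replace the bare `repo.GetOwner()` with `if err := repo.GetOwner(); err != nil { return true }` so `repo.Owner` is never read after a failed load. The name also reads inverted, since true means "refuse"; a doc comment such as `// DownloadUserIsOrg reports whether the download must be refused; it returns false only when the dataset's repository is owned by an organization the signed-in user belongs to.` would make the contract explicit.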
@@ -167,11 +189,14 @@ func GetAttachment(ctx *context.Context) {
 }
 if repository == nil { //If not linked
- if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader
+ //if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader
+ if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && DownloadUserIsOrg(ctx, attach) { //We block if not the uploader
 ctx.Error(http.StatusNotFound)
 return
 }
+
 } else { //If we have the repository we check access
+
 perm, err := models.GetUserRepoPermission(repository, ctx.User)
 if err != nil {
 ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
@@ -205,7 +230,7 @@ func GetAttachment(ctx *context.Context) {
 if setting.Attachment.StoreType == storage.MinioStorageType {
 url := ""
 if typeCloudBrain == models.TypeCloudBrainOne {
- url, err = storage.Attachments.PresignedGetURL(setting.Attachment.Minio.BasePath + attach.RelativePath(), attach.Name)
+ url, err = storage.Attachments.PresignedGetURL(setting.Attachment.Minio.BasePath+attach.RelativePath(), attach.Name)
 if err != nil {
 ctx.ServerError("PresignedGetURL", err)
 return
diff --git a/routers/repo/dataset.go b/routers/repo/dataset.go
index 3be36fbe4..e5bc54b7d 100755
--- a/routers/repo/dataset.go
+++ b/routers/repo/dataset.go
@@ -1,15 +1,13 @@
 package repo
 import (
- "sort"
-
- "code.gitea.io/gitea/modules/setting"
-
 "code.gitea.io/gitea/models"
 "code.gitea.io/gitea/modules/auth"
 "code.gitea.io/gitea/modules/base"
 "code.gitea.io/gitea/modules/context"
 "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "sort"
 )
 const (
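Review bot: In the `repository == nil` branch of GetAttachment (routers/repo/attachment.go, hunk at -167), the rewritten condition no longer tests `attach.IsPrivate`, so every non-uploader is refused unless DownloadUserIsOrg returns false, and that now includes downloads of public attachments the old condition let through. If the privacy flag is still meant to gate this branch, keep it ahead of the membership lookup: `if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate && DownloadUserIsOrg(ctx, attach) {`; that ordering also skips the dataset and repository queries for public files. The commented-out old condition should be deleted rather than committed, and the two blank lines added around `} else {` are noise. GetAttachment starts and ends outside this hunk.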
@@ -36,7 +34,32 @@ func filterPrivateAttachments(ctx *context.Context, list []*models.Attachment) [
 }
 return publicList
 }
+}
+
+func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment, repo *models.Repository) []*models.Attachment {
+ if ctx.Repo.CanWrite(models.UnitTypeDatasets) {
+ log.Info("can write.")
+ return list
+ } else {
+ var publicList []*models.Attachment
+ for _, attach := range list {
+ if !attach.IsPrivate {
+ publicList = append(publicList, attach)
+ } else {
+ if repo.Owner == nil {
+ repo.GetOwner()
+ }
+ if repo.Owner.IsOrganization() {
+ if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+ log.Info("user is member of org.")
+ publicList = append(publicList, attach)
+ }
+ }
+ }
+ }
+ return publicList
+ }
 }
 func DatasetIndex(ctx *context.Context) {
@@ -60,7 +83,7 @@ func DatasetIndex(ctx *context.Context) {
 ctx.ServerError("GetDatasetAttachments", err)
 return
 }
- attachments := filterPrivateAttachments(ctx, dataset.Attachments)
+ attachments := newFilterPrivateAttachments(ctx, dataset.Attachments, repo)
 ctx.Data["SortType"] = ctx.Query("sort")
 switch ctx.Query("sort") {
diff --git a/web_src/js/components/MinioUploader.vue b/web_src/js/components/MinioUploader.vue
index 9d845650a..1dc92e4b3 100755
--- a/web_src/js/components/MinioUploader.vue
+++ b/web_src/js/components/MinioUploader.vue
@@ -335,6 +335,7 @@ export default {
 async function uploadMinio(url, e) {
 const res = await axios.put(url, e.target.result);
+ delete e.target.result
 etags[currentChunk] = res.headers.etag;
 }
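Review bot: newFilterPrivateAttachments (routers/repo/dataset.go, hunk at -36) reveals private attachments on bare membership of the owning organization, and nothing in the hunk consults the viewer's permission on this repository's dataset unit; if team membership is meant to scope access inside an organization, confirm that any member should see these files. The membership test is also loop-invariant yet runs once per private attachment, and the result of `repo.GetOwner()` is discarded before `repo.Owner` is dereferenced. Load the owner once before the loop with its error checked, compute `isMember := ctx.IsSigned && repo.Owner != nil && repo.Owner.IsOrganization() && repo.Owner.IsUserPartOfOrg(ctx.User.ID)`, and append when `!attach.IsPrivate || isMember`. A doc comment stating who may see private attachments (writers of the dataset unit and organization members) would record the rule this function enforces.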
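Review bot: `delete e.target.result` in uploadMinio (web_src/js/components/MinioUploader.vue) most likely has no effect: if e.target is a FileReader, `result` is a read-only accessor defined on the prototype rather than an own property of the instance, so `delete` neither clears the buffer nor throws. The chunk's memory becomes collectable only once nothing references the reader or its result, so release the reader reference after the PUT completes, or use a fresh reader per chunk, instead of deleting the property. The line also lacks the trailing semicolon used by the statements around it.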