repo permissions section is not functional
This commit is contained in:
@@ -1 +1,2 @@
|
||||
822b85a78b17deb9373a3f5a802e9db2a9893846 eed5dac1a3ac99a4e127a1b3b74acedc8c6b2945 devtest <dev@test.com> 1778145720 +0200 commit: Update README via editor
|
||||
eed5dac1a3ac99a4e127a1b3b74acedc8c6b2945 b8eb0c5e1ab3acc860bb55c75fcde31ab22b83dd testuser <testuser@http.[::1]:51142> 1778158078 +0200 push
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -1 +1 @@
|
||||
eed5dac1a3ac99a4e127a1b3b74acedc8c6b2945
|
||||
b8eb0c5e1ab3acc860bb55c75fcde31ab22b83dd
|
||||
|
||||
@@ -0,0 +1,65 @@
|
||||
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
|
||||
import { z } from 'zod'
|
||||
import { api } from '../client'
|
||||
import type { RepoMember } from '../../types/api'
|
||||
|
||||
const memberSchema = z.object({
|
||||
userId: z.number(),
|
||||
username: z.string(),
|
||||
avatarUrl: z.string().default(''),
|
||||
permission: z.enum(['read', 'write', 'admin']),
|
||||
isOwner: z.boolean(),
|
||||
addedAt: z.string().default(''),
|
||||
})
|
||||
|
||||
const membersSchema = z.array(memberSchema)
|
||||
|
||||
export function useRepoMembers(owner: string, repo: string) {
|
||||
return useQuery({
|
||||
queryKey: ['repos', owner, repo, 'members'],
|
||||
queryFn: () =>
|
||||
api.get<RepoMember[]>(`/api/v1/repos/${owner}/${repo}/members`, membersSchema),
|
||||
enabled: Boolean(owner && repo),
|
||||
})
|
||||
}
|
||||
|
||||
export function useAddMember(owner: string, repo: string) {
|
||||
const queryClient = useQueryClient()
|
||||
return useMutation({
|
||||
mutationFn: (data: { username: string; permission: string }) =>
|
||||
api.post<RepoMember>(
|
||||
`/api/v1/repos/${owner}/${repo}/members`,
|
||||
memberSchema,
|
||||
data,
|
||||
),
|
||||
onSuccess: () =>
|
||||
queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'members'] }),
|
||||
})
|
||||
}
|
||||
|
||||
export function useUpdateMember(owner: string, repo: string) {
|
||||
const queryClient = useQueryClient()
|
||||
return useMutation({
|
||||
mutationFn: ({ username, permission }: { username: string; permission: string }) =>
|
||||
api.patch<RepoMember>(
|
||||
`/api/v1/repos/${owner}/${repo}/members/${username}`,
|
||||
memberSchema,
|
||||
{ permission },
|
||||
),
|
||||
onSuccess: () =>
|
||||
queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'members'] }),
|
||||
})
|
||||
}
|
||||
|
||||
export function useRemoveMember(owner: string, repo: string) {
|
||||
const queryClient = useQueryClient()
|
||||
return useMutation({
|
||||
mutationFn: (username: string) =>
|
||||
api.delete(
|
||||
`/api/v1/repos/${owner}/${repo}/members/${username}`,
|
||||
z.any(),
|
||||
),
|
||||
onSuccess: () =>
|
||||
queryClient.invalidateQueries({ queryKey: ['repos', owner, repo, 'members'] }),
|
||||
})
|
||||
}
|
||||
@@ -1,7 +1,9 @@
|
||||
import { useState, useEffect, useRef, useCallback } from 'react'
|
||||
import { useParams, Link, useNavigate, useSearchParams } from 'react-router-dom'
|
||||
import { useRepo, useUpdateRepo, useDeleteRepo, useUploadRepoAvatar } from '../api/queries/repos'
|
||||
import { useRepoMembers, useAddMember, useUpdateMember, useRemoveMember } from '../api/queries/members'
|
||||
import { useRecentRepos } from '../hooks/useRecentRepos'
|
||||
import { useAuth } from '../contexts/AuthContext'
|
||||
import { Skeleton } from '../ui/Skeleton'
|
||||
import { RepoAvatar } from '../ui/RepoAvatar'
|
||||
|
||||
@@ -128,10 +130,9 @@ export default function RepoSettingsPage() {
|
||||
{SIDEBAR.map(g => g.items.map(i => <option key={i.id} value={i.id}>{g.group} → {i.label}</option>))}
|
||||
</select>
|
||||
</div>
|
||||
{section === 'repository-details'
|
||||
? <RepositoryDetailsSection owner={owner} repo={repoName} />
|
||||
: <ComingSoon sectionId={section} />
|
||||
}
|
||||
{section === 'repository-details' && <RepositoryDetailsSection owner={owner} repo={repoName} />}
|
||||
{section === 'repository-permissions' && <RepositoryPermissionsSection owner={owner} repo={repoName} />}
|
||||
{section !== 'repository-details' && section !== 'repository-permissions' && <ComingSoon sectionId={section} />}
|
||||
</main>
|
||||
</div>
|
||||
)
|
||||
@@ -500,6 +501,214 @@ function RepositoryDetailsSection({ owner, repo }: { owner: string; repo: string
|
||||
)
|
||||
}
|
||||
|
||||
// ─── Repository permissions section ──────────────────────────────────────────
|
||||
|
||||
const PERMISSION_LABELS: Record<string, { label: string; description: string; color: string }> = {
|
||||
read: { label: 'Read', description: 'Can clone and pull', color: 'bg-[var(--c-surface-muted)] text-[var(--c-muted)]' },
|
||||
write: { label: 'Write', description: 'Can push branches and commits', color: 'bg-blue-100 text-blue-700 dark:bg-blue-900/40 dark:text-blue-300' },
|
||||
admin: { label: 'Admin', description: 'Can manage settings and members', color: 'bg-purple-100 text-purple-700 dark:bg-purple-900/40 dark:text-purple-300' },
|
||||
}
|
||||
|
||||
function PermissionBadge({ permission }: { permission: string }) {
|
||||
const p = PERMISSION_LABELS[permission] ?? PERMISSION_LABELS.read
|
||||
return (
|
||||
<span className={`text-[10px] font-semibold uppercase tracking-wide px-2 py-0.5 rounded-full ${p.color}`}>
|
||||
{p.label}
|
||||
</span>
|
||||
)
|
||||
}
|
||||
|
||||
function RepositoryPermissionsSection({ owner, repo }: { owner: string; repo: string }) {
|
||||
const { user } = useAuth()
|
||||
const { data: members, isLoading } = useRepoMembers(owner, repo)
|
||||
const addMember = useAddMember(owner, repo)
|
||||
const updateMember = useUpdateMember(owner, repo)
|
||||
const removeMember = useRemoveMember(owner, repo)
|
||||
|
||||
const [username, setUsername] = useState('')
|
||||
const [permission, setPermission] = useState('write')
|
||||
const [addError, setAddError] = useState('')
|
||||
|
||||
const isOwner = members?.find(m => m.isOwner)?.username === user?.username
|
||||
|
||||
async function handleAdd(e: React.FormEvent) {
|
||||
e.preventDefault()
|
||||
setAddError('')
|
||||
if (!username.trim()) return
|
||||
try {
|
||||
await addMember.mutateAsync({ username: username.trim(), permission })
|
||||
setUsername('')
|
||||
} catch (err) {
|
||||
setAddError((err as Error).message)
|
||||
}
|
||||
}
|
||||
|
||||
async function handlePermissionChange(memberUsername: string, newPermission: string) {
|
||||
await updateMember.mutateAsync({ username: memberUsername, permission: newPermission })
|
||||
}
|
||||
|
||||
async function handleRemove(memberUsername: string) {
|
||||
await removeMember.mutateAsync(memberUsername)
|
||||
}
|
||||
|
||||
return (
|
||||
<div className="max-w-2xl px-6 py-6 space-y-6">
|
||||
<div>
|
||||
<h1 className="text-xl font-semibold text-[var(--c-text)]">Repository permissions</h1>
|
||||
<p className="text-sm text-[var(--c-muted)] mt-1">
|
||||
Manage who has access to this repository and what they can do.
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div className="border-t border-[var(--c-border)]" />
|
||||
|
||||
{/* Permission level reference */}
|
||||
<div className="grid grid-cols-3 gap-3">
|
||||
{Object.entries(PERMISSION_LABELS).map(([key, val]) => (
|
||||
<div key={key} className="border border-[var(--c-border)] rounded-lg p-3 bg-[var(--c-surface)]">
|
||||
<PermissionBadge permission={key} />
|
||||
<p className="text-xs text-[var(--c-muted)] mt-2">{val.description}</p>
|
||||
</div>
|
||||
))}
|
||||
</div>
|
||||
|
||||
{/* Member list */}
|
||||
<div className="border border-[var(--c-border)] rounded-lg overflow-hidden bg-[var(--c-surface)]">
|
||||
<div className="px-4 py-3 border-b border-[var(--c-border)] bg-[var(--c-surface-raised)] flex items-center justify-between">
|
||||
<h2 className="text-sm font-semibold text-[var(--c-text)]">Members</h2>
|
||||
<span className="text-xs text-[var(--c-muted)]">{members?.length ?? 0} {members?.length === 1 ? 'person' : 'people'}</span>
|
||||
</div>
|
||||
|
||||
{isLoading ? (
|
||||
<div className="p-4 space-y-3">
|
||||
{[1,2].map(i => (
|
||||
<div key={i} className="flex items-center gap-3">
|
||||
<Skeleton className="w-8 h-8 rounded-full" />
|
||||
<Skeleton className="h-4 w-32" />
|
||||
<Skeleton className="h-4 w-16 ml-auto" />
|
||||
</div>
|
||||
))}
|
||||
</div>
|
||||
) : (
|
||||
<ul className="divide-y divide-[var(--c-border)]">
|
||||
{members?.map(member => (
|
||||
<li key={member.userId} className="flex items-center gap-3 px-4 py-3">
|
||||
{/* Avatar */}
|
||||
<div className="w-8 h-8 rounded-full overflow-hidden shrink-0 bg-[var(--c-brand)] flex items-center justify-center text-white text-sm font-bold">
|
||||
{member.avatarUrl
|
||||
? <img src={member.avatarUrl} alt={member.username} className="w-full h-full object-cover" />
|
||||
: member.username[0]?.toUpperCase()
|
||||
}
|
||||
</div>
|
||||
|
||||
{/* Name */}
|
||||
<div className="flex-1 min-w-0">
|
||||
<span className="text-sm font-medium text-[var(--c-text)]">{member.username}</span>
|
||||
{member.isOwner && (
|
||||
<span className="ml-2 text-[10px] text-[var(--c-muted)]">owner</span>
|
||||
)}
|
||||
</div>
|
||||
|
||||
{/* Permission selector or badge */}
|
||||
{member.isOwner ? (
|
||||
<PermissionBadge permission="admin" />
|
||||
) : isOwner ? (
|
||||
<div className="flex items-center gap-2">
|
||||
<select
|
||||
value={member.permission}
|
||||
onChange={e => handlePermissionChange(member.username, e.target.value)}
|
||||
disabled={updateMember.isPending}
|
||||
className="text-xs border border-[var(--c-border)] rounded px-2 py-1 bg-[var(--c-surface)] text-[var(--c-text)] focus:outline-none focus:border-[var(--c-brand-focus)]"
|
||||
>
|
||||
<option value="read">Read</option>
|
||||
<option value="write">Write</option>
|
||||
<option value="admin">Admin</option>
|
||||
</select>
|
||||
<button
|
||||
onClick={() => handleRemove(member.username)}
|
||||
disabled={removeMember.isPending}
|
||||
className="text-[var(--c-danger)] hover:text-[var(--c-danger-dark)] disabled:opacity-40 p-1 rounded hover:bg-[var(--c-danger-tint)] transition-colors"
|
||||
title="Remove member"
|
||||
>
|
||||
<svg width="14" height="14" fill="none" stroke="currentColor" strokeWidth="2" viewBox="0 0 24 24">
|
||||
<path strokeLinecap="round" strokeLinejoin="round" d="M6 18 18 6M6 6l12 12" />
|
||||
</svg>
|
||||
</button>
|
||||
</div>
|
||||
) : (
|
||||
<PermissionBadge permission={member.permission} />
|
||||
)}
|
||||
</li>
|
||||
))}
|
||||
</ul>
|
||||
)}
|
||||
</div>
|
||||
|
||||
{/* Add member form — only for owner/admin */}
|
||||
{isOwner && (
|
||||
<div className="border border-[var(--c-border)] rounded-lg overflow-hidden bg-[var(--c-surface)]">
|
||||
<div className="px-4 py-3 border-b border-[var(--c-border)] bg-[var(--c-surface-raised)]">
|
||||
<h2 className="text-sm font-semibold text-[var(--c-text)]">Add a member</h2>
|
||||
</div>
|
||||
<form onSubmit={handleAdd} className="p-4 space-y-4">
|
||||
<div className="flex gap-3 flex-wrap">
|
||||
<div className="flex-1 min-w-[180px]">
|
||||
<label className="block text-xs font-medium text-[var(--c-muted)] mb-1">Username</label>
|
||||
<input
|
||||
value={username}
|
||||
onChange={e => { setUsername(e.target.value); setAddError('') }}
|
||||
placeholder="e.g. alice"
|
||||
className="w-full border border-[var(--c-border)] rounded px-3 py-2 text-sm bg-[var(--c-surface)] text-[var(--c-text)] focus:outline-none focus:border-[var(--c-brand-focus)] focus:ring-1 focus:ring-[var(--c-brand-focus)]"
|
||||
/>
|
||||
</div>
|
||||
<div className="w-36">
|
||||
<label className="block text-xs font-medium text-[var(--c-muted)] mb-1">Permission</label>
|
||||
<select
|
||||
value={permission}
|
||||
onChange={e => setPermission(e.target.value)}
|
||||
className="w-full border border-[var(--c-border)] rounded px-3 py-2 text-sm bg-[var(--c-surface)] text-[var(--c-text)] focus:outline-none focus:border-[var(--c-brand-focus)]"
|
||||
>
|
||||
<option value="read">Read</option>
|
||||
<option value="write">Write</option>
|
||||
<option value="admin">Admin</option>
|
||||
</select>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div className="text-xs text-[var(--c-muted)]">
|
||||
{PERMISSION_LABELS[permission]?.description}
|
||||
</div>
|
||||
|
||||
{addError && (
|
||||
<p className="text-xs text-[var(--c-danger)]">{addError}</p>
|
||||
)}
|
||||
|
||||
<button
|
||||
type="submit"
|
||||
disabled={addMember.isPending || !username.trim()}
|
||||
className="px-4 py-2 rounded bg-[var(--c-brand)] text-white text-sm font-medium hover:bg-[var(--c-brand-hover)] disabled:opacity-50"
|
||||
>
|
||||
{addMember.isPending ? 'Adding…' : 'Add member'}
|
||||
</button>
|
||||
</form>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Info for non-owners */}
|
||||
{!isOwner && !isLoading && (
|
||||
<div className="flex items-start gap-3 p-4 border border-[var(--c-border)] rounded-lg bg-[var(--c-surface-raised)]">
|
||||
<svg width="16" height="16" fill="none" stroke="var(--c-muted)" strokeWidth="1.5" viewBox="0 0 24 24" className="shrink-0 mt-0.5">
|
||||
<path strokeLinecap="round" strokeLinejoin="round" d="m11.25 11.25.041-.02a.75.75 0 0 1 1.063.852l-.708 2.836a.75.75 0 0 0 1.063.853l.041-.021M21 12a9 9 0 1 1-18 0 9 9 0 0 1 18 0Zm-9-3.75h.008v.008H12V8.25Z" />
|
||||
</svg>
|
||||
<p className="text-sm text-[var(--c-muted)]">
|
||||
Only the repository owner and admins can manage member permissions.
|
||||
</p>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
// ─── Coming soon ──────────────────────────────────────────────────────────────
|
||||
|
||||
function ComingSoon({ sectionId }: { sectionId: SectionId }) {
|
||||
|
||||
@@ -92,6 +92,15 @@ export interface SSHKey {
|
||||
createdAt: string
|
||||
}
|
||||
|
||||
export interface RepoMember {
|
||||
userId: number
|
||||
username: string
|
||||
avatarUrl: string
|
||||
permission: 'read' | 'write' | 'admin'
|
||||
isOwner: boolean
|
||||
addedAt: string
|
||||
}
|
||||
|
||||
export interface ApiError {
|
||||
error: string
|
||||
status: number
|
||||
|
||||
@@ -59,11 +59,21 @@ func (h *GitHTTPHandler) ServeGit(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
// Require authentication for push; allow anonymous read for public repos
|
||||
// Authenticate and enforce permission checks.
|
||||
var authedUser string
|
||||
user, authed := h.basicAuth(r)
|
||||
if authed {
|
||||
authedUser = user
|
||||
// Push requires write or admin permission.
|
||||
if service == "git-receive-pack" && !HasPermission(h.db, &repo, user, "write") {
|
||||
http.Error(w, "forbidden: you do not have write access to this repository", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
// Pull on a private repo requires at least read permission.
|
||||
if repo.IsPrivate && !HasPermission(h.db, &repo, user, "read") {
|
||||
http.Error(w, "forbidden: you do not have read access to this repository", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
} else if service == "git-receive-pack" || repo.IsPrivate {
|
||||
w.Header().Set("WWW-Authenticate", `Basic realm="ForgeBucket"`)
|
||||
http.Error(w, "authentication required", http.StatusUnauthorized)
|
||||
|
||||
@@ -0,0 +1,250 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
|
||||
"github.com/go-chi/chi/v5"
|
||||
"xorm.io/xorm"
|
||||
|
||||
"github.com/forgeo/forgebucket/internal/api/middleware"
|
||||
"github.com/forgeo/forgebucket/internal/models"
|
||||
)
|
||||
|
||||
type MemberHandler struct {
|
||||
db *xorm.Engine
|
||||
}
|
||||
|
||||
func NewMemberHandler(db *xorm.Engine) *MemberHandler {
|
||||
return &MemberHandler{db: db}
|
||||
}
|
||||
|
||||
type memberResponse struct {
|
||||
UserID int64 `json:"userId"`
|
||||
Username string `json:"username"`
|
||||
AvatarURL string `json:"avatarUrl"`
|
||||
Permission string `json:"permission"`
|
||||
IsOwner bool `json:"isOwner"`
|
||||
AddedAt string `json:"addedAt"`
|
||||
}
|
||||
|
||||
// lookupRepoForMembers resolves the repo from URL params and returns the owner User.
|
||||
func (h *MemberHandler) lookupRepoAndOwner(w http.ResponseWriter, r *http.Request) (*models.Repository, *models.User, bool) {
|
||||
ownerName := chi.URLParam(r, "owner")
|
||||
repoName := chi.URLParam(r, "repo")
|
||||
|
||||
var owner models.User
|
||||
if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
|
||||
jsonError(w, "repository not found", http.StatusNotFound)
|
||||
return nil, nil, false
|
||||
}
|
||||
var repo models.Repository
|
||||
if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
|
||||
jsonError(w, "repository not found", http.StatusNotFound)
|
||||
return nil, nil, false
|
||||
}
|
||||
return &repo, &owner, true
|
||||
}
|
||||
|
||||
// callerCanManage returns true if callerID is the repo owner or has admin permission.
|
||||
func (h *MemberHandler) callerCanManage(repo *models.Repository, callerID int64) bool {
|
||||
if callerID == repo.OwnerID {
|
||||
return true
|
||||
}
|
||||
var m models.RepoMember
|
||||
found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
|
||||
return found
|
||||
}
|
||||
|
||||
// List returns all members (explicit + owner) for a repo.
|
||||
func (h *MemberHandler) List(w http.ResponseWriter, r *http.Request) {
|
||||
repo, owner, ok := h.lookupRepoAndOwner(w, r)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
|
||||
result := []memberResponse{
|
||||
{
|
||||
UserID: owner.ID,
|
||||
Username: owner.Username,
|
||||
AvatarURL: owner.AvatarURL,
|
||||
Permission: "admin",
|
||||
IsOwner: true,
|
||||
AddedAt: repo.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
|
||||
},
|
||||
}
|
||||
|
||||
var members []models.RepoMember
|
||||
h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at").Find(&members)
|
||||
|
||||
for _, m := range members {
|
||||
var u models.User
|
||||
if found, _ := h.db.ID(m.UserID).Get(&u); !found {
|
||||
continue
|
||||
}
|
||||
result = append(result, memberResponse{
|
||||
UserID: u.ID,
|
||||
Username: u.Username,
|
||||
AvatarURL: u.AvatarURL,
|
||||
Permission: m.Permission,
|
||||
IsOwner: false,
|
||||
AddedAt: m.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
|
||||
})
|
||||
}
|
||||
|
||||
jsonOK(w, result)
|
||||
}
|
||||
|
||||
// Add grants a user access to the repo.
|
||||
func (h *MemberHandler) Add(w http.ResponseWriter, r *http.Request) {
|
||||
repo, _, ok := h.lookupRepoAndOwner(w, r)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
callerID, _ := middleware.UserIDFromContext(r.Context())
|
||||
if !h.callerCanManage(repo, callerID) {
|
||||
jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
var body struct {
|
||||
Username string `json:"username"`
|
||||
Permission string `json:"permission"`
|
||||
}
|
||||
if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Username == "" {
|
||||
jsonError(w, "username is required", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if body.Permission != "read" && body.Permission != "write" && body.Permission != "admin" {
|
||||
jsonError(w, "permission must be read, write, or admin", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
var target models.User
|
||||
if found, _ := h.db.Where("username = ?", body.Username).Get(&target); !found {
|
||||
jsonError(w, "user not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
if target.ID == repo.OwnerID {
|
||||
jsonError(w, "the repository owner always has admin access", http.StatusConflict)
|
||||
return
|
||||
}
|
||||
|
||||
// Upsert: if already a member, update permission.
|
||||
var existing models.RepoMember
|
||||
found, _ := h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Get(&existing)
|
||||
if found {
|
||||
existing.Permission = body.Permission
|
||||
h.db.ID(existing.ID).Cols("permission").Update(&existing)
|
||||
} else {
|
||||
m := &models.RepoMember{RepoID: repo.ID, UserID: target.ID, Permission: body.Permission}
|
||||
if _, err := h.db.Insert(m); err != nil {
|
||||
jsonError(w, "could not add member", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
jsonOK(w, memberResponse{
|
||||
UserID: target.ID,
|
||||
Username: target.Username,
|
||||
AvatarURL: target.AvatarURL,
|
||||
Permission: body.Permission,
|
||||
IsOwner: false,
|
||||
})
|
||||
}
|
||||
|
||||
// UpdatePermission changes an existing member's permission level.
|
||||
func (h *MemberHandler) UpdatePermission(w http.ResponseWriter, r *http.Request) {
|
||||
repo, owner, ok := h.lookupRepoAndOwner(w, r)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
callerID, _ := middleware.UserIDFromContext(r.Context())
|
||||
if !h.callerCanManage(repo, callerID) {
|
||||
jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
targetUsername := chi.URLParam(r, "username")
|
||||
var target models.User
|
||||
if found, _ := h.db.Where("username = ?", targetUsername).Get(&target); !found {
|
||||
jsonError(w, "user not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
if target.ID == owner.ID {
|
||||
jsonError(w, "cannot change the owner's permission", http.StatusConflict)
|
||||
return
|
||||
}
|
||||
|
||||
var body struct {
|
||||
Permission string `json:"permission"`
|
||||
}
|
||||
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
||||
jsonError(w, "invalid body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if body.Permission != "read" && body.Permission != "write" && body.Permission != "admin" {
|
||||
jsonError(w, "permission must be read, write, or admin", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
var m models.RepoMember
|
||||
if found, _ := h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Get(&m); !found {
|
||||
jsonError(w, "user is not a member", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
m.Permission = body.Permission
|
||||
h.db.ID(m.ID).Cols("permission").Update(&m)
|
||||
|
||||
jsonOK(w, memberResponse{
|
||||
UserID: target.ID,
|
||||
Username: target.Username,
|
||||
Permission: body.Permission,
|
||||
IsOwner: false,
|
||||
})
|
||||
}
|
||||
|
||||
// Remove revokes a user's access to the repo.
|
||||
func (h *MemberHandler) Remove(w http.ResponseWriter, r *http.Request) {
|
||||
repo, owner, ok := h.lookupRepoAndOwner(w, r)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
callerID, _ := middleware.UserIDFromContext(r.Context())
|
||||
if !h.callerCanManage(repo, callerID) {
|
||||
jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
targetUsername := chi.URLParam(r, "username")
|
||||
var target models.User
|
||||
if found, _ := h.db.Where("username = ?", targetUsername).Get(&target); !found {
|
||||
jsonError(w, "user not found", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
if target.ID == owner.ID {
|
||||
jsonError(w, "cannot remove the repository owner", http.StatusConflict)
|
||||
return
|
||||
}
|
||||
|
||||
h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Delete(&models.RepoMember{})
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
|
||||
// HasPermission checks if a user (by username) has at least the given permission level on a repo.
|
||||
// Permission hierarchy: read < write < admin. Owner always passes.
|
||||
func HasPermission(db *xorm.Engine, repo *models.Repository, username, required string) bool {
|
||||
var u models.User
|
||||
if found, _ := db.Where("username = ?", username).Get(&u); !found {
|
||||
return false
|
||||
}
|
||||
if u.ID == repo.OwnerID {
|
||||
return true
|
||||
}
|
||||
var m models.RepoMember
|
||||
if found, _ := db.Where("repo_id = ? AND user_id = ?", repo.ID, u.ID).Get(&m); !found {
|
||||
return false
|
||||
}
|
||||
rank := map[string]int{"read": 1, "write": 2, "admin": 3}
|
||||
return rank[m.Permission] >= rank[required]
|
||||
}
|
||||
@@ -43,6 +43,7 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
|
||||
gitH := handlers.NewGitHTTPHandler(engine, cfg)
|
||||
issueH := handlers.NewIssueHandler(engine)
|
||||
sshKeyH := handlers.NewSSHKeyHandler(engine)
|
||||
memberH := handlers.NewMemberHandler(engine)
|
||||
|
||||
// ── Git smart-HTTP transport ───────────────────────────────────────────────
|
||||
// These routes MUST be registered before the SPA catch-all and outside CSRF.
|
||||
@@ -134,6 +135,12 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
|
||||
r.Get("/", pipeH.List)
|
||||
r.Get("/{runID}", pipeH.Get)
|
||||
})
|
||||
r.Route("/members", func(r chi.Router) {
|
||||
r.Get("/", memberH.List)
|
||||
r.With(csrf).Post("/", memberH.Add)
|
||||
r.With(csrf).Patch("/{username}", memberH.UpdatePermission)
|
||||
r.With(csrf).Delete("/{username}", memberH.Remove)
|
||||
})
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
@@ -0,0 +1,13 @@
|
||||
package models
|
||||
|
||||
import "time"
|
||||
|
||||
// RepoMember stores the explicit permission a user has been granted on a repository.
|
||||
// The repository owner always has implicit admin access and is never stored here.
|
||||
type RepoMember struct {
|
||||
ID int64 `xorm:"'id' pk autoincr"`
|
||||
RepoID int64 `xorm:"'repo_id' notnull index"`
|
||||
UserID int64 `xorm:"'user_id' notnull index"`
|
||||
Permission string `xorm:"'permission' notnull"` // read | write | admin
|
||||
CreatedAt time.Time `xorm:"'created_at' created"`
|
||||
}
|
||||
@@ -16,5 +16,8 @@ func Run(engine *xorm.Engine) error {
|
||||
); err != nil {
|
||||
return err
|
||||
}
|
||||
return Run002(engine)
|
||||
if err := Run002(engine); err != nil {
|
||||
return err
|
||||
}
|
||||
return Run003(engine)
|
||||
}
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
package migrations
|
||||
|
||||
import (
|
||||
"github.com/forgeo/forgebucket/internal/models"
|
||||
"xorm.io/xorm"
|
||||
)
|
||||
|
||||
func Run003(engine *xorm.Engine) error {
|
||||
return engine.Sync2(&models.RepoMember{})
|
||||
}
|
||||
Reference in New Issue
Block a user