repo permissions section is not functional

2026-05-07 14:49:47 +02:00
parent 8cb918b064
commit 5e60b814ed
14 changed files with 584 additions and 7 deletions
@@ -59,11 +59,21 @@ func (h *GitHTTPHandler) ServeGit(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	// Require authentication for push; allow anonymous read for public repos
+	// Authenticate and enforce permission checks.
 	var authedUser string
 	user, authed := h.basicAuth(r)
 	if authed {
 		authedUser = user
+		// Push requires write or admin permission.
+		if service == "git-receive-pack" && !HasPermission(h.db, &repo, user, "write") {
+			http.Error(w, "forbidden: you do not have write access to this repository", http.StatusForbidden)
+			return
+		}
+		// Pull on a private repo requires at least read permission.
+		if repo.IsPrivate && !HasPermission(h.db, &repo, user, "read") {
+			http.Error(w, "forbidden: you do not have read access to this repository", http.StatusForbidden)
+			return
+		}
 	} else if service == "git-receive-pack" || repo.IsPrivate {
 		w.Header().Set("WWW-Authenticate", `Basic realm="ForgeBucket"`)
 		http.Error(w, "authentication required", http.StatusUnauthorized)
@@ -0,0 +1,250 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+	"xorm.io/xorm"
+
+	"github.com/forgeo/forgebucket/internal/api/middleware"
+	"github.com/forgeo/forgebucket/internal/models"
+)
+
+type MemberHandler struct {
+	db *xorm.Engine
+}
+
+func NewMemberHandler(db *xorm.Engine) *MemberHandler {
+	return &MemberHandler{db: db}
+}
+
+type memberResponse struct {
+	UserID     int64  `json:"userId"`
+	Username   string `json:"username"`
+	AvatarURL  string `json:"avatarUrl"`
+	Permission string `json:"permission"`
+	IsOwner    bool   `json:"isOwner"`
+	AddedAt    string `json:"addedAt"`
+}
+
+// lookupRepoForMembers resolves the repo from URL params and returns the owner User.
+func (h *MemberHandler) lookupRepoAndOwner(w http.ResponseWriter, r *http.Request) (*models.Repository, *models.User, bool) {
+	ownerName := chi.URLParam(r, "owner")
+	repoName := chi.URLParam(r, "repo")
+
+	var owner models.User
+	if found, _ := h.db.Where("username = ?", ownerName).Get(&owner); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	var repo models.Repository
+	if found, _ := h.db.Where("owner_id = ? AND name = ?", owner.ID, repoName).Get(&repo); !found {
+		jsonError(w, "repository not found", http.StatusNotFound)
+		return nil, nil, false
+	}
+	return &repo, &owner, true
+}
+
+// callerCanManage returns true if callerID is the repo owner or has admin permission.
+func (h *MemberHandler) callerCanManage(repo *models.Repository, callerID int64) bool {
+	if callerID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ? AND permission = 'admin'", repo.ID, callerID).Get(&m)
+	return found
+}
+
+// List returns all members (explicit + owner) for a repo.
+func (h *MemberHandler) List(w http.ResponseWriter, r *http.Request) {
+	repo, owner, ok := h.lookupRepoAndOwner(w, r)
+	if !ok {
+		return
+	}
+
+	result := []memberResponse{
+		{
+			UserID:     owner.ID,
+			Username:   owner.Username,
+			AvatarURL:  owner.AvatarURL,
+			Permission: "admin",
+			IsOwner:    true,
+			AddedAt:    repo.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		},
+	}
+
+	var members []models.RepoMember
+	h.db.Where("repo_id = ?", repo.ID).OrderBy("created_at").Find(&members)
+
+	for _, m := range members {
+		var u models.User
+		if found, _ := h.db.ID(m.UserID).Get(&u); !found {
+			continue
+		}
+		result = append(result, memberResponse{
+			UserID:     u.ID,
+			Username:   u.Username,
+			AvatarURL:  u.AvatarURL,
+			Permission: m.Permission,
+			IsOwner:    false,
+			AddedAt:    m.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		})
+	}
+
+	jsonOK(w, result)
+}
+
+// Add grants a user access to the repo.
+func (h *MemberHandler) Add(w http.ResponseWriter, r *http.Request) {
+	repo, _, ok := h.lookupRepoAndOwner(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.callerCanManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
+		return
+	}
+
+	var body struct {
+		Username   string `json:"username"`
+		Permission string `json:"permission"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Username == "" {
+		jsonError(w, "username is required", http.StatusBadRequest)
+		return
+	}
+	if body.Permission != "read" && body.Permission != "write" && body.Permission != "admin" {
+		jsonError(w, "permission must be read, write, or admin", http.StatusBadRequest)
+		return
+	}
+
+	var target models.User
+	if found, _ := h.db.Where("username = ?", body.Username).Get(&target); !found {
+		jsonError(w, "user not found", http.StatusNotFound)
+		return
+	}
+	if target.ID == repo.OwnerID {
+		jsonError(w, "the repository owner always has admin access", http.StatusConflict)
+		return
+	}
+
+	// Upsert: if already a member, update permission.
+	var existing models.RepoMember
+	found, _ := h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Get(&existing)
+	if found {
+		existing.Permission = body.Permission
+		h.db.ID(existing.ID).Cols("permission").Update(&existing)
+	} else {
+		m := &models.RepoMember{RepoID: repo.ID, UserID: target.ID, Permission: body.Permission}
+		if _, err := h.db.Insert(m); err != nil {
+			jsonError(w, "could not add member", http.StatusInternalServerError)
+			return
+		}
+	}
+
+	jsonOK(w, memberResponse{
+		UserID:     target.ID,
+		Username:   target.Username,
+		AvatarURL:  target.AvatarURL,
+		Permission: body.Permission,
+		IsOwner:    false,
+	})
+}
+
+// UpdatePermission changes an existing member's permission level.
+func (h *MemberHandler) UpdatePermission(w http.ResponseWriter, r *http.Request) {
+	repo, owner, ok := h.lookupRepoAndOwner(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.callerCanManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
+		return
+	}
+
+	targetUsername := chi.URLParam(r, "username")
+	var target models.User
+	if found, _ := h.db.Where("username = ?", targetUsername).Get(&target); !found {
+		jsonError(w, "user not found", http.StatusNotFound)
+		return
+	}
+	if target.ID == owner.ID {
+		jsonError(w, "cannot change the owner's permission", http.StatusConflict)
+		return
+	}
+
+	var body struct {
+		Permission string `json:"permission"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		jsonError(w, "invalid body", http.StatusBadRequest)
+		return
+	}
+	if body.Permission != "read" && body.Permission != "write" && body.Permission != "admin" {
+		jsonError(w, "permission must be read, write, or admin", http.StatusBadRequest)
+		return
+	}
+
+	var m models.RepoMember
+	if found, _ := h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Get(&m); !found {
+		jsonError(w, "user is not a member", http.StatusNotFound)
+		return
+	}
+	m.Permission = body.Permission
+	h.db.ID(m.ID).Cols("permission").Update(&m)
+
+	jsonOK(w, memberResponse{
+		UserID:     target.ID,
+		Username:   target.Username,
+		Permission: body.Permission,
+		IsOwner:    false,
+	})
+}
+
+// Remove revokes a user's access to the repo.
+func (h *MemberHandler) Remove(w http.ResponseWriter, r *http.Request) {
+	repo, owner, ok := h.lookupRepoAndOwner(w, r)
+	if !ok {
+		return
+	}
+	callerID, _ := middleware.UserIDFromContext(r.Context())
+	if !h.callerCanManage(repo, callerID) {
+		jsonError(w, "only the owner or an admin can manage members", http.StatusForbidden)
+		return
+	}
+
+	targetUsername := chi.URLParam(r, "username")
+	var target models.User
+	if found, _ := h.db.Where("username = ?", targetUsername).Get(&target); !found {
+		jsonError(w, "user not found", http.StatusNotFound)
+		return
+	}
+	if target.ID == owner.ID {
+		jsonError(w, "cannot remove the repository owner", http.StatusConflict)
+		return
+	}
+
+	h.db.Where("repo_id = ? AND user_id = ?", repo.ID, target.ID).Delete(&models.RepoMember{})
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// HasPermission checks if a user (by username) has at least the given permission level on a repo.
+// Permission hierarchy: read < write < admin. Owner always passes.
+func HasPermission(db *xorm.Engine, repo *models.Repository, username, required string) bool {
+	var u models.User
+	if found, _ := db.Where("username = ?", username).Get(&u); !found {
+		return false
+	}
+	if u.ID == repo.OwnerID {
+		return true
+	}
+	var m models.RepoMember
+	if found, _ := db.Where("repo_id = ? AND user_id = ?", repo.ID, u.ID).Get(&m); !found {
+		return false
+	}
+	rank := map[string]int{"read": 1, "write": 2, "admin": 3}
+	return rank[m.Permission] >= rank[required]
+}
@@ -43,6 +43,7 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 	gitH     := handlers.NewGitHTTPHandler(engine, cfg)
 	issueH   := handlers.NewIssueHandler(engine)
 	sshKeyH  := handlers.NewSSHKeyHandler(engine)
+	memberH  := handlers.NewMemberHandler(engine)

 	// ── Git smart-HTTP transport ───────────────────────────────────────────────
 	// These routes MUST be registered before the SPA catch-all and outside CSRF.
@@ -134,6 +135,12 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 						r.Get("/", pipeH.List)
 						r.Get("/{runID}", pipeH.Get)
 					})
+					r.Route("/members", func(r chi.Router) {
+						r.Get("/", memberH.List)
+						r.With(csrf).Post("/", memberH.Add)
+						r.With(csrf).Patch("/{username}", memberH.UpdatePermission)
+						r.With(csrf).Delete("/{username}", memberH.Remove)
+					})
 				})
 			})
 		})
@@ -0,0 +1,13 @@
+package models
+
+import "time"
+
+// RepoMember stores the explicit permission a user has been granted on a repository.
+// The repository owner always has implicit admin access and is never stored here.
+type RepoMember struct {
+	ID         int64     `xorm:"'id' pk autoincr"`
+	RepoID     int64     `xorm:"'repo_id' notnull index"`
+	UserID     int64     `xorm:"'user_id' notnull index"`
+	Permission string    `xorm:"'permission' notnull"` // read | write | admin
+	CreatedAt  time.Time `xorm:"'created_at' created"`
+}
@@ -16,5 +16,8 @@ func Run(engine *xorm.Engine) error {
 	); err != nil {
 		return err
 	}
-	return Run002(engine)
+	if err := Run002(engine); err != nil {
+		return err
+	}
+	return Run003(engine)
 }
@@ -0,0 +1,10 @@
+package migrations
+
+import (
+	"github.com/forgeo/forgebucket/internal/models"
+	"xorm.io/xorm"
+)
+
+func Run003(engine *xorm.Engine) error {
+	return engine.Sync2(&models.RepoMember{})
+}