Backport #37479 by wxiaoguang Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
+52
-21
@@ -71,38 +71,69 @@ func GetUnmergedPullRequestsByHeadInfo(ctx context.Context, repoID int64, branch
|
||||
}
|
||||
|
||||
// CanMaintainerWriteToBranch check whether user is a maintainer and could write to the branch
|
||||
func CanMaintainerWriteToBranch(ctx context.Context, p access_model.Permission, branch string, user *user_model.User) bool {
|
||||
if p.CanWrite(unit.TypeCode) {
|
||||
return true
|
||||
func CanMaintainerWriteToBranch(ctx context.Context, headPerm access_model.Permission, headBranch string, doer *user_model.User) bool {
|
||||
can, err := canMaintainerWriteToBranch(ctx, headPerm, headBranch, doer)
|
||||
if err != nil {
|
||||
log.Error("CanMaintainerWriteToBranch: %v", err)
|
||||
return false
|
||||
}
|
||||
return can
|
||||
}
|
||||
|
||||
func canMaintainerWriteToBranch(ctx context.Context, headPerm access_model.Permission, headBranch string, doer *user_model.User) (bool, error) {
|
||||
if headPerm.CanWrite(unit.TypeCode) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// the code below depends on units to get the repository ID, not ideal but just keep it for now
|
||||
firstUnitRepoID := p.GetFirstUnitRepoID()
|
||||
firstUnitRepoID := headPerm.GetFirstUnitRepoID()
|
||||
if firstUnitRepoID == 0 {
|
||||
return false
|
||||
return false, nil
|
||||
}
|
||||
|
||||
prs, err := GetUnmergedPullRequestsByHeadInfo(ctx, firstUnitRepoID, branch)
|
||||
prs, err := GetUnmergedPullRequestsByHeadInfo(ctx, firstUnitRepoID, headBranch)
|
||||
if err != nil {
|
||||
return false
|
||||
return false, err
|
||||
}
|
||||
if _, err := prs.LoadIssues(ctx); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
for _, pr := range prs {
|
||||
if pr.AllowMaintainerEdit {
|
||||
err = pr.LoadBaseRepo(ctx)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
prPerm, err := access_model.GetIndividualUserRepoPermission(ctx, pr.BaseRepo, user)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if prPerm.CanWrite(unit.TypeCode) {
|
||||
return true
|
||||
}
|
||||
if !pr.AllowMaintainerEdit {
|
||||
continue
|
||||
}
|
||||
|
||||
// check the PR's poster's permissions
|
||||
// If a "reader" poster created the PR in base repo from head repo, even if it is allowed to be edited by maintainers,
|
||||
// the maintainers should not be allowed to write, because they don't really have "write" permission in the head repo
|
||||
if err := pr.Issue.LoadPoster(ctx); err != nil {
|
||||
return false, err
|
||||
}
|
||||
if err := pr.LoadHeadRepo(ctx); err != nil {
|
||||
return false, err
|
||||
}
|
||||
posterHeadPerm, err := access_model.GetIndividualUserRepoPermission(ctx, pr.HeadRepo, pr.Issue.Poster)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if !posterHeadPerm.CanWrite(unit.TypeCode) {
|
||||
continue
|
||||
}
|
||||
|
||||
// check the doer's permission
|
||||
// Only allow the doer to edit the PR if they have write access to the base repository
|
||||
if err := pr.LoadBaseRepo(ctx); err != nil {
|
||||
return false, err
|
||||
}
|
||||
doerBasePerm, err := access_model.GetIndividualUserRepoPermission(ctx, pr.BaseRepo, doer)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if doerBasePerm.CanWrite(unit.TypeCode) {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
return false
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// HasUnmergedPullRequestsByHeadInfo checks if there are open and not merged pull request
|
||||
|
||||
Reference in New Issue
Block a user