feat: implement fine-grained access tokens in /teams/{id}/repos

**Breaking*: /teams/{id}/repos previously allowed read access to private repositories even if a "public-only" access token was in-use. This has been restricted to only return public repositories in this case.
2026-05-12 22:10:25 +00:00 · 2026-02-24 19:00:25 -07:00 · 2026-02-24 19:00:25 -07:00 · 0eca229d15
commit 0eca229d15
parent cac675bc21
6 changed files with 116 additions and 5 deletions
--- a/models/organization/team_repo.go
+++ b/models/organization/team_repo.go
@ -34,6 +34,8 @@ func HasTeamRepo(ctx context.Context, orgID, teamID, repoID int64) bool {
 type SearchTeamRepoOptions struct {
 	db.ListOptions
 	TeamID int64
+	// Filters repositories based upon optional authorization restrictions.
+	AuthorizationReducer repo_model.RepositoryAuthorizationReducer
 }

 // GetRepositories returns paginated repositories in team of organization.
@ -46,6 +48,9 @@ func GetTeamRepositories(ctx context.Context, opts *SearchTeamRepoOptions) (repo
 				Where(builder.Eq{"team_id": opts.TeamID}),
 		)
 	}
+	if opts.AuthorizationReducer != nil {
+		sess = sess.Where(opts.AuthorizationReducer.RepoReadAccessFilter())
+	}
 	if opts.PageSize > 0 {
 		sess.Limit(opts.PageSize, (opts.Page-1)*opts.PageSize)
 	}