feat: add GetUserRepoPermissionWithReducer

2026-05-12 22:10:25 +00:00 · 2026-02-15 13:35:00 -07:00 · 2026-02-15 13:35:00 -07:00 · 2f19237a14
commit 2f19237a14
parent 635f13a07e
6 changed files with 203 additions and 1 deletions
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@ -15,6 +15,7 @@ import (
 	"forgejo.org/models/unit"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/services/authz"
 )

 // Permission contains all the permissions related variables to a repository for a user
@ -164,7 +165,28 @@ func GetActionRepoPermission(ctx context.Context, repo *repo_model.Repository, t
 	return GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
 }

-// GetUserRepoPermission returns the user permissions to the repository
+// GetUserRepoPermission returns the user permissions to the repository, where the user's permissions may be
+// artificially restricted by a an authorization reducer.
+func GetUserRepoPermissionWithReducer(ctx context.Context, repo *repo_model.Repository, user *user_model.User, reducer authz.AuthorizationReducer) (Permission, error) {
+	perm, err := GetUserRepoPermission(ctx, repo, user)
+	if err != nil {
+		return perm, err
+	}
+	perm.AccessMode, err = reducer.ReduceRepoAccess(ctx, repo, perm.AccessMode)
+	if err != nil {
+		return perm, fmt.Errorf("failure in ReduceRepoAccess: %w", err)
+	}
+	for unit, currentAccessMode := range perm.UnitsMode {
+		reduced, err := reducer.ReduceRepoAccess(ctx, repo, currentAccessMode)
+		if err != nil {
+			return perm, fmt.Errorf("failure in ReduceRepoAccess: %w", err)
+		}
+		perm.UnitsMode[unit] = reduced
+	}
+	return perm, nil
+}
+
+// GetUserRepoPermission returns the user permissions to the repository.
 func GetUserRepoPermission(ctx context.Context, repo *repo_model.Repository, user *user_model.User) (Permission, error) {
 	var perm Permission
 	if log.IsTrace() {
--- a/models/perm/access/repo_permission_test.go
+++ b/models/perm/access/repo_permission_test.go
@ -8,9 +8,13 @@ import (
 	perm_model "forgejo.org/models/perm"
 	"forgejo.org/models/perm/access"
 	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unit"
 	"forgejo.org/models/unittest"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/services/authz"

 	"github.com/stretchr/testify/assert"
+	mock "github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 )

@ -76,3 +80,73 @@ func TestActionTaskNoAccessPrivateRepo(t *testing.T) {
 	require.NoError(t, err)
 	assertAccess(t, perm_model.AccessModeNone, &perm)
 }
+
+func TestGetUserRepoPermissionWithReducer(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	t.Run("no unit-level overrides", func(t *testing.T) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+
+		// Baseline check that without a reducer, we get AccessModeOwner...
+		permWithoutReducer, err := access.GetUserRepoPermission(t.Context(), repo, user)
+		require.NoError(t, err)
+		require.NotNil(t, permWithoutReducer)
+		assert.True(t, permWithoutReducer.IsOwner())
+		assert.True(t, permWithoutReducer.IsAdmin())
+		assert.True(t, permWithoutReducer.HasAccess())
+		assert.True(t, permWithoutReducer.CanWrite(unit.TypeIssues))
+
+		reducer := authz.NewMockAuthorizationReducer(t)
+		reducer.On(
+			"ReduceRepoAccess",
+			mock.Anything, // context
+			mock.MatchedBy(func(repo *repo_model.Repository) bool { // repo
+				return repo.ID == 1
+			}),
+			perm_model.AccessModeOwner, // incoming access mode
+		).Return(perm_model.AccessModeNone, nil)
+
+		permWithReducer, err := access.GetUserRepoPermissionWithReducer(t.Context(), repo, user, reducer)
+		require.NoError(t, err)
+		require.NotNil(t, permWithReducer)
+		assert.False(t, permWithReducer.IsOwner())
+		assert.False(t, permWithReducer.IsAdmin())
+		assert.False(t, permWithReducer.HasAccess())
+		assert.False(t, permWithReducer.CanWrite(unit.TypeIssues))
+	})
+
+	t.Run("team unit-level overrides", func(t *testing.T) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 15})
+		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 32})
+
+		// Baseline check that without a reducer, we get mixed access for different units...
+		permWithoutReducer, err := access.GetUserRepoPermission(t.Context(), repo, user)
+		require.NoError(t, err)
+		require.NotNil(t, permWithoutReducer)
+		require.NotEmpty(t, permWithoutReducer.UnitsMode) // unit-specific access modes loaded
+		assert.True(t, permWithoutReducer.CanRead(unit.TypeCode))
+		assert.False(t, permWithoutReducer.CanWrite(unit.TypeCode))
+		assert.True(t, permWithoutReducer.CanRead(unit.TypeIssues))
+		assert.True(t, permWithoutReducer.CanWrite(unit.TypeIssues))
+
+		reducer := authz.NewMockAuthorizationReducer(t)
+		reducer.On(
+			"ReduceRepoAccess",
+			mock.Anything, // context
+			mock.MatchedBy(func(repo *repo_model.Repository) bool { // repo
+				return repo.ID == 32
+			}),
+			mock.Anything, // incoming access mode - will vary for each unit
+		).Return(perm_model.AccessModeRead, nil)
+
+		permWithReducer, err := access.GetUserRepoPermissionWithReducer(t.Context(), repo, user, reducer)
+		require.NoError(t, err)
+		require.NotNil(t, permWithReducer)
+		require.NotEmpty(t, permWithReducer.UnitsMode) // unit-specific access modes loaded
+		assert.True(t, permWithReducer.CanRead(unit.TypeCode))
+		assert.False(t, permWithReducer.CanWrite(unit.TypeCode))
+		assert.True(t, permWithReducer.CanRead(unit.TypeIssues))
+		assert.False(t, permWithReducer.CanWrite(unit.TypeIssues))
+	})
+}