mirror of
https://github.com/go-gitea/gitea
synced 2024-12-22 12:07:50 +01:00
rework heatmap permissions (#14080)
* now uses the same permission model as for the activity feed: only include activities in repos, that the doer has access to. this might be somewhat slower. * also improves handling of user.KeepActivityPrivate (still shows the heatmap to self & admins) * extend tests * adjust integration test to new behaviour * add access to actions for admins * extend heatmap unit tests
This commit is contained in:
parent
2c9dd71140
commit
f6bec85296
@ -388,7 +388,7 @@ func TestPrivateActivityYesHeatmapHasNoContentForUserItself(t *testing.T) {
|
|||||||
session := loginUser(t, privateActivityTestUser)
|
session := loginUser(t, privateActivityTestUser)
|
||||||
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
||||||
|
|
||||||
assert.False(t, hasContent, "user should have no heatmap content")
|
assert.True(t, hasContent, "user should see their own heatmap content")
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPrivateActivityYesHeatmapHasNoContentForOtherUser(t *testing.T) {
|
func TestPrivateActivityYesHeatmapHasNoContentForOtherUser(t *testing.T) {
|
||||||
@ -399,7 +399,7 @@ func TestPrivateActivityYesHeatmapHasNoContentForOtherUser(t *testing.T) {
|
|||||||
session := loginUser(t, privateActivityTestOtherUser)
|
session := loginUser(t, privateActivityTestOtherUser)
|
||||||
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
||||||
|
|
||||||
assert.False(t, hasContent, "user should have no heatmap content")
|
assert.False(t, hasContent, "other user should not see heatmap content")
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPrivateActivityYesHeatmapHasNoContentForAdmin(t *testing.T) {
|
func TestPrivateActivityYesHeatmapHasNoContentForAdmin(t *testing.T) {
|
||||||
@ -410,5 +410,5 @@ func TestPrivateActivityYesHeatmapHasNoContentForAdmin(t *testing.T) {
|
|||||||
session := loginUser(t, privateActivityTestAdmin)
|
session := loginUser(t, privateActivityTestAdmin)
|
||||||
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
hasContent := testPrivateActivityHelperHasHeatmapContentFromSession(t, session)
|
||||||
|
|
||||||
assert.False(t, hasContent, "user should have no heatmap content")
|
assert.True(t, hasContent, "heatmap should show content for admin")
|
||||||
}
|
}
|
||||||
|
@ -298,46 +298,13 @@ type GetFeedsOptions struct {
|
|||||||
|
|
||||||
// GetFeeds returns actions according to the provided options
|
// GetFeeds returns actions according to the provided options
|
||||||
func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
|
func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
|
||||||
cond := builder.NewCond()
|
if !activityReadable(opts.RequestedUser, opts.Actor) {
|
||||||
|
return make([]*Action, 0), nil
|
||||||
var repoIDs []int64
|
|
||||||
var actorID int64
|
|
||||||
|
|
||||||
if opts.Actor != nil {
|
|
||||||
actorID = opts.Actor.ID
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if opts.RequestedUser.IsOrganization() {
|
cond, err := activityQueryCondition(opts)
|
||||||
env, err := opts.RequestedUser.AccessibleReposEnv(actorID)
|
if err != nil {
|
||||||
if err != nil {
|
return nil, err
|
||||||
return nil, fmt.Errorf("AccessibleReposEnv: %v", err)
|
|
||||||
}
|
|
||||||
if repoIDs, err = env.RepoIDs(1, opts.RequestedUser.NumRepos); err != nil {
|
|
||||||
return nil, fmt.Errorf("GetUserRepositories: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
cond = cond.And(builder.In("repo_id", repoIDs))
|
|
||||||
} else {
|
|
||||||
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
|
|
||||||
}
|
|
||||||
|
|
||||||
if opts.Actor == nil || !opts.Actor.IsAdmin {
|
|
||||||
if opts.RequestedUser.KeepActivityPrivate && actorID != opts.RequestedUser.ID {
|
|
||||||
return make([]*Action, 0), nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
|
|
||||||
|
|
||||||
if opts.OnlyPerformedBy {
|
|
||||||
cond = cond.And(builder.Eq{"act_user_id": opts.RequestedUser.ID})
|
|
||||||
}
|
|
||||||
if !opts.IncludePrivate {
|
|
||||||
cond = cond.And(builder.Eq{"is_private": false})
|
|
||||||
}
|
|
||||||
|
|
||||||
if !opts.IncludeDeleted {
|
|
||||||
cond = cond.And(builder.Eq{"is_deleted": false})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
actions := make([]*Action, 0, setting.UI.FeedPagingNum)
|
actions := make([]*Action, 0, setting.UI.FeedPagingNum)
|
||||||
@ -352,3 +319,56 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {
|
|||||||
|
|
||||||
return actions, nil
|
return actions, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func activityReadable(user *User, doer *User) bool {
|
||||||
|
var doerID int64
|
||||||
|
if doer != nil {
|
||||||
|
doerID = doer.ID
|
||||||
|
}
|
||||||
|
if doer == nil || !doer.IsAdmin {
|
||||||
|
if user.KeepActivityPrivate && doerID != user.ID {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func activityQueryCondition(opts GetFeedsOptions) (builder.Cond, error) {
|
||||||
|
cond := builder.NewCond()
|
||||||
|
|
||||||
|
var repoIDs []int64
|
||||||
|
var actorID int64
|
||||||
|
if opts.Actor != nil {
|
||||||
|
actorID = opts.Actor.ID
|
||||||
|
}
|
||||||
|
|
||||||
|
// check readable repositories by doer/actor
|
||||||
|
if opts.Actor == nil || !opts.Actor.IsAdmin {
|
||||||
|
if opts.RequestedUser.IsOrganization() {
|
||||||
|
env, err := opts.RequestedUser.AccessibleReposEnv(actorID)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("AccessibleReposEnv: %v", err)
|
||||||
|
}
|
||||||
|
if repoIDs, err = env.RepoIDs(1, opts.RequestedUser.NumRepos); err != nil {
|
||||||
|
return nil, fmt.Errorf("GetUserRepositories: %v", err)
|
||||||
|
}
|
||||||
|
cond = cond.And(builder.In("repo_id", repoIDs))
|
||||||
|
} else {
|
||||||
|
cond = cond.And(builder.In("repo_id", AccessibleRepoIDsQuery(opts.Actor)))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
cond = cond.And(builder.Eq{"user_id": opts.RequestedUser.ID})
|
||||||
|
|
||||||
|
if opts.OnlyPerformedBy {
|
||||||
|
cond = cond.And(builder.Eq{"act_user_id": opts.RequestedUser.ID})
|
||||||
|
}
|
||||||
|
if !opts.IncludePrivate {
|
||||||
|
cond = cond.And(builder.Eq{"is_private": false})
|
||||||
|
}
|
||||||
|
if !opts.IncludeDeleted {
|
||||||
|
cond = cond.And(builder.Eq{"is_deleted": false})
|
||||||
|
}
|
||||||
|
|
||||||
|
return cond, nil
|
||||||
|
}
|
||||||
|
@ -23,3 +23,12 @@
|
|||||||
act_user_id: 11
|
act_user_id: 11
|
||||||
repo_id: 9
|
repo_id: 9
|
||||||
is_private: false
|
is_private: false
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 4
|
||||||
|
user_id: 16
|
||||||
|
op_type: 12 # close issue
|
||||||
|
act_user_id: 16
|
||||||
|
repo_id: 22
|
||||||
|
is_private: true
|
||||||
|
created_unix: 1603267920
|
||||||
|
@ -16,10 +16,10 @@ type UserHeatmapData struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// GetUserHeatmapDataByUser returns an array of UserHeatmapData
|
// GetUserHeatmapDataByUser returns an array of UserHeatmapData
|
||||||
func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
|
func GetUserHeatmapDataByUser(user *User, doer *User) ([]*UserHeatmapData, error) {
|
||||||
hdata := make([]*UserHeatmapData, 0)
|
hdata := make([]*UserHeatmapData, 0)
|
||||||
|
|
||||||
if user.KeepActivityPrivate {
|
if !activityReadable(user, doer) {
|
||||||
return hdata, nil
|
return hdata, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -37,22 +37,26 @@ func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
|
|||||||
groupByName = groupBy
|
groupByName = groupBy
|
||||||
}
|
}
|
||||||
|
|
||||||
sess := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
|
cond, err := activityQueryCondition(GetFeedsOptions{
|
||||||
Table("action").
|
RequestedUser: user,
|
||||||
Where("user_id = ?", user.ID).
|
Actor: doer,
|
||||||
And("created_unix > ?", (timeutil.TimeStampNow() - 31536000))
|
IncludePrivate: true, // don't filter by private, as we already filter by repo access
|
||||||
|
IncludeDeleted: true,
|
||||||
// * Heatmaps for individual users only include actions that the user themself
|
// * Heatmaps for individual users only include actions that the user themself did.
|
||||||
// did.
|
// * For organizations actions by all users that were made in owned
|
||||||
// * For organizations actions by all users that were made in owned
|
// repositories are counted.
|
||||||
// repositories are counted.
|
OnlyPerformedBy: !user.IsOrganization(),
|
||||||
if user.Type == UserTypeIndividual {
|
})
|
||||||
sess = sess.And("act_user_id = ?", user.ID)
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := sess.GroupBy(groupByName).
|
return hdata, x.
|
||||||
|
Select(groupBy+" AS timestamp, count(user_id) as contributions").
|
||||||
|
Table("action").
|
||||||
|
Where(cond).
|
||||||
|
And("created_unix > ?", (timeutil.TimeStampNow() - 31536000)).
|
||||||
|
GroupBy(groupByName).
|
||||||
OrderBy("timestamp").
|
OrderBy("timestamp").
|
||||||
Find(&hdata)
|
Find(&hdata)
|
||||||
|
|
||||||
return hdata, err
|
|
||||||
}
|
}
|
||||||
|
@ -6,6 +6,7 @@ package models
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
@ -14,35 +15,45 @@ import (
|
|||||||
func TestGetUserHeatmapDataByUser(t *testing.T) {
|
func TestGetUserHeatmapDataByUser(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
userID int64
|
userID int64
|
||||||
|
doerID int64
|
||||||
CountResult int
|
CountResult int
|
||||||
JSONResult string
|
JSONResult string
|
||||||
}{
|
}{
|
||||||
{2, 1, `[{"timestamp":1603152000,"contributions":1}]`},
|
{2, 2, 1, `[{"timestamp":1603152000,"contributions":1}]`}, // self looks at action in private repo
|
||||||
{3, 0, `[]`},
|
{2, 1, 1, `[{"timestamp":1603152000,"contributions":1}]`}, // admin looks at action in private repo
|
||||||
|
{2, 3, 0, `[]`}, // other user looks at action in private repo
|
||||||
|
{2, 0, 0, `[]`}, // nobody looks at action in private repo
|
||||||
|
{16, 15, 1, `[{"timestamp":1603238400,"contributions":1}]`}, // collaborator looks at action in private repo
|
||||||
|
{3, 3, 0, `[]`}, // no action action not performed by target user
|
||||||
}
|
}
|
||||||
// Prepare
|
// Prepare
|
||||||
assert.NoError(t, PrepareTestDatabase())
|
assert.NoError(t, PrepareTestDatabase())
|
||||||
|
|
||||||
for _, tc := range testCases {
|
for i, tc := range testCases {
|
||||||
|
|
||||||
// Insert some action
|
|
||||||
user := AssertExistsAndLoadBean(t, &User{ID: tc.userID}).(*User)
|
user := AssertExistsAndLoadBean(t, &User{ID: tc.userID}).(*User)
|
||||||
|
|
||||||
|
doer := &User{ID: tc.doerID}
|
||||||
|
_, err := loadBeanIfExists(doer)
|
||||||
|
assert.NoError(t, err)
|
||||||
|
if tc.doerID == 0 {
|
||||||
|
doer = nil
|
||||||
|
}
|
||||||
|
|
||||||
// get the action for comparison
|
// get the action for comparison
|
||||||
actions, err := GetFeeds(GetFeedsOptions{
|
actions, err := GetFeeds(GetFeedsOptions{
|
||||||
RequestedUser: user,
|
RequestedUser: user,
|
||||||
Actor: user,
|
Actor: doer,
|
||||||
IncludePrivate: true,
|
IncludePrivate: true,
|
||||||
OnlyPerformedBy: false,
|
OnlyPerformedBy: true,
|
||||||
IncludeDeleted: true,
|
IncludeDeleted: true,
|
||||||
})
|
})
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
|
|
||||||
// Get the heatmap and compare
|
// Get the heatmap and compare
|
||||||
heatmap, err := GetUserHeatmapDataByUser(user)
|
heatmap, err := GetUserHeatmapDataByUser(user, doer)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
assert.Equal(t, len(actions), len(heatmap), "invalid action count: did the test data became too old?")
|
assert.Equal(t, len(actions), len(heatmap), "invalid action count: did the test data became too old?")
|
||||||
assert.Equal(t, tc.CountResult, len(heatmap))
|
assert.Equal(t, tc.CountResult, len(heatmap), fmt.Sprintf("testcase %d", i))
|
||||||
|
|
||||||
//Test JSON rendering
|
//Test JSON rendering
|
||||||
jsonData, err := json.Marshal(heatmap)
|
jsonData, err := json.Marshal(heatmap)
|
||||||
|
@ -166,7 +166,7 @@ func GetUserHeatmapData(ctx *context.APIContext) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
heatmap, err := models.GetUserHeatmapDataByUser(user)
|
heatmap, err := models.GetUserHeatmapDataByUser(user, ctx.User)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.Error(http.StatusInternalServerError, "GetUserHeatmapDataByUser", err)
|
ctx.Error(http.StatusInternalServerError, "GetUserHeatmapDataByUser", err)
|
||||||
return
|
return
|
||||||
|
@ -115,7 +115,7 @@ func Dashboard(ctx *context.Context) {
|
|||||||
// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
|
// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
|
||||||
// so everyone would get the same empty heatmap
|
// so everyone would get the same empty heatmap
|
||||||
if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
|
if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
|
||||||
data, err := models.GetUserHeatmapDataByUser(ctxUser)
|
data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.ServerError("GetUserHeatmapDataByUser", err)
|
ctx.ServerError("GetUserHeatmapDataByUser", err)
|
||||||
return
|
return
|
||||||
|
@ -98,7 +98,7 @@ func Profile(ctx *context.Context) {
|
|||||||
// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
|
// no heatmap access for admins; GetUserHeatmapDataByUser ignores the calling user
|
||||||
// so everyone would get the same empty heatmap
|
// so everyone would get the same empty heatmap
|
||||||
if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
|
if setting.Service.EnableUserHeatmap && !ctxUser.KeepActivityPrivate {
|
||||||
data, err := models.GetUserHeatmapDataByUser(ctxUser)
|
data, err := models.GetUserHeatmapDataByUser(ctxUser, ctx.User)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.ServerError("GetUserHeatmapDataByUser", err)
|
ctx.ServerError("GetUserHeatmapDataByUser", err)
|
||||||
return
|
return
|
||||||
|
Loading…
Reference in New Issue
Block a user