From 5eafe2b17eb9a1cf1068e7a3ed7a57a2730f04b0 Mon Sep 17 00:00:00 2001 From: Florian Kaiser Date: Sun, 31 Jan 2016 10:46:04 +0000 Subject: [PATCH] Only show repositories the user has access to, on the organization home --- models/org.go | 37 +++++++++++++++++++++++++++++++++++++ routers/user/home.go | 11 +++++------ 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/models/org.go b/models/org.go index b8836c349f..c9d8f11964 100644 --- a/models/org.go +++ b/models/org.go @@ -9,6 +9,7 @@ import ( "fmt" "os" "strings" + "strconv" "github.com/go-xorm/xorm" ) @@ -1028,3 +1029,39 @@ func removeOrgRepo(e Engine, orgID, repoID int64) error { func RemoveOrgRepo(orgID, repoID int64) error { return removeOrgRepo(x, orgID, repoID) } + +func (org *User) getUserRepositories(userID int64) (err error) { + teams := make([]*Team, 0, 10) + if err := x.Cols("`team`.id"). + Where("`team_user`.org_id=?", org.Id). + And("`team_user`.uid=?", userID). + Join("INNER", "`team_user`", "`team_user`.team_id=`team`.id"). + Find(&teams); err != nil { + return fmt.Errorf("get team: %v", err) + } + + var teamIDs []string + for _, team := range teams { + s := strconv.FormatInt(team.ID, 32) + teamIDs = append(teamIDs, s) + } + + // The "in" clause it not vulnerable to SQL injection because we + // convert it from int64 a few lines above. Sadly, xorm does not support + // "in" clauses as a function, so we have to build our own (for now). + if err := x.Cols("`repository`.*"). + Where("`team_repo`.team_id in (" + strings.Join(teamIDs, ",") + ")"). + Join("INNER", "`team_repo`", "`team_repo`.repo_id=`repository`.id"). + GroupBy("`repository`.id"). + Find(&org.Repos); err != nil { + return fmt.Errorf("get repositories: %v", err) + } + + return +} + +// GetUserRepositories gets all repositories of an organization, +// that the user with the given userID has access to. +func (org *User) GetUserRepositories(userID int64) (err error) { + return org.getUserRepositories(userID) +} diff --git a/routers/user/home.go b/routers/user/home.go index b5df5e3679..b198e801d2 100644 --- a/routers/user/home.go +++ b/routers/user/home.go @@ -314,20 +314,19 @@ func showOrgProfile(ctx *middleware.Context) { org := ctx.Org.Organization ctx.Data["Title"] = org.FullName - repos, err := models.GetRepositories(org.Id, ctx.IsSigned && (ctx.User.IsAdmin || org.IsOrgMember(ctx.User.Id))) - if err != nil { - ctx.Handle(500, "GetRepositories", err) + if err := org.GetUserRepositories(ctx.User.Id); err != nil { + ctx.Handle(500, "GetUserRepositories", err) return } - ctx.Data["Repos"] = repos + ctx.Data["Repos"] = org.Repos - if err = org.GetMembers(); err != nil { + if err := org.GetMembers(); err != nil { ctx.Handle(500, "GetMembers", err) return } ctx.Data["Members"] = org.Members - if err = org.GetTeams(); err != nil { + if err := org.GetTeams(); err != nil { ctx.Handle(500, "GetTeams", err) return }