Hide 'New Project board' button for users that are not signed in (#12547)

* hide: 'New Project board' button

* there is no reason to show the button for users that are not signed in

* update template: specifies the condition together with another one

as per lafriks' suggestion in the comment

* chore: add proper user authorization check

* chore: also hide button if repo is archived

* chore: show project board edit/delete menu to authorized users only

* chore: drop the redundant IsSigned check

* CanWriteIssues and CanWritePulls implies (and requires) signed in user

* Add CanWriteProjects and properly assert permissions

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf 2020-08-22 08:58:59 +02:00 committed by GitHub
parent a0484890c1
commit d4e35b9dc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 110 additions and 104 deletions


@ -95,6 +95,7 @@ func Projects(ctx *context.Context) {
pager.AddParam(ctx, "state", "State") pager.AddParam(ctx, "state", "State")
ctx.Data["Page"] = pager ctx.Data["Page"] = pager
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.Data["IsShowClosed"] = isShowClosed ctx.Data["IsShowClosed"] = isShowClosed
ctx.Data["IsProjectsPage"] = true ctx.Data["IsProjectsPage"] = true
ctx.Data["SortType"] = sortType ctx.Data["SortType"] = sortType
@ -106,16 +107,17 @@ func Projects(ctx *context.Context) {
func NewProject(ctx *context.Context) { func NewProject(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.projects.new") ctx.Data["Title"] = ctx.Tr("repo.projects.new")
ctx.Data["ProjectTypes"] = models.GetProjectsConfig() ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.HTML(200, tplProjectsNew) ctx.HTML(200, tplProjectsNew)
} }
// NewRepoProjectPost creates a new project // NewProjectPost creates a new project
func NewRepoProjectPost(ctx *context.Context, form auth.CreateProjectForm) { func NewProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
ctx.Data["Title"] = ctx.Tr("repo.projects.new") ctx.Data["Title"] = ctx.Tr("repo.projects.new")
if ctx.HasError() { if ctx.HasError() {
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
ctx.HTML(200, tplProjectsNew) ctx.HTML(200, tplProjectsNew)
return return
} }
@ -192,6 +194,7 @@ func EditProject(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.projects.edit") ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
ctx.Data["PageIsProjects"] = true ctx.Data["PageIsProjects"] = true
ctx.Data["PageIsEditProjects"] = true ctx.Data["PageIsEditProjects"] = true
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
p, err := models.GetProjectByID(ctx.ParamsInt64(":id")) p, err := models.GetProjectByID(ctx.ParamsInt64(":id"))
if err != nil { if err != nil {
@ -218,9 +221,10 @@ func EditProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
ctx.Data["Title"] = ctx.Tr("repo.projects.edit") ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
ctx.Data["PageIsProjects"] = true ctx.Data["PageIsProjects"] = true
ctx.Data["PageIsEditProjects"] = true ctx.Data["PageIsEditProjects"] = true
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
if ctx.HasError() { if ctx.HasError() {
ctx.HTML(200, tplMilestoneNew) ctx.HTML(200, tplProjectsNew)
return return
} }
@ -287,6 +291,7 @@ func ViewProject(ctx *context.Context) {
return return
} }
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.Data["Project"] = project ctx.Data["Project"] = project
ctx.Data["Boards"] = allBoards ctx.Data["Boards"] = allBoards
ctx.Data["PageIsProjects"] = true ctx.Data["PageIsProjects"] = true
@ -551,6 +556,7 @@ func MoveIssueAcrossBoards(ctx *context.Context) {
func CreateProject(ctx *context.Context) { func CreateProject(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("repo.projects.new") ctx.Data["Title"] = ctx.Tr("repo.projects.new")
ctx.Data["ProjectTypes"] = models.GetProjectsConfig() ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.HTML(200, tplGenericProjectsNew) ctx.HTML(200, tplGenericProjectsNew)
} }
@ -566,6 +572,7 @@ func CreateProjectPost(ctx *context.Context, form auth.UserCreateProjectForm) {
ctx.Data["ContextUser"] = user ctx.Data["ContextUser"] = user
if ctx.HasError() { if ctx.HasError() {
ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
ctx.HTML(200, tplGenericProjectsNew) ctx.HTML(200, tplGenericProjectsNew)
return return
} }
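Review bot: In `CreateProject` and `CreateProjectPost`, which render `tplGenericProjectsNew` and set `ContextUser`, the new `ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)` reads repository permissions in what look like non-repository handlers. If no repository is loaded on those routes the flag is presumably always false, so it is worth confirming what those pages are meant to show. The same assignment now appears in eight places, and a handler added later that forgets it will silently render as read-only; a small helper or one assignment in shared middleware would remove that risk. Because the value only controls what the templates display, a comment such as `// CanWriteProjects is a display hint only; write access is enforced by the route middleware` would keep it from being mistaken for the authorization check. Several of these functions start or end outside the hunks shown.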


@ -535,6 +535,7 @@ func RegisterRoutes(m *macaron.Macaron) {
reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests)
reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests) reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests)
reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects) reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects)
reqRepoProjectsWriter := context.RequireRepoWriter(models.UnitTypeProjects)
// ***** START: Organization ***** // ***** START: Organization *****
m.Group("/org", func() { m.Group("/org", func() {
@ -858,10 +859,11 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Group("/projects", func() { m.Group("/projects", func() {
m.Get("", repo.Projects) m.Get("", repo.Projects)
m.Get("/:id", repo.ViewProject)
m.Group("", func() {
m.Get("/new", repo.NewProject) m.Get("/new", repo.NewProject)
m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewRepoProjectPost) m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewProjectPost)
m.Group("/:id", func() { m.Group("/:id", func() {
m.Get("", repo.ViewProject)
m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost) m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost)
m.Post("/delete", repo.DeleteProject) m.Post("/delete", repo.DeleteProject)
@ -876,6 +878,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Post("/:index", repo.MoveIssueAcrossBoards) m.Post("/:index", repo.MoveIssueAcrossBoards)
}) })
}) })
}, reqRepoProjectsWriter, context.RepoMustNotBeArchived())
}, reqRepoProjectsReader, repo.MustEnableProjects) }, reqRepoProjectsReader, repo.MustEnableProjects)
m.Group("/wiki", func() { m.Group("/wiki", func() {
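Review bot: The inner `m.Group("", …)` closed with `reqRepoProjectsWriter, context.RepoMustNotBeArchived()` is now the only server-side enforcement for creating, editing, deleting and moving project items, yet nothing marks it as such and none of the five file sections on this page is a test. A comment above the group, e.g. `// Routes below mutate project state: require write access to the projects unit and a non-archived repository.`, would make it less likely that a later route is registered outside it. An integration test asserting that a signed-out user and a read-only user are rejected on `/projects/new` and on the POST routes under `/:id` would pin the behaviour this commit introduces. RegisterRoutes starts and ends outside the hunks.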


@ -4,7 +4,7 @@
<div class="ui container"> <div class="ui container">
<div class="navbar"> <div class="navbar">
{{template "repo/issue/navbar" .}} {{template "repo/issue/navbar" .}}
{{if and (or .CanWriteIssues .CanWritePulls) (not .Repository.IsArchived)}} {{if and .CanWriteProjects (not .Repository.IsArchived)}}
<div class="ui right"> <div class="ui right">
<a class="ui green button" href="{{$.Link}}/new">{{.i18n.Tr "repo.projects.new"}}</a> <a class="ui green button" href="{{$.Link}}/new">{{.i18n.Tr "repo.projects.new"}}</a>
</div> </div>


@ -4,7 +4,7 @@
<div class="ui container"> <div class="ui container">
<div class="navbar"> <div class="navbar">
{{template "repo/issue/navbar" .}} {{template "repo/issue/navbar" .}}
{{if and (or .CanWriteIssues .CanWritePulls) .PageIsEditProject}} {{if and .CanWriteProjects .PageIsEditProject}}
<div class="ui right floated secondary menu"> <div class="ui right floated secondary menu">
<a class="ui green button" href="{{$.RepoLink}}/projects/new">{{.i18n.Tr "repo.milestones.new"}}</a> <a class="ui green button" href="{{$.RepoLink}}/projects/new">{{.i18n.Tr "repo.milestones.new"}}</a>
</div> </div>
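Review bot: The new condition `{{if and .CanWriteProjects .PageIsEditProject}}` tests `.PageIsEditProject`, while `EditProject` and `EditProjectPost` on this page set `ctx.Data["PageIsEditProjects"]` (plural), so unless some other handler sets the singular key this block never renders. If the menu is meant to appear on the edit page, the key should match: `{{if and .CanWriteProjects .PageIsEditProjects}}`. The button inside it is labelled with `repo.milestones.new` although it links to `/projects/new`, which looks like a leftover from the milestone template.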


@ -10,10 +10,9 @@
{{template "repo/issue/search" .}} {{template "repo/issue/search" .}}
</div> </div>
<div class="column right aligned"> <div class="column right aligned">
{{if .PageIsProjects}} {{if and .CanWriteProjects (not .Repository.IsArchived) .PageIsProjects}}
<a class="ui green button show-modal item" data-modal="#new-board-item">{{.i18n.Tr "new_project_board"}}</a> <a class="ui green button show-modal item" data-modal="#new-board-item">{{.i18n.Tr "new_project_board"}}</a>
{{end}} {{end}}
<div class="ui small modal" id="new-board-item"> <div class="ui small modal" id="new-board-item">
<div class="header"> <div class="header">
{{$.i18n.Tr "repo.projects.board.new"}} {{$.i18n.Tr "repo.projects.board.new"}}
@ -45,9 +44,7 @@
<div class="ui segment board-column"> <div class="ui segment board-column">
<div class="board-column-header"> <div class="board-column-header">
<div class="ui large label board-label">{{.Title}}</div> <div class="ui large label board-label">{{.Title}}</div>
{{if and $.CanWriteProjects (not $.Repository.IsArchived) $.PageIsProjects (ne .ID 0)}}
{{ if $.IsSigned }}
{{ if not (eq .ID 0) }}
<div class="ui dropdown jump item poping up right" data-variation="tiny inverted"> <div class="ui dropdown jump item poping up right" data-variation="tiny inverted">
<span class="ui text"> <span class="ui text">
<img class="ui tiny avatar image" width="24" height="24"> <img class="ui tiny avatar image" width="24" height="24">
@ -104,7 +101,6 @@
</div> </div>
</div> </div>
{{ end }} {{ end }}
{{ end }}
</div> </div>
<div class="ui divider"></div> <div class="ui divider"></div>
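Review bot: The `{{end}}` for the new `{{if and .CanWriteProjects (not .Repository.IsArchived) .PageIsProjects}}` closes right after the button, so the `<div class="ui small modal" id="new-board-item">` that follows is still rendered for users who cannot write. The write routes are guarded by middleware, so this is not an access-control gap, but the modal markup is sent to users who can never use it. Moving the `{{end}}` to after the modal's closing `</div>` would keep the page consistent with the permission. The modal's end lies outside the hunk, so the exact position needs checking against the full template.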