diff --git a/model/repositories.py b/model/repositories.py
index ceef0cc..2d89f4d 100644
--- a/model/repositories.py
+++ b/model/repositories.py
@@ -59,8 +59,15 @@ class Repository(ModelItemBase):
 def gen_internalurl(self):
 return self.repotype.gen_internalurl( self.gen_subpath() )
- def can_write(self):
- return self.can_update() or self.rights.isallowed(self.table(), self.id, self.manager.REPOWRITE)
+ def can_write(self, user_id):
+ if user_id:
+ if self.user_id == self.rights.user_id:
+ return True
+ if self.rights.get_superuser(user_id)
+ return True
+ if self.rights.get(user_id, self.table(), self.id, self.manager.REPOWRITE)
+ return True
+ return False
 def can_update(self):
 return self.user_id == self.rights.user_id or self.rights.issuperuser()
@@ -94,6 +101,8 @@ class Repository(ModelItemBase):
 if self.can_update():
 if not mode in (self.manager.READ, self.manager.REPOWRITE):
 raise exception.ModelWrongData(self.t('Wrong mode'))
+ if not user_id and mode == self.manager.REPOWRITE:
+ raise exception.ModelWrongData(self.t('Cannot grant write access for all users'))
 self.rights.set(user_id, self.table(), self.id, mode, allowed)
 else:
 raise exception.ModelDeny()
diff --git a/repoproxy.py b/repoproxy.py
index 4a127a1..cff8fe8 100644
--- a/repoproxy.py
+++ b/repoproxy.py
@@ -158,14 +158,14 @@ class RepoProxy:
 if not owner:
 return self.forbidden()
- repo = request.model.repositories.get_by_name( owner.id, reponame, owner )
+ repo = request.model.repositories.get_by_name( owner, reponame )
 if not repo:
 return self.forbidden()
 writeaccess = repo.repotype.iswriteaccess(request, nextpath)
 if writeaccess:
- if not repo.can_write():
+ if not repo.can_write(user.id if user else 0):
 return self.unauthorized()
 url = repo.gen_internalurl()
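Review bot: Two of the added `if` lines in `can_write` have no trailing colon (`if self.rights.get_superuser(user_id)` and `if self.rights.get(user_id, ...)`), so model/repositories.py raises SyntaxError on import and no repository request can be served. The owner test also still compares `self.user_id` with `self.rights.user_id` instead of the `user_id` argument, so the result depends on which user the rights object is bound to; if that is ever the repository owner rather than the caller, any non-zero `user_id` gets write access. I would write the three tests as `if self.user_id == user_id:`, `if self.rights.get_superuser(user_id):` and `if self.rights.get(user_id, self.table(), self.id, self.manager.REPOWRITE):`. `can_update()` just below keeps the session-bound checks, which deserves a comment if the difference is intended.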
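Review bot: The new all-users guard ignores `allowed`, so it rejects a call that revokes an existing all-users REPOWRITE entry as well as one that grants it. If rows like that exist from before this change (not visible here), they can no longer be removed through this method, and whether `can_write` still honours them depends on how `rights.get` treats all-users entries. Assuming a false `allowed` means revoke, I would narrow the test to `if not user_id and mode == self.manager.REPOWRITE and allowed:`. The enclosing method's signature is outside the hunk, so the meaning of `allowed` should be confirmed there.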
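Review bot: The anonymous case is passed to `can_write` as `0`, the same falsy value that model/repositories.py treats as "all users" in its rights entries, so denial of unauthenticated writes rests entirely on the `if user_id:` guard inside `can_write`. Making the decision at the call site keeps the proxy fail-closed even if that guard is later changed: `if not user or not repo.can_write(user.id):`. `user` is assigned outside this hunk, so I am assuming it is `None` or otherwise falsy when no credentials were presented.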