forked from
tangled.org/core
Mirror of @tangled.org/core. Running on a Raspberry Pi Zero 2 (Please be gentle).
appview/pulls: show branch delete only if the logged-in-user can push to the repo
Signed-off-by: oppiliappan <me@oppi.li>
+12
-1
+11
appview/pulls/pulls.go
+11
appview/pulls/pulls.go
···
7
7
"fmt"
8
8
"log"
9
9
"net/http"
10
+
"slices"
10
11
"sort"
11
12
"strconv"
12
13
"strings"
···
25
24
"tangled.org/core/appview/xrpcclient"
26
25
"tangled.org/core/idresolver"
27
26
"tangled.org/core/patchutil"
27
+
"tangled.org/core/rbac"
28
28
"tangled.org/core/tid"
29
29
"tangled.org/core/types"
30
30
···
45
43
db *db.DB
46
44
config *config.Config
47
45
notifier notify.Notifier
46
+
enforcer *rbac.Enforcer
48
47
}
49
48
50
49
func New(
···
56
53
db *db.DB,
57
54
config *config.Config,
58
55
notifier notify.Notifier,
56
+
enforcer *rbac.Enforcer,
59
57
) *Pulls {
60
58
return &Pulls{
61
59
oauth: oauth,
···
66
62
db: db,
67
63
config: config,
68
64
notifier: notifier,
65
+
enforcer: enforcer,
69
66
}
70
67
}
71
68
···
331
326
branch = pull.PullSource.Branch
332
327
repo = pull.PullSource.Repo
333
328
} else {
329
+
return nil
330
+
}
331
+
332
+
// user can only delete branch if they are a collaborator in the repo that the branch belongs to
333
+
perms := s.enforcer.GetPermissionsInRepo(user.Did, repo.Knot, repo.DidSlashRepo())
334
+
if !slices.Contains(perms, "repo:push") {
334
335
return nil
335
336
}
336
337
+1
-1
appview/state/router.go
+1
-1
appview/state/router.go
···
258
258
}
259
259
260
260
func (s *State) PullsRouter(mw *middleware.Middleware) http.Handler {
261
-
pulls := pulls.New(s.oauth, s.repoResolver, s.pages, s.idResolver, s.db, s.config, s.notifier)
261
+
pulls := pulls.New(s.oauth, s.repoResolver, s.pages, s.idResolver, s.db, s.config, s.notifier, s.enforcer)
262
262
return pulls.Router(mw)
263
263
}
264
264