Restricting access to fork functioanlity to users with Code access (#2542)

Signed-off-by: Jonas Franz <[email protected]>

Author: jonasfranz

models/repo.go

@@ -648,7 +648,7 @@ func (repo *Repository) UpdateSize() error {
 
 // CanBeForked returns true if repository meets the requirements of being forked.
 func (repo *Repository) CanBeForked() bool {
-	return !repo.IsBare
+	return !repo.IsBare && repo.UnitEnabled(UnitTypeCode)
 }
 
 // CanEnablePulls returns true if repository meets the requirements of accepting pulls.

modules/context/repo.go

@@ -162,6 +162,75 @@ func RedirectToRepo(ctx *Context, redirectRepoID int64) {
 	ctx.Redirect(redirectPath)
 }
 
+// RepoIDAssignment returns an macaron handler which assigns the repo to the context.
+func RepoIDAssignment() macaron.Handler {
+	return func(ctx *Context) {
+		var (
+			err   error
+		)
+
+		repoID := ctx.ParamsInt64(":repoid")
+
+		// Get repository.
+		repo, err := models.GetRepositoryByID(repoID)
+		if err != nil {
+			if models.IsErrRepoNotExist(err) {
+				ctx.Handle(404, "GetRepositoryByID", nil)
+			} else {
+				ctx.Handle(500, "GetRepositoryByID", err)
+			}
+			return
+		}
+
+		if err = repo.GetOwner(); err != nil {
+			ctx.Handle(500, "GetOwner", err)
+			return
+		}
+
+		// Admin has super access.
+		if ctx.IsSigned && ctx.User.IsAdmin {
+			ctx.Repo.AccessMode = models.AccessModeOwner
+		} else {
+			var userID int64
+			if ctx.User != nil {
+				userID = ctx.User.ID
+			}
+			mode, err := models.AccessLevel(userID, repo)
+			if err != nil {
+				ctx.Handle(500, "AccessLevel", err)
+				return
+			}
+			ctx.Repo.AccessMode = mode
+		}
+
+		// Check access.
+		if ctx.Repo.AccessMode == models.AccessModeNone {
+			if ctx.Query("go-get") == "1" {
+				earlyResponseForGoGetMeta(ctx)
+				return
+			}
+			ctx.Handle(404, "no access right", err)
+			return
+		}
+		ctx.Data["HasAccess"] = true
+
+		if repo.IsMirror {
+			ctx.Repo.Mirror, err = models.GetMirrorByRepoID(repo.ID)
+			if err != nil {
+				ctx.Handle(500, "GetMirror", err)
+				return
+			}
+			ctx.Data["MirrorEnablePrune"] = ctx.Repo.Mirror.EnablePrune
+			ctx.Data["MirrorInterval"] = ctx.Repo.Mirror.Interval
+			ctx.Data["Mirror"] = ctx.Repo.Mirror
+		}
+
+		ctx.Repo.Repository = repo
+		ctx.Data["RepoName"] = ctx.Repo.Repository.Name
+		ctx.Data["IsBareRepo"] = ctx.Repo.Repository.IsBare
+	}
+}
+
 // RepoAssignment returns a macaron to handle repository assignment
 func RepoAssignment() macaron.Handler {
 	return func(ctx *Context) {

routers/routes/routes.go

@@ -416,8 +416,10 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Post("/create", bindIgnErr(auth.CreateRepoForm{}), repo.CreatePost)
 		m.Get("/migrate", repo.Migrate)
 		m.Post("/migrate", bindIgnErr(auth.MigrateRepoForm{}), repo.MigratePost)
-		m.Combo("/fork/:repoid").Get(repo.Fork).
-			Post(bindIgnErr(auth.CreateRepoForm{}), repo.ForkPost)
+		m.Group("/fork", func() {
+			m.Combo("/:repoid").Get(repo.Fork).
+				Post(bindIgnErr(auth.CreateRepoForm{}), repo.ForkPost)
+		}, context.RepoIDAssignment(), context.UnitTypes(), context.LoadRepoUnits(), context.CheckUnit(models.UnitTypeCode))
 	}, reqSignIn)
 
 	m.Group("/:username/:reponame", func() {