Hide 'New Project board' button for users that are not signed in (#12547)

wULLSnpAXbWZGYDYyhWTKKspEQoaYxXyhoisqHf · zeripath · techknowlogick · web-flow · commit d4e35b9dc617 · 2020-08-22T02:58:59.000-04:00
* hide: 'New Project board' button

* there is no reason to show the button for users that are not signed in

* update template: specifies the condition together with another one

as per lafriks' suggestion in the comment

* chore: add proper user authorization check

* chore: also hide button if repo is archived

* chore: show project board edit/delete menu to authorized users only

* chore: drop the redundant IsSigned check

* CanWriteIssues and CanWritePulls implies (and requires) signed in user

* Add CanWriteProjects and properly assert permissions

Signed-off-by: Andrew Thornton &lt;art27@cantab.net&gt;

Co-authored-by: Andrew Thornton &lt;art27@cantab.net&gt;
Co-authored-by: techknowlogick &lt;techknowlogick@gitea.io&gt;
diff --git a/routers/repo/projects.go b/routers/repo/projects.go
@@ -95,6 +95,7 @@ func Projects(ctx *context.Context) {
 	pager.AddParam(ctx, "state", "State")
 	ctx.Data["Page"] = pager
 
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.Data["IsShowClosed"] = isShowClosed
 	ctx.Data["IsProjectsPage"] = true
 	ctx.Data["SortType"] = sortType
@@ -106,16 +107,17 @@ func Projects(ctx *context.Context) {
 func NewProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 	ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
-
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.HTML(200, tplProjectsNew)
 }
 
-// NewRepoProjectPost creates a new project
-func NewRepoProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
-
+// NewProjectPost creates a new project
+func NewProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 
 	if ctx.HasError() {
+		ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
+		ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
 		ctx.HTML(200, tplProjectsNew)
 		return
 	}
@@ -192,6 +194,7 @@ func EditProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
 	ctx.Data["PageIsProjects"] = true
 	ctx.Data["PageIsEditProjects"] = true
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 
 	p, err := models.GetProjectByID(ctx.ParamsInt64(":id"))
 	if err != nil {
@@ -218,9 +221,10 @@ func EditProjectPost(ctx *context.Context, form auth.CreateProjectForm) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.edit")
 	ctx.Data["PageIsProjects"] = true
 	ctx.Data["PageIsEditProjects"] = true
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 
 	if ctx.HasError() {
-		ctx.HTML(200, tplMilestoneNew)
+		ctx.HTML(200, tplProjectsNew)
 		return
 	}
 
@@ -287,6 +291,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}
 
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 	ctx.Data["Project"] = project
 	ctx.Data["Boards"] = allBoards
 	ctx.Data["PageIsProjects"] = true
@@ -551,6 +556,7 @@ func MoveIssueAcrossBoards(ctx *context.Context) {
 func CreateProject(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.projects.new")
 	ctx.Data["ProjectTypes"] = models.GetProjectsConfig()
+	ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 
 	ctx.HTML(200, tplGenericProjectsNew)
 }
@@ -566,6 +572,7 @@ func CreateProjectPost(ctx *context.Context, form auth.UserCreateProjectForm) {
 	ctx.Data["ContextUser"] = user
 
 	if ctx.HasError() {
+		ctx.Data["CanWriteProjects"] = ctx.Repo.Permission.CanWrite(models.UnitTypeProjects)
 		ctx.HTML(200, tplGenericProjectsNew)
 		return
 	}
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
@@ -535,6 +535,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 	reqRepoIssuesOrPullsWriter := context.RequireRepoWriterOr(models.UnitTypeIssues, models.UnitTypePullRequests)
 	reqRepoIssuesOrPullsReader := context.RequireRepoReaderOr(models.UnitTypeIssues, models.UnitTypePullRequests)
 	reqRepoProjectsReader := context.RequireRepoReader(models.UnitTypeProjects)
+	reqRepoProjectsWriter := context.RequireRepoWriter(models.UnitTypeProjects)
 
 	// ***** START: Organization *****
 	m.Group("/org", func() {
@@ -858,24 +859,26 @@ func RegisterRoutes(m *macaron.Macaron) {
 
 		m.Group("/projects", func() {
 			m.Get("", repo.Projects)
-			m.Get("/new", repo.NewProject)
-			m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewRepoProjectPost)
-			m.Group("/:id", func() {
-				m.Get("", repo.ViewProject)
-				m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost)
-				m.Post("/delete", repo.DeleteProject)
-
-				m.Get("/edit", repo.EditProject)
-				m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost)
-				m.Post("/^:action(open|close)$", repo.ChangeProjectStatus)
-
-				m.Group("/:boardID", func() {
-					m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle)
-					m.Delete("", repo.DeleteProjectBoard)
-
-					m.Post("/:index", repo.MoveIssueAcrossBoards)
+			m.Get("/:id", repo.ViewProject)
+			m.Group("", func() {
+				m.Get("/new", repo.NewProject)
+				m.Post("/new", bindIgnErr(auth.CreateProjectForm{}), repo.NewProjectPost)
+				m.Group("/:id", func() {
+					m.Post("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.AddBoardToProjectPost)
+					m.Post("/delete", repo.DeleteProject)
+
+					m.Get("/edit", repo.EditProject)
+					m.Post("/edit", bindIgnErr(auth.CreateProjectForm{}), repo.EditProjectPost)
+					m.Post("/^:action(open|close)$", repo.ChangeProjectStatus)
+
+					m.Group("/:boardID", func() {
+						m.Put("", bindIgnErr(auth.EditProjectBoardTitleForm{}), repo.EditProjectBoardTitle)
+						m.Delete("", repo.DeleteProjectBoard)
+
+						m.Post("/:index", repo.MoveIssueAcrossBoards)
+					})
 				})
-			})
+			}, reqRepoProjectsWriter, context.RepoMustNotBeArchived())
 		}, reqRepoProjectsReader, repo.MustEnableProjects)
 
 		m.Group("/wiki", func() {
diff --git a/templates/repo/projects/list.tmpl b/templates/repo/projects/list.tmpl
@@ -4,10 +4,10 @@
 	<div class="ui container">
 		<div class="navbar">
 			{{template "repo/issue/navbar" .}}
-			{{if and (or .CanWriteIssues .CanWritePulls) (not .Repository.IsArchived)}}
-			<div class="ui right">
-				<a class="ui green button" href="{{$.Link}}/new">{{.i18n.Tr "repo.projects.new"}}</a>
-			</div>
+			{{if and .CanWriteProjects (not .Repository.IsArchived)}}
+				<div class="ui right">
+					<a class="ui green button" href="{{$.Link}}/new">{{.i18n.Tr "repo.projects.new"}}</a>
+				</div>
 			{{end}}
 		</div>
 		<div class="ui divider"></div>
@@ -39,35 +39,35 @@
 		</div>
 		<div class="milestone list">
 			{{range .Projects}}
-			<li class="item">
-				{{svg "octicon-project" 16}} <a href="{{$.RepoLink}}/projects/{{.ID}}">{{.Title}}</a>
-				<div class="meta">
-					{{ $closedDate:= TimeSinceUnix .ClosedDateUnix $.Lang }}
-					{{if .IsClosed }}
-						{{svg "octicon-clock" 16}} {{$.i18n.Tr "repo.milestones.closed" $closedDate|Str2html}}
+				<li class="item">
+					{{svg "octicon-project" 16}} <a href="{{$.RepoLink}}/projects/{{.ID}}">{{.Title}}</a>
+					<div class="meta">
+						{{ $closedDate:= TimeSinceUnix .ClosedDateUnix $.Lang }}
+						{{if .IsClosed }}
+							{{svg "octicon-clock" 16}} {{$.i18n.Tr "repo.milestones.closed" $closedDate|Str2html}}
+						{{end}}
+						<span class="issue-stats">
+							{{svg "octicon-issue-opened" 16}} {{$.i18n.Tr "repo.issues.open_tab" .NumOpenIssues}}
+							{{svg "octicon-issue-closed" 16}} {{$.i18n.Tr "repo.issues.close_tab" .NumClosedIssues}}
+						</span>
+					</div>
+					{{if and (or $.CanWriteIssues $.CanWritePulls) (not $.Repository.IsArchived)}}
+					<div class="ui right operate">
+						<a href="{{$.Link}}/{{.ID}}/edit" data-id={{.ID}} data-title={{.Title}}>{{svg "octicon-pencil" 16}} {{$.i18n.Tr "repo.issues.label_edit"}}</a>
+						{{if .IsClosed}}
+							<a class="link-action" href data-url="{{$.Link}}/{{.ID}}/open">{{svg "octicon-check" 16}} {{$.i18n.Tr "repo.projects.open"}}</a>
+						{{else}}
+							<a class="link-action" href data-url="{{$.Link}}/{{.ID}}/close">{{svg "octicon-x" 16}} {{$.i18n.Tr "repo.projects.close"}}</a>
+						{{end}}
+						<a class="delete-button" href="#" data-url="{{$.RepoLink}}/projects/{{.ID}}/delete" data-id="{{.ID}}">{{svg "octicon-trashcan" 16}} {{$.i18n.Tr "repo.issues.label_delete"}}</a>
+					</div>
 					{{end}}
-					<span class="issue-stats">
-						{{svg "octicon-issue-opened" 16}} {{$.i18n.Tr "repo.issues.open_tab" .NumOpenIssues}}
-						{{svg "octicon-issue-closed" 16}} {{$.i18n.Tr "repo.issues.close_tab" .NumClosedIssues}}
-					</span>
-				</div>
-				{{if and (or $.CanWriteIssues $.CanWritePulls) (not $.Repository.IsArchived)}}
-				<div class="ui right operate">
-					<a href="{{$.Link}}/{{.ID}}/edit" data-id={{.ID}} data-title={{.Title}}>{{svg "octicon-pencil" 16}} {{$.i18n.Tr "repo.issues.label_edit"}}</a>
-					{{if .IsClosed}}
-						<a class="link-action" href data-url="{{$.Link}}/{{.ID}}/open">{{svg "octicon-check" 16}} {{$.i18n.Tr "repo.projects.open"}}</a>
-					{{else}}
-						<a class="link-action" href data-url="{{$.Link}}/{{.ID}}/close">{{svg "octicon-x" 16}} {{$.i18n.Tr "repo.projects.close"}}</a>
+					{{if .Description}}
+					<div class="content">
+						{{.RenderedContent|Str2html}}
+					</div>
 					{{end}}
-					<a class="delete-button" href="#" data-url="{{$.RepoLink}}/projects/{{.ID}}/delete" data-id="{{.ID}}">{{svg "octicon-trashcan" 16}} {{$.i18n.Tr "repo.issues.label_delete"}}</a>
-				</div>
-				{{end}}
-				{{if .Description}}
-				<div class="content">
-					{{.RenderedContent|Str2html}}
-				</div>
-				{{end}}
-			</li>
+				</li>
 			{{end}}
 
 			{{template "base/paginate" .}}
diff --git a/templates/repo/projects/new.tmpl b/templates/repo/projects/new.tmpl
@@ -4,7 +4,7 @@
 	<div class="ui container">
 		<div class="navbar">
 			{{template "repo/issue/navbar" .}}
-			{{if and (or .CanWriteIssues .CanWritePulls) .PageIsEditProject}}
+			{{if and .CanWriteProjects .PageIsEditProject}}
 			<div class="ui right floated secondary menu">
 				<a class="ui green button" href="{{$.RepoLink}}/projects/new">{{.i18n.Tr "repo.milestones.new"}}</a>
 			</div>
diff --git a/templates/repo/projects/view.tmpl b/templates/repo/projects/view.tmpl
@@ -10,10 +10,9 @@
 				{{template "repo/issue/search" .}}
 			</div>
 			<div class="column right aligned">
-				{{if .PageIsProjects}}
-				<a class="ui green button show-modal item" data-modal="#new-board-item">{{.i18n.Tr "new_project_board"}}</a>
+				{{if and .CanWriteProjects (not .Repository.IsArchived) .PageIsProjects}}
+					<a class="ui green button show-modal item" data-modal="#new-board-item">{{.i18n.Tr "new_project_board"}}</a>
 				{{end}}
-
 				<div class="ui small modal" id="new-board-item">
 					<div class="header">
 						{{$.i18n.Tr "repo.projects.board.new"}}
@@ -45,65 +44,62 @@
 			<div class="ui segment board-column">
 				<div class="board-column-header">
 					<div class="ui large label board-label">{{.Title}}</div>
-
-					{{ if $.IsSigned }}
-					{{ if not (eq .ID 0) }}
-					<div class="ui dropdown jump item poping up right" data-variation="tiny inverted">
-						<span class="ui text">
-							<img class="ui tiny avatar image" width="24" height="24">
-							<span class="fitted not-mobile" tabindex="-1">{{svg "octicon-kebab-horizontal" 24}}</span>
-						</span>
-						<div class="menu user-menu" tabindex="-1">
-							<a class="item show-modal button" data-modal="#edit-project-board-modal-{{.ID}}">
-								{{svg "octicon-pencil" 16}}
-								{{$.i18n.Tr "repo.projects.board.edit"}}
-							</a>
-							<a class="item show-modal button" data-modal="#delete-board-modal-{{.ID}}">
-								{{svg "octicon-trashcan" 16}}
-								{{$.i18n.Tr "repo.projects.board.delete"}}
-							</a>
-
-							<div class="ui small modal edit-project-board" id="edit-project-board-modal-{{.ID}}">
-								<div class="header">
+					{{if and $.CanWriteProjects (not $.Repository.IsArchived) $.PageIsProjects (ne .ID 0)}}
+						<div class="ui dropdown jump item poping up right" data-variation="tiny inverted">
+							<span class="ui text">
+								<img class="ui tiny avatar image" width="24" height="24">
+								<span class="fitted not-mobile" tabindex="-1">{{svg "octicon-kebab-horizontal" 24}}</span>
+							</span>
+							<div class="menu user-menu" tabindex="-1">
+								<a class="item show-modal button" data-modal="#edit-project-board-modal-{{.ID}}">
+									{{svg "octicon-pencil" 16}}
 									{{$.i18n.Tr "repo.projects.board.edit"}}
+								</a>
+								<a class="item show-modal button" data-modal="#delete-board-modal-{{.ID}}">
+									{{svg "octicon-trashcan" 16}}
+									{{$.i18n.Tr "repo.projects.board.delete"}}
+								</a>
+
+								<div class="ui small modal edit-project-board" id="edit-project-board-modal-{{.ID}}">
+									<div class="header">
+										{{$.i18n.Tr "repo.projects.board.edit"}}
+									</div>
+									<div class="content">
+										<form class="ui form">
+											<div class="required field">
+												<label for="new_board_title">{{$.i18n.Tr "repo.projects.board.edit_title"}}</label>
+												<input class="project-board-title" id="new_board_title" name="title" value="{{.Title}}" required>
+											</div>
+
+											<div class="text right actions">
+												<div class="ui cancel button">{{$.i18n.Tr "settings.cancel"}}</div>
+												<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}" class="ui red button">{{$.i18n.Tr "repo.projects.board.edit"}}</button>
+											</div>
+										</form>
+									</div>
 								</div>
-								<div class="content">
-									<form class="ui form">
-										<div class="required field">
-											<label for="new_board_title">{{$.i18n.Tr "repo.projects.board.edit_title"}}</label>
-											<input class="project-board-title" id="new_board_title" name="title" value="{{.Title}}" required>
-										</div>
 
+								<div class="ui basic modal" id="delete-board-modal-{{.ID}}">
+									<div class="ui icon header">
+										{{$.i18n.Tr "repo.projects.board.delete"}}
+									</div>
+									<div class="content center">
+										<input type="hidden" name="action" value="delete">
+										<div class="field">
+											<label>
+												{{$.i18n.Tr "repo.projects.board.deletion_desc"}}
+											</label>
+										</div>
+									</div>
+									<form class="ui form" method="post">
 										<div class="text right actions">
 											<div class="ui cancel button">{{$.i18n.Tr "settings.cancel"}}</div>
-											<button data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}" class="ui red button">{{$.i18n.Tr "repo.projects.board.edit"}}</button>
+											<button class="ui red button delete-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}">{{$.i18n.Tr "repo.projects.board.delete"}}</button>
 										</div>
 									</form>
 								</div>
 							</div>
-
-							<div class="ui basic modal" id="delete-board-modal-{{.ID}}">
-								<div class="ui icon header">
-									{{$.i18n.Tr "repo.projects.board.delete"}}
-								</div>
-								<div class="content center">
-									<input type="hidden" name="action" value="delete">
-									<div class="field">
-										<label>
-											{{$.i18n.Tr "repo.projects.board.deletion_desc"}}
-										</label>
-									</div>
-								</div>
-								<form class="ui form" method="post">
-									<div class="text right actions">
-										<div class="ui cancel button">{{$.i18n.Tr "settings.cancel"}}</div>
-										<button class="ui red button delete-project-board" data-url="{{$.RepoLink}}/projects/{{$.Project.ID}}/{{.ID}}">{{$.i18n.Tr "repo.projects.board.delete"}}</button>
-									</div>
-								</form>
-							</div>
 						</div>
-					</div>
-					{{ end }}
 					{{ end }}
 				</div>
 				<div class="ui divider"></div>
