Refactoring of the Access Table

This commit does a lot of the work of refactoring the access table in a table with id's instead of strings.

The result does compile, but has not been tested. It may eat your kittens.

cmd/serve.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"strings"
 	"time"
@@ -67,19 +66,19 @@ func parseCmd(cmd string) (string, string) {
 }
 
 var (
-	COMMANDS_READONLY = map[string]models.AccessType{
+	COMMANDS_READONLY = map[string]models.AccessMode{
-		"git-upload-pack":    models.WRITABLE,
+		"git-upload-pack":    models.WriteAccess,
-		"git upload-pack":    models.WRITABLE,
+		"git upload-pack":    models.WriteAccess,
-		"git-upload-archive": models.WRITABLE,
+		"git-upload-archive": models.WriteAccess,
 	}
 
-	COMMANDS_WRITE = map[string]models.AccessType{
+	COMMANDS_WRITE = map[string]models.AccessMode{
-		"git-receive-pack": models.READABLE,
+		"git-receive-pack": models.ReadAccess,
-		"git receive-pack": models.READABLE,
+		"git receive-pack": models.ReadAccess,
 	}
 )
 
-func In(b string, sl map[string]models.AccessType) bool {
+func In(b string, sl map[string]models.AccessMode) bool {
 	_, e := sl[b]
 	return e
 }
@@ -144,9 +143,19 @@ func runServ(k *cli.Context) {
 	}
 
 	// Access check.
+	repo, err := models.GetRepositoryByName(repoUser.Id, repoName)
+	if err != nil {
+		if err == models.ErrRepoNotExist {
+			println("Gogs: given repository does not exist")
+			log.GitLogger.Fatal(2, "Repository does not exist: %s/%s", repoUser.Name, repoName)
+		}
+		println("Gogs: internal error:", err.Error())
+		log.GitLogger.Fatal(2, "Fail to get repository: %v", err)
+	}
+
 	switch {
 	case isWrite:
-		has, err := models.HasAccess(user.Name, path.Join(repoUserName, repoName), models.WRITABLE)
+		has, err := models.HasAccess(user, repo, models.WriteAccess)
 		if err != nil {
 			println("Gogs: internal error:", err.Error())
 			log.GitLogger.Fatal(2, "Fail to check write access:", err)
@@ -155,21 +164,11 @@ func runServ(k *cli.Context) {
 			log.GitLogger.Fatal(2, "User %s has no right to write repository %s", user.Name, repoPath)
 		}
 	case isRead:
-		repo, err := models.GetRepositoryByName(repoUser.Id, repoName)
-		if err != nil {
-			if err == models.ErrRepoNotExist {
-				println("Gogs: given repository does not exist")
-				log.GitLogger.Fatal(2, "Repository does not exist: %s/%s", repoUser.Name, repoName)
-			}
-			println("Gogs: internal error:", err.Error())
-			log.GitLogger.Fatal(2, "Fail to get repository: %v", err)
-		}
-
 		if !repo.IsPrivate {
 			break
 		}
 
-		has, err := models.HasAccess(user.Name, path.Join(repoUserName, repoName), models.READABLE)
+		has, err := models.HasAccess(user, repo, models.ReadAccess)
 		if err != nil {
 			println("Gogs: internal error:", err.Error())
 			log.GitLogger.Fatal(2, "Fail to check read access:", err)

models/access.go

@@ -4,95 +4,76 @@
 
 package models
 
-import (
+type AccessMode int
-	"strings"
-	"time"
-)
-
-type AccessType int
 
 const (
-	READABLE AccessType = iota + 1
+	NoAccess AccessMode = iota
-	WRITABLE
+	ReadAccess
+	WriteAccess
+	AdminAccess
+	OwnerAccess
 )
 
-// Access represents the accessibility of user to repository.
+func maxAccessMode(modes ...AccessMode) AccessMode {
-type Access struct {
+	max := NoAccess
-	Id       int64
+	for _, mode := range modes {
-	UserName string     `xorm:"UNIQUE(s)"`
+		if mode > max {
-	RepoName string     `xorm:"UNIQUE(s)"` // <user name>/<repo name>
+			max = mode
-	Mode     AccessType `xorm:"UNIQUE(s)"`
+		}
-	Created  time.Time  `xorm:"CREATED"`
+	}
+	return max
 }
 
-func addAccess(e Engine, access *Access) error {
+// Access represents the highest access level of a user to the repository. The only access type
-	access.UserName = strings.ToLower(access.UserName)
+// that is not in this table is the real owner of a repository. In case of an organization
-	access.RepoName = strings.ToLower(access.RepoName)
+// repository, the members of the owners team are in this table.
-	_, err := e.Insert(access)
+type Access struct {
-	return err
+	ID     int64 `xorm:"pk autoincr"`
+	UserID int64 `xorm:"UNIQUE(s)"`
+	RepoID int64 `xorm:"UNIQUE(s)"`
+	Mode   AccessMode
 }
 
-// AddAccess adds new access record.
+// HasAccess returns true if someone has the request access level. User can be nil!
-func AddAccess(access *Access) error {
+func HasAccess(u *User, r *Repository, testMode AccessMode) (bool, error) {
-	return addAccess(x, access)
+	mode, err := AccessLevel(u, r)
+	return testMode <= mode, err
 }
 
-func updateAccess(e Engine, access *Access) error {
+// Return the Access a user has to a repository. Will return NoneAccess if the
-	if _, err := e.Id(access.Id).Update(access); err != nil {
+// user does not have access. User can be nil!
-		return err
+func AccessLevel(u *User, r *Repository) (AccessMode, error) {
+	mode := NoAccess
+	if !r.IsPrivate {
+		mode = ReadAccess
 	}
-	return nil
-}
-
-// UpdateAccess updates access information.
-func UpdateAccess(access *Access) error {
-	access.UserName = strings.ToLower(access.UserName)
-	access.RepoName = strings.ToLower(access.RepoName)
-	return updateAccess(x, access)
-}
-
-func deleteAccess(e Engine, access *Access) error {
-	_, err := e.Delete(access)
-	return err
-}
 
-// DeleteAccess deletes access record.
+	if u != nil {
-func DeleteAccess(access *Access) error {
+		if u.Id == r.OwnerId {
-	return deleteAccess(x, access)
+			return OwnerAccess, nil
-}
+		}
 
-// HasAccess returns true if someone can read or write to given repository.
+		a := &Access{UserID: u.Id, RepoID: r.Id}
-// The repoName should be in format <username>/<reponame>.
+		if has, err := x.Get(a); !has || err != nil {
-func HasAccess(uname, repoName string, mode AccessType) (bool, error) {
+			return mode, err
-	if len(repoName) == 0 {
+		}
-		return false, nil
+		return a.Mode, nil
-	}
-	access := &Access{
-		UserName: strings.ToLower(uname),
-		RepoName: strings.ToLower(repoName),
-	}
-	has, err := x.Get(access)
-	if err != nil {
-		return false, err
-	} else if !has {
-		return false, nil
-	} else if mode > access.Mode {
-		return false, nil
 	}
-	return true, nil
+
+	return mode, nil
 }
 
 // GetAccessibleRepositories finds all repositories where a user has access to,
 // besides his own.
-func (u *User) GetAccessibleRepositories() (map[*Repository]AccessType, error) {
+func (u *User) GetAccessibleRepositories() (map[*Repository]AccessMode, error) {
 	accesses := make([]*Access, 0, 10)
-	if err := x.Find(&accesses, &Access{UserName: u.LowerName}); err != nil {
+	if err := x.Find(&accesses, &Access{UserID: u.Id}); err != nil {
 		return nil, err
 	}
 
-	repos := make(map[*Repository]AccessType, len(accesses))
+	repos := make(map[*Repository]AccessMode, len(accesses))
 	for _, access := range accesses {
-		repo, err := GetRepositoryByRef(access.RepoName)
+		repo, err := GetRepositoryById(access.RepoID)
 		if err != nil {
 			return nil, err
 		}
@@ -106,3 +87,65 @@ func (u *User) GetAccessibleRepositories() (map[*Repository]AccessType, error) {
 
 	return repos, nil
 }
+
+// Recalculate all accesses for repository
+func (r *Repository) RecalcAccessSess() error {
+	accessMap := make(map[int64]AccessMode, 20)
+
+	// Give all collaborators write access
+	collaborators, err := r.GetCollaborators()
+	if err != nil {
+		return err
+	}
+	for _, c := range collaborators {
+		accessMap[c.Id] = WriteAccess
+	}
+
+	if err := r.GetOwner(); err != nil {
+		return err
+	}
+	if r.Owner.IsOrganization() {
+		if err = r.Owner.GetTeams(); err != nil {
+			return err
+		}
+
+		for _, team := range r.Owner.Teams {
+			if !(team.IsOwnerTeam() || team.HasRepository(r)) {
+				continue
+			}
+
+			if err = team.GetMembers(); err != nil {
+				return err
+			}
+			for _, u := range team.Members {
+				accessMap[u.Id] = maxAccessMode(accessMap[u.Id], team.Authorize)
+			}
+		}
+	}
+
+	minMode := ReadAccess
+	if !r.IsPrivate {
+		minMode = WriteAccess
+	}
+
+	newAccesses := make([]Access, 0, len(accessMap))
+	for userID, mode := range accessMap {
+		if userID == r.OwnerId || mode <= minMode {
+			continue
+		}
+		newAccesses = append(newAccesses, Access{UserID: userID, RepoID: r.Id, Mode: mode})
+	}
+
+	// Delete old accesses for repository
+	if _, err = x.Delete(&Access{RepoID: r.Id}); err != nil {
+		return err
+	}
+
+	// And insert the new ones
+	if _, err = x.Insert(newAccesses); err != nil {
+		return err
+	}
+
+	return nil
+
+}

models/migrations/migrations.go

@@ -51,6 +51,7 @@ type Version struct {
 // update _MIN_VER_DB accordingly
 var migrations = []Migration{
 	NewMigration("generate collaboration from access", accessToCollaboration), // V0 -> V1
+	NewMigration("refactor access table to use id's", accessRefactor),         // V1 -> V2
 }
 
 // Migrate database to current version
@@ -206,3 +207,8 @@ func accessToCollaboration(x *xorm.Engine) error {
 
 	return sess.Commit()
 }
+
+func accessRefactor(x *xorm.Engine) error {
+	//TODO
+	return nil
+}

models/org.go

@@ -6,9 +6,7 @@ package models
 
 import (
 	"errors"
-	"fmt"
 	"os"
-	"path"
 	"strings"
 
 	"github.com/Unknwon/com"
@@ -136,7 +134,7 @@ func CreateOrganization(org, owner *User) (*User, error) {
 		OrgId:      org.Id,
 		LowerName:  strings.ToLower(OWNER_TEAM),
 		Name:       OWNER_TEAM,
-		Authorize:  ORG_ADMIN,
+		Authorize:  OwnerAccess,
 		NumMembers: 1,
 	}
 	if _, err = sess.Insert(t); err != nil {
@@ -371,10 +369,10 @@ func RemoveOrgUser(orgId, uid int64) error {
 		return err
 	}
 	access := &Access{
-		UserName: u.LowerName,
+		UserID: u.Id,
 	}
 	for _, repo := range org.Repos {
-		access.RepoName = path.Join(org.LowerName, repo.LowerName)
+		access.RepoID = repo.Id
 		if _, err = sess.Delete(access); err != nil {
 			sess.Rollback()
 			return err
@@ -405,21 +403,6 @@ func RemoveOrgUser(orgId, uid int64) error {
 //   |____| \___  >____  /__|_|  /
 //              \/     \/      \/
 
-type AuthorizeType int
-
-const (
-	ORG_READABLE AuthorizeType = iota + 1
-	ORG_WRITABLE
-	ORG_ADMIN
-)
-
-func AuthorizeToAccessType(auth AuthorizeType) AccessType {
-	if auth == ORG_READABLE {
-		return READABLE
-	}
-	return WRITABLE
-}
-
 const OWNER_TEAM = "Owners"
 
 // Team represents a organization team.
@@ -429,7 +412,7 @@ type Team struct {
 	LowerName   string
 	Name        string
 	Description string
-	Authorize   AuthorizeType
+	Authorize   AccessMode
 	RepoIds     string        `xorm:"TEXT"`
 	Repos       []*Repository `xorm:"-"`
 	Members     []*User       `xorm:"-"`
@@ -484,25 +467,6 @@ func (t *Team) RemoveMember(uid int64) error {
 	return RemoveTeamMember(t.OrgId, t.Id, uid)
 }
 
-// addAccessWithAuthorize inserts or updates access with given mode.
-func addAccessWithAuthorize(e Engine, access *Access, mode AccessType) error {
-	has, err := e.Get(access)
-	if err != nil {
-		return fmt.Errorf("fail to get access: %v", err)
-	}
-	access.Mode = mode
-	if has {
-		if _, err = e.Id(access.Id).Update(access); err != nil {
-			return fmt.Errorf("fail to update access: %v", err)
-		}
-	} else {
-		if _, err = e.Insert(access); err != nil {
-			return fmt.Errorf("fail to insert access: %v", err)
-		}
-	}
-	return nil
-}
-
 // AddRepository adds new repository to team of organization.
 func (t *Team) AddRepository(repo *Repository) (err error) {
 	idStr := "$" + com.ToStr(repo.Id) + "|"
@@ -531,27 +495,13 @@ func (t *Team) AddRepository(repo *Repository) (err error) {
 		return err
 	}
 
-	// Give access to team members.
+	if err = repo.RecalcAccessSess(); err != nil {
-	mode := AuthorizeToAccessType(t.Authorize)
+		sess.Rollback()
+		return err
+	}
 
 	for _, u := range t.Members {
-		auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, t.Id)
+		if err = WatchRepo(u.Id, repo.Id, true); err != nil {
-		if err != nil {
-			sess.Rollback()
-			return err
-		}
-
-		access := &Access{
-			UserName: u.LowerName,
-			RepoName: path.Join(repo.Owner.LowerName, repo.LowerName),
-		}
-		if auth < t.Authorize {
-			if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-				sess.Rollback()
-				return err
-			}
-		}
-		if err = watchRepo(sess, u.Id, repo.Id, true); err != nil {
 			sess.Rollback()
 			return err
 		}
@@ -559,6 +509,11 @@ func (t *Team) AddRepository(repo *Repository) (err error) {
 	return sess.Commit()
 }
 
+func (t *Team) HasRepository(r *Repository) bool {
+	idStr := "$" + com.ToStr(r.Id) + "|"
+	return strings.Contains(t.RepoIds, idStr)
+}
+
 // RemoveRepository removes repository from team of organization.
 func (t *Team) RemoveRepository(repoId int64) error {
 	idStr := "$" + com.ToStr(repoId) + "|"
@@ -590,32 +545,16 @@ func (t *Team) RemoveRepository(repoId int64) error {
 		return err
 	}
 
-	// Remove access to team members.
+	if err = repo.RecalcAccessSess(); err != nil {
+		sess.Rollback()
+		return err
+	}
+
 	for _, u := range t.Members {
-		auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, t.Id)
+		if err = WatchRepo(u.Id, repo.Id, false); err != nil {
-		if err != nil {
 			sess.Rollback()
 			return err
 		}
-
-		access := &Access{
-			UserName: u.LowerName,
-			RepoName: path.Join(repo.Owner.LowerName, repo.LowerName),
-		}
-		if auth == 0 {
-			if _, err = sess.Delete(access); err != nil {
-				sess.Rollback()
-				return fmt.Errorf("fail to delete access: %v", err)
-			} else if err = watchRepo(sess, u.Id, repo.Id, false); err != nil {
-				sess.Rollback()
-				return err
-			}
-		} else if auth < t.Authorize {
-			if err = addAccessWithAuthorize(sess, access, AuthorizeToAccessType(auth)); err != nil {
-				sess.Rollback()
-				return err
-			}
-		}
 	}
 
 	return sess.Commit()
@@ -693,34 +632,6 @@ func GetTeamById(teamId int64) (*Team, error) {
 	return getTeamById(x, teamId)
 }
 
-func getHighestAuthorize(e Engine, orgId, uid, repoId, teamId int64) (AuthorizeType, error) {
-	ts, err := getUserTeams(e, orgId, uid)
-	if err != nil {
-		return 0, err
-	}
-
-	var auth AuthorizeType = 0
-	for _, t := range ts {
-		// Not current team and has given repository.
-		if t.Id != teamId && strings.Contains(t.RepoIds, "$"+com.ToStr(repoId)+"|") {
-			// Fast return.
-			if t.Authorize == ORG_WRITABLE {
-				return ORG_WRITABLE, nil
-			}
-			if t.Authorize > auth {
-				auth = t.Authorize
-			}
-		}
-	}
-
-	return auth, nil
-}
-
-// GetHighestAuthorize returns highest repository authorize level for given user and team.
-func GetHighestAuthorize(orgId, uid, repoId, teamId int64) (AuthorizeType, error) {
-	return getHighestAuthorize(x, orgId, uid, repoId, teamId)
-}
-
 // UpdateTeam updates information of team.
 func UpdateTeam(t *Team, authChanged bool) (err error) {
 	if !IsLegalName(t.Name) {
@@ -738,45 +649,14 @@ func UpdateTeam(t *Team, authChanged bool) (err error) {
 	}
 
 	// Update access for team members if needed.
-	if authChanged && !t.IsOwnerTeam() {
+	if authChanged {
 		if err = t.GetRepositories(); err != nil {
 			return err
-		} else if err = t.GetMembers(); err != nil {
-			return err
 		}
 
-		// Get organization.
-		org, err := GetUserById(t.OrgId)
-		if err != nil {
-			return err
-		}
-
-		// Update access.
-		mode := AuthorizeToAccessType(t.Authorize)
-
 		for _, repo := range t.Repos {
-			for _, u := range t.Members {
+			if err = repo.RecalcAccessSess(); err != nil {
-				// ORG_WRITABLE is the highest authorize level for now.
+				return err
-				// Skip checking others if current team has this level.
-				if t.Authorize < ORG_WRITABLE {
-					auth, err := GetHighestAuthorize(t.OrgId, u.Id, repo.Id, t.Id)
-					if err != nil {
-						sess.Rollback()
-						return err
-					}
-					if auth >= t.Authorize {
-						continue // Other team has higher or same authorize level.
-					}
-				}
-
-				access := &Access{
-					UserName: u.LowerName,
-					RepoName: path.Join(org.LowerName, repo.LowerName),
-				}
-				if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-					sess.Rollback()
-					return err
-				}
 			}
 		}
 	}
@@ -812,29 +692,8 @@ func DeleteTeam(t *Team) error {
 
 	// Delete all accesses.
 	for _, repo := range t.Repos {
-		for _, u := range t.Members {
+		if err = repo.RecalcAccessSess(); err != nil {
-			auth, err := GetHighestAuthorize(t.OrgId, u.Id, repo.Id, t.Id)
+			return err
-			if err != nil {
-				sess.Rollback()
-				return err
-			}
-
-			access := &Access{
-				UserName: u.LowerName,
-				RepoName: path.Join(org.LowerName, repo.LowerName),
-			}
-			if auth == 0 {
-				if _, err = sess.Delete(access); err != nil {
-					sess.Rollback()
-					return fmt.Errorf("fail to delete access: %v", err)
-				}
-			} else if auth < t.Authorize {
-				// Downgrade authorize level.
-				if err = addAccessWithAuthorize(sess, access, AuthorizeToAccessType(auth)); err != nil {
-					sess.Rollback()
-					return err
-				}
-			}
 		}
 	}
 
@@ -936,18 +795,6 @@ func AddTeamMember(orgId, teamId, uid int64) error {
 		return err
 	}
 
-	// Get organization.
-	org, err := GetUserById(orgId)
-	if err != nil {
-		return err
-	}
-
-	// Get user.
-	u, err := GetUserById(uid)
-	if err != nil {
-		return err
-	}
-
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
@@ -969,24 +816,11 @@ func AddTeamMember(orgId, teamId, uid int64) error {
 	}
 
 	// Give access to team repositories.
-	mode := AuthorizeToAccessType(t.Authorize)
 	for _, repo := range t.Repos {
-		auth, err := getHighestAuthorize(sess, t.OrgId, u.Id, repo.Id, teamId)
+		if err = repo.RecalcAccessSess(); err != nil {
-		if err != nil {
 			sess.Rollback()
 			return err
 		}
-
-		access := &Access{
-			UserName: u.LowerName,
-			RepoName: path.Join(org.LowerName, repo.LowerName),
-		}
-		if auth < t.Authorize {
-			if err = addAccessWithAuthorize(sess, access, mode); err != nil {
-				sess.Rollback()
-				return err
-			}
-		}
 	}
 
 	// We make sure it exists before.
@@ -1036,12 +870,6 @@ func removeTeamMember(e Engine, orgId, teamId, uid int64) error {
 		return err
 	}
 
-	// Get user.
-	u, err := GetUserById(uid)
-	if err != nil {
-		return err
-	}
-
 	tu := &TeamUser{
 		Uid:    uid,
 		OrgId:  orgId,
@@ -1056,28 +884,9 @@ func removeTeamMember(e Engine, orgId, teamId, uid int64) error {
 
 	// Delete access to team repositories.
 	for _, repo := range t.Repos {
-		auth, err := getHighestAuthorize(e, t.OrgId, u.Id, repo.Id, teamId)
+		if err = repo.RecalcAccessSess(); err != nil {
-		if err != nil {
 			return err
 		}
-
-		access := &Access{
-			UserName: u.LowerName,
-			RepoName: path.Join(org.LowerName, repo.LowerName),
-		}
-		// Delete access if this is the last team user belongs to.
-		if auth == 0 {
-			if _, err = e.Delete(access); err != nil {
-				return fmt.Errorf("fail to delete access: %v", err)
-			} else if err = watchRepo(e, u.Id, repo.Id, false); err != nil {
-				return err
-			}
-		} else if auth < t.Authorize {
-			// Downgrade authorize level.
-			if err = addAccessWithAuthorize(e, access, AuthorizeToAccessType(auth)); err != nil {
-				return err
-			}
-		}
 	}
 
 	// This must exist.

models/repo.go

@@ -206,14 +206,6 @@ func (repo *Repository) IsOwnedBy(u *User) bool {
 	return repo.OwnerId == u.Id
 }
 
-func (repo *Repository) HasAccess(uname string) bool {
-	if err := repo.GetOwner(); err != nil {
-		return false
-	}
-	has, _ := HasAccess(uname, path.Join(repo.Owner.Name, repo.Name), READABLE)
-	return has
-}
-
 // DescriptionHtml does special handles to description and return HTML string.
 func (repo *Repository) DescriptionHtml() template.HTML {
 	sanitize := func(s string) string {
@@ -548,36 +540,11 @@ func CreateRepository(u *User, name, desc, lang, license string, private, mirror
 
 	var t *Team // Owner team.
 
-	mode := WRITABLE
+	// TODO fix code for mirrors?
-	if mirror {
+
-		mode = READABLE
-	}
-	access := &Access{
-		UserName: u.LowerName,
-		RepoName: path.Join(u.LowerName, repo.LowerName),
-		Mode:     mode,
-	}
 	// Give access to all members in owner team.
 	if u.IsOrganization() {
-		t, err = u.GetOwnerTeam()
+		if err = repo.RecalcAccessSess(); err != nil {
-		if err != nil {
-			sess.Rollback()
-			return nil, err
-		}
-		if err = t.GetMembers(); err != nil {
-			sess.Rollback()
-			return nil, err
-		}
-		for _, u := range t.Members {
-			access.Id = 0
-			access.UserName = u.LowerName
-			if _, err = sess.Insert(access); err != nil {
-				sess.Rollback()
-				return nil, err
-			}
-		}
-	} else {
-		if _, err = sess.Insert(access); err != nil {
 			sess.Rollback()
 			return nil, err
 		}
@@ -707,37 +674,10 @@ func TransferOwnership(u *User, newOwner string, repo *Repository) error {
 	}
 
 	owner := repo.Owner
-	oldRepoLink := path.Join(owner.LowerName, repo.LowerName)
-	// Delete all access first if current owner is an organization.
-	if owner.IsOrganization() {
-		if _, err = sess.Where("repo_name=?", oldRepoLink).Delete(new(Access)); err != nil {
-			sess.Rollback()
-			return fmt.Errorf("fail to delete current accesses: %v", err)
-		}
-	} else {
-		// Delete current owner access.
-		if _, err = sess.Where("repo_name=?", oldRepoLink).And("user_name=?", owner.LowerName).
-			Delete(new(Access)); err != nil {
-			sess.Rollback()
-			return fmt.Errorf("fail to delete access(owner): %v", err)
-		}
-		// In case new owner has access.
-		if _, err = sess.Where("repo_name=?", oldRepoLink).And("user_name=?", newUser.LowerName).
-			Delete(new(Access)); err != nil {
-			sess.Rollback()
-			return fmt.Errorf("fail to delete access(new user): %v", err)
-		}
-	}
-
-	// Change accesses to new repository path.
-	if _, err = sess.Where("repo_name=?", oldRepoLink).
-		Update(&Access{RepoName: path.Join(newUser.LowerName, repo.LowerName)}); err != nil {
-		sess.Rollback()
-		return fmt.Errorf("fail to update access(change reponame): %v", err)
-	}
 
 	// Update repository.
 	repo.OwnerId = newUser.Id
+	repo.Owner = newUser
 	if _, err := sess.Id(repo.Id).Update(repo); err != nil {
 		sess.Rollback()
 		return err
@@ -754,53 +694,8 @@ func TransferOwnership(u *User, newOwner string, repo *Repository) error {
 		return err
 	}
 
-	mode := WRITABLE
+	if err = repo.RecalcAccessSess(); err != nil {
-	if repo.IsMirror {
+		return err
-		mode = READABLE
-	}
-	// New owner is organization.
-	if newUser.IsOrganization() {
-		access := &Access{
-			RepoName: path.Join(newUser.LowerName, repo.LowerName),
-			Mode:     mode,
-		}
-
-		// Give access to all members in owner team.
-		t, err := newUser.GetOwnerTeam()
-		if err != nil {
-			sess.Rollback()
-			return err
-		}
-		if err = t.GetMembers(); err != nil {
-			sess.Rollback()
-			return err
-		}
-		for _, u := range t.Members {
-			access.Id = 0
-			access.UserName = u.LowerName
-			if _, err = sess.Insert(access); err != nil {
-				sess.Rollback()
-				return err
-			}
-		}
-
-		// Update owner team info and count.
-		t.RepoIds += "$" + com.ToStr(repo.Id) + "|"
-		t.NumRepos++
-		if _, err = sess.Id(t.Id).AllCols().Update(t); err != nil {
-			sess.Rollback()
-			return err
-		}
-	} else {
-		access := &Access{
-			RepoName: path.Join(newUser.LowerName, repo.LowerName),
-			UserName: newUser.LowerName,
-			Mode:     mode,
-		}
-		if _, err = sess.Insert(access); err != nil {
-			sess.Rollback()
-			return fmt.Errorf("fail to insert access: %v", err)
-		}
 	}
 
 	// Change repository directory name.
@@ -833,33 +728,8 @@ func ChangeRepositoryName(userName, oldRepoName, newRepoName string) (err error)
 		return ErrRepoNameIllegal
 	}
 
-	// Update accesses.
-	accesses := make([]Access, 0, 10)
-	if err = x.Find(&accesses, &Access{RepoName: userName + "/" + oldRepoName}); err != nil {
-		return err
-	}
-
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	for i := range accesses {
-		accesses[i].RepoName = userName + "/" + newRepoName
-		if err = updateAccess(sess, &accesses[i]); err != nil {
-			sess.Rollback()
-			return err
-		}
-	}
-
 	// Change repository directory name.
-	if err = os.Rename(RepoPath(userName, oldRepoName), RepoPath(userName, newRepoName)); err != nil {
+	return os.Rename(RepoPath(userName, oldRepoName), RepoPath(userName, newRepoName))
-		sess.Rollback()
-		return err
-	}
-
-	return sess.Commit()
 }
 
 func UpdateRepository(repo *Repository) error {
@@ -908,7 +778,7 @@ func DeleteRepository(uid, repoId int64, userName string) error {
 	}
 
 	// Delete all access.
-	if _, err := sess.Delete(&Access{RepoName: strings.ToLower(path.Join(userName, repo.Name))}); err != nil {
+	if _, err := sess.Delete(&Access{RepoID: repo.Id}); err != nil {
 		sess.Rollback()
 		return err
 	}
@@ -1228,41 +1098,30 @@ type Collaboration struct {
 // Add collaborator and accompanying access
 func (r *Repository) AddCollaborator(u *User) error {
 	collaboration := &Collaboration{RepoID: r.Id, UserID: u.Id}
+
 	has, err := x.Get(collaboration)
 	if err != nil {
 		return err
-	} else if has {
-		return nil
 	}
-
+	if has {
-	if err = r.GetOwner(); err != nil {
+		return nil
-		return err
 	}
 
-	sess := x.NewSession()
+	if _, err = x.InsertOne(collaboration); err != nil {
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
 		return err
 	}
 
-	if _, err = sess.InsertOne(collaboration); err != nil {
+	if err = r.GetOwner(); err != nil {
-		sess.Rollback()
-		return err
-	} else if err = addAccess(sess, &Access{
-		UserName: u.LowerName,
-		RepoName: path.Join(r.Owner.LowerName, r.LowerName),
-		Mode:     WRITABLE}); err != nil {
-		sess.Rollback()
 		return err
 	}
 
-	return sess.Commit()
+	return r.RecalcAccessSess()
 }
 
 // GetCollaborators returns the collaborators for a repository
 func (r *Repository) GetCollaborators() ([]*User, error) {
-	collaborations := make([]*Collaboration, 0, 5)
+	collaborations := make([]*Collaboration, 0)
-	if err := x.Where("repo_id=?", r.Id).Find(&collaborations); err != nil {
+	if err := x.Find(&collaborations, &Collaboration{RepoID: r.Id}); err != nil {
 		return nil, err
 	}
 
@@ -1278,50 +1137,14 @@ func (r *Repository) GetCollaborators() ([]*User, error) {
 }
 
 // Delete collaborator and accompanying access
-func (r *Repository) DeleteCollaborator(u *User) (err error) {
+func (r *Repository) DeleteCollaborator(u *User) error {
 	collaboration := &Collaboration{RepoID: r.Id, UserID: u.Id}
-	has, err := x.Get(collaboration)
-	if err != nil {
-		return err
-	} else if !has {
-		return nil
-	}
 
-	if err = r.GetOwner(); err != nil {
+	if has, err := x.Delete(collaboration); err != nil || has == 0 {
-		return err
-	}
-
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
 		return err
 	}
 
-	needDelete := true
+	return r.RecalcAccessSess()
-	if r.Owner.IsOrganization() {
-		auth, err := getHighestAuthorize(sess, r.Owner.Id, u.Id, r.Id, 0)
-		if err != nil {
-			sess.Rollback()
-			return err
-		}
-		if auth > 0 {
-			needDelete = false
-		}
-	}
-	if needDelete {
-		if err = deleteAccess(sess, &Access{
-			UserName: u.LowerName,
-			RepoName: path.Join(r.Owner.LowerName, r.LowerName),
-			Mode:     WRITABLE}); err != nil {
-			sess.Rollback()
-			return err
-		} else if _, err = sess.Delete(collaboration); err != nil {
-			sess.Rollback()
-			return err
-		}
-	}
-
-	return sess.Commit()
 }
 
 //  __      __         __         .__
@@ -1495,40 +1318,10 @@ func ForkRepository(u *User, oldRepo *Repository, name, desc string) (*Repositor
 		return nil, err
 	}
 
-	var t *Team // Owner team.
+	if err = repo.RecalcAccessSess(); err != nil {
-
+		return nil, err
-	mode := WRITABLE
-
-	access := &Access{
-		UserName: u.LowerName,
-		RepoName: path.Join(u.LowerName, repo.LowerName),
-		Mode:     mode,
-	}
-	// Give access to all members in owner team.
-	if u.IsOrganization() {
-		t, err = u.GetOwnerTeam()
-		if err != nil {
-			sess.Rollback()
-			return nil, err
-		}
-		if err = t.GetMembers(); err != nil {
-			sess.Rollback()
-			return nil, err
-		}
-		for _, u := range t.Members {
-			access.Id = 0
-			access.UserName = u.LowerName
-			if _, err = sess.Insert(access); err != nil {
-				sess.Rollback()
-				return nil, err
-			}
-		}
-	} else {
-		if _, err = sess.Insert(access); err != nil {
-			sess.Rollback()
-			return nil, err
-		}
 	}
+	var t *Team // Owner team.
 
 	if _, err = sess.Exec(
 		"UPDATE `user` SET num_repos = num_repos + 1 WHERE id = ?", u.Id); err != nil {

models/user.go

@@ -395,62 +395,7 @@ func ChangeUserName(u *User, newUserName string) (err error) {
 	if !IsLegalName(newUserName) {
 		return ErrUserNameIllegal
 	}
-
+	return os.Rename(UserPath(u.LowerName), UserPath(newUserName))
-	newUserName = strings.ToLower(newUserName)
-
-	// Update accesses of user.
-	accesses := make([]Access, 0, 10)
-	if err = x.Find(&accesses, &Access{UserName: u.LowerName}); err != nil {
-		return err
-	}
-
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	for i := range accesses {
-		accesses[i].UserName = newUserName
-		if strings.HasPrefix(accesses[i].RepoName, u.LowerName+"/") {
-			accesses[i].RepoName = strings.Replace(accesses[i].RepoName, u.LowerName, newUserName, 1)
-		}
-		if err = updateAccess(sess, &accesses[i]); err != nil {
-			sess.Rollback()
-			return err
-		}
-	}
-
-	repos, err := GetRepositories(u.Id, true)
-	if err != nil {
-		return err
-	}
-	for i := range repos {
-		accesses = make([]Access, 0, 10)
-		// Update accesses of user repository.
-		if err = x.Find(&accesses, &Access{RepoName: u.LowerName + "/" + repos[i].LowerName}); err != nil {
-			return err
-		}
-
-		for j := range accesses {
-			// if the access is not the user's access (already updated above)
-			if accesses[j].UserName != u.LowerName {
-				accesses[j].RepoName = newUserName + "/" + repos[i].LowerName
-				if err = updateAccess(sess, &accesses[j]); err != nil {
-					sess.Rollback()
-					return err
-				}
-			}
-		}
-	}
-
-	// Change user directory name.
-	if err = os.Rename(UserPath(u.LowerName), UserPath(newUserName)); err != nil {
-		sess.Rollback()
-		return err
-	}
-
-	return sess.Commit()
 }
 
 // UpdateUser updates user's information.
@@ -523,7 +468,7 @@ func DeleteUser(u *User) error {
 		return err
 	}
 	// Delete all accesses.
-	if _, err = x.Delete(&Access{UserName: u.LowerName}); err != nil {
+	if _, err = x.Delete(&Access{UserID: u.Id}); err != nil {
 		return err
 	}
 	// Delete all alternative email addresses

modules/middleware/org.go

@@ -87,7 +87,7 @@ func OrgAssignment(redirect bool, args ...bool) macaron.Handler {
 				return
 			}
 			ctx.Data["Team"] = ctx.Org.Team
-			ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize == models.ORG_ADMIN
+			ctx.Org.IsAdminTeam = ctx.Org.Team.IsOwnerTeam() || ctx.Org.Team.Authorize >= models.AdminAccess
 		}
 		ctx.Data["IsAdminTeam"] = ctx.Org.IsAdminTeam
 		if requireAdminTeam && !ctx.Org.IsAdminTeam {

modules/middleware/repo.go

@@ -5,7 +5,6 @@
 package middleware
 
 import (
-	"errors"
 	"fmt"
 	"net/url"
 	"strings"
@@ -29,17 +28,10 @@ func ApiRepoAssignment() macaron.Handler {
 			err error
 		)
 
-		// Collaborators who have write access can be seen as owners.
+		// Check if the user is the same as the repository owner
-		if ctx.IsSigned {
+		if ctx.IsSigned && u.LowerName == strings.ToLower(userName) {
-			ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE)
+			u = ctx.User
-			if err != nil {
+		} else {
-				ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL})
-				return
-			}
-			ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
-		}
-
-		if !ctx.Repo.IsTrueOwner {
 			u, err = models.GetUserByName(userName)
 			if err != nil {
 				if err == models.ErrUserNotExist {
@@ -49,64 +41,38 @@ func ApiRepoAssignment() macaron.Handler {
 				}
 				return
 			}
-		} else {
-			u = ctx.User
 		}
 		ctx.Repo.Owner = u
 
-		// Organization owner team members are true owners as well.
-		if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) {
-			ctx.Repo.IsTrueOwner = true
-		}
-
 		// Get repository.
 		repo, err := models.GetRepositoryByName(u.Id, repoName)
 		if err != nil {
 			if err == models.ErrRepoNotExist {
 				ctx.Error(404)
-				return
+			} else {
+				ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
 			}
-			ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
 			return
 		} else if err = repo.GetOwner(); err != nil {
 			ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL})
 			return
 		}
 
-		// Check if the mirror repository owner(mirror repository doesn't have access).
+		if ctx.IsSigned {
-		if ctx.IsSigned && !ctx.Repo.IsOwner {
+			mode, err := models.AccessLevel(ctx.User, repo)
-			if repo.OwnerId == ctx.User.Id {
+			if err != nil {
-				ctx.Repo.IsOwner = true
+				ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL})
-			}
+				return
-			// Check if current user has admin permission to repository.
-			if u.IsOrganization() {
-				auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0)
-				if err != nil {
-					ctx.JSON(500, &base.ApiJsonErr{"GetHighestAuthorize: " + err.Error(), base.DOC_URL})
-					return
-				}
-				if auth == models.ORG_ADMIN {
-					ctx.Repo.IsOwner = true
-					ctx.Repo.IsAdmin = true
-				}
 			}
+			ctx.Repo.IsOwner = mode >= models.WriteAccess
+			ctx.Repo.IsAdmin = mode >= models.ReadAccess
+			ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess
 		}
 
 		// Check access.
 		if repo.IsPrivate && !ctx.Repo.IsOwner {
-			if ctx.User == nil {
+			ctx.Error(404)
-				ctx.Error(404)
+			return
-				return
-			}
-
-			hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE)
-			if err != nil {
-				ctx.JSON(500, &base.ApiJsonErr{"HasAccess: " + err.Error(), base.DOC_URL})
-				return
-			} else if !hasAccess {
-				ctx.Error(404)
-				return
-			}
 		}
 		ctx.Repo.HasAccess = true
 
@@ -242,101 +208,54 @@ func RepoAssignment(redirect bool, args ...bool) macaron.Handler {
 			refName = ctx.Params(":path")
 		}
 
-		// Collaborators who have write access can be seen as owners.
+		// Check if the user is the same as the repository owner
-		if ctx.IsSigned {
+		if ctx.IsSigned && u.LowerName == strings.ToLower(userName) {
-			ctx.Repo.IsOwner, err = models.HasAccess(ctx.User.Name, userName+"/"+repoName, models.WRITABLE)
+			u = ctx.User
-			if err != nil {
+		} else {
-				ctx.Handle(500, "HasAccess", err)
-				return
-			}
-			ctx.Repo.IsTrueOwner = ctx.User.LowerName == strings.ToLower(userName)
-		}
-
-		if !ctx.Repo.IsTrueOwner {
 			u, err = models.GetUserByName(userName)
 			if err != nil {
 				if err == models.ErrUserNotExist {
-					ctx.Handle(404, "GetUserByName", err)
+					ctx.Error(404)
-				} else if redirect {
-					log.Error(4, "GetUserByName", err)
-					ctx.Redirect(setting.AppSubUrl + "/")
 				} else {
-					ctx.Handle(500, "GetUserByName", err)
+					ctx.JSON(500, &base.ApiJsonErr{"GetUserByName: " + err.Error(), base.DOC_URL})
 				}
 				return
 			}
-		} else {
-			u = ctx.User
-		}
-
-		if u == nil {
-			if redirect {
-				ctx.Redirect(setting.AppSubUrl + "/")
-				return
-			}
-			ctx.Handle(404, "RepoAssignment", errors.New("invliad user account for single repository"))
-			return
 		}
 		ctx.Repo.Owner = u
 
-		// Organization owner team members are true owners as well.
-		if ctx.IsSigned && ctx.Repo.Owner.IsOrganization() && ctx.Repo.Owner.IsOwnedBy(ctx.User.Id) {
-			ctx.Repo.IsTrueOwner = true
-		}
-
 		// Get repository.
 		repo, err := models.GetRepositoryByName(u.Id, repoName)
 		if err != nil {
 			if err == models.ErrRepoNotExist {
-				ctx.Handle(404, "GetRepositoryByName", err)
+				ctx.Error(404)
-				return
+			} else {
-			} else if redirect {
+				ctx.JSON(500, &base.ApiJsonErr{"GetRepositoryByName: " + err.Error(), base.DOC_URL})
-				ctx.Redirect(setting.AppSubUrl + "/")
-				return
 			}
-			ctx.Handle(500, "GetRepositoryByName", err)
 			return
 		} else if err = repo.GetOwner(); err != nil {
-			ctx.Handle(500, "GetOwner", err)
+			ctx.JSON(500, &base.ApiJsonErr{"GetOwner: " + err.Error(), base.DOC_URL})
 			return
 		}
 
-		// Check if the mirror repository owner(mirror repository doesn't have access).
+		if ctx.IsSigned {
-		if ctx.IsSigned && !ctx.Repo.IsOwner {
+			mode, err := models.AccessLevel(ctx.User, repo)
-			if repo.OwnerId == ctx.User.Id {
+			if err != nil {
-				ctx.Repo.IsOwner = true
+				ctx.JSON(500, &base.ApiJsonErr{"AccessLevel: " + err.Error(), base.DOC_URL})
-			}
+				return
-			// Check if current user has admin permission to repository.
-			if u.IsOrganization() {
-				auth, err := models.GetHighestAuthorize(u.Id, ctx.User.Id, repo.Id, 0)
-				if err != nil {
-					ctx.Handle(500, "GetHighestAuthorize", err)
-					return
-				}
-				if auth == models.ORG_ADMIN {
-					ctx.Repo.IsOwner = true
-					ctx.Repo.IsAdmin = true
-				}
 			}
+			ctx.Repo.IsOwner = mode >= models.WriteAccess
+			ctx.Repo.IsAdmin = mode >= models.ReadAccess
+			ctx.Repo.IsTrueOwner = mode >= models.OwnerAccess
 		}
 
 		// Check access.
 		if repo.IsPrivate && !ctx.Repo.IsOwner {
-			if ctx.User == nil {
+			ctx.Error(404)
-				ctx.Handle(404, "HasAccess", nil)
+			return
-				return
-			}
-
-			hasAccess, err := models.HasAccess(ctx.User.Name, ctx.Repo.Owner.Name+"/"+repo.Name, models.READABLE)
-			if err != nil {
-				ctx.Handle(500, "HasAccess", err)
-				return
-			} else if !hasAccess {
-				ctx.Handle(404, "HasAccess", nil)
-				return
-			}
 		}
 		ctx.Repo.HasAccess = true
+
 		ctx.Data["HasAccess"] = true
 
 		if repo.IsMirror {

routers/api/v1/repo.go

@@ -255,7 +255,7 @@ func ListMyRepos(ctx *middleware.Context) {
 			return
 		}
 
-		repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.WRITABLE, true})
+		repos[i] = ToApiRepository(repo.Owner, repo, api.Permission{false, access >= models.WriteAccess, true})
 
 		// FIXME: cache result to reduce DB query?
 		if repo.Owner.IsOrganization() && repo.Owner.IsOwnedBy(ctx.User.Id) {

routers/org/teams.go

@@ -165,14 +165,14 @@ func NewTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) {
 	}
 
 	// Validate permission level.
-	var auth models.AuthorizeType
+	var auth models.AccessMode
 	switch form.Permission {
 	case "read":
-		auth = models.ORG_READABLE
+		auth = models.ReadAccess
 	case "write":
-		auth = models.ORG_WRITABLE
+		auth = models.WriteAccess
 	case "admin":
-		auth = models.ORG_ADMIN
+		auth = models.AdminAccess
 	default:
 		ctx.Error(401)
 		return
@@ -246,14 +246,14 @@ func EditTeamPost(ctx *middleware.Context, form auth.CreateTeamForm) {
 	isAuthChanged := false
 	if !t.IsOwnerTeam() {
 		// Validate permission level.
-		var auth models.AuthorizeType
+		var auth models.AccessMode
 		switch form.Permission {
 		case "read":
-			auth = models.ORG_READABLE
+			auth = models.ReadAccess
 		case "write":
-			auth = models.ORG_WRITABLE
+			auth = models.WriteAccess
 		case "admin":
-			auth = models.ORG_ADMIN
+			auth = models.AdminAccess
 		default:
 			ctx.Error(401)
 			return

routers/repo/http.go

@@ -137,18 +137,18 @@ func Http(ctx *middleware.Context) {
 		}
 
 		if !isPublicPull {
-			var tp = models.WRITABLE
+			var tp = models.WriteAccess
 			if isPull {
-				tp = models.READABLE
+				tp = models.ReadAccess
 			}
 
-			has, err := models.HasAccess(authUsername, username+"/"+reponame, tp)
+			has, err := models.HasAccess(authUser, repo, tp)
 			if err != nil {
 				ctx.Handle(401, "no basic auth and digit auth", nil)
 				return
 			} else if !has {
-				if tp == models.READABLE {
+				if tp == models.ReadAccess {
-					has, err = models.HasAccess(authUsername, username+"/"+reponame, models.WRITABLE)
+					has, err = models.HasAccess(authUser, repo, models.WriteAccess)
 					if err != nil || !has {
 						ctx.Handle(401, "no basic auth and digit auth", nil)
 						return

routers/user/home.go

@@ -103,8 +103,7 @@ func Dashboard(ctx *middleware.Context) {
 	feeds := make([]*models.Action, 0, len(actions))
 	for _, act := range actions {
 		if act.IsPrivate {
-			if has, _ := models.HasAccess(ctx.User.Name, act.RepoUserName+"/"+act.RepoName,
+			if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true}, models.ReadAccess); !has {
-				models.READABLE); !has {
 				continue
 			}
 		}
@@ -211,8 +210,8 @@ func Profile(ctx *middleware.Context) {
 				if !ctx.IsSigned {
 					continue
 				}
-				if has, _ := models.HasAccess(ctx.User.Name, act.RepoUserName+"/"+act.RepoName,
+				if has, _ := models.HasAccess(ctx.User, &models.Repository{Id: act.RepoId, IsPrivate: true},
-					models.READABLE); !has {
+					models.ReadAccess); !has {
 					continue
 				}
 			}