Team permission to create repository in organization

integrations/api_repo_test.go

@@ -347,6 +347,8 @@ func TestAPIOrgRepoCreate(t *testing.T) {
 		{ctxUserID: 1, orgName: "user3", repoName: "repo-admin", expectedStatus: http.StatusCreated},
 		{ctxUserID: 2, orgName: "user3", repoName: "repo-own", expectedStatus: http.StatusCreated},
 		{ctxUserID: 2, orgName: "user6", repoName: "repo-bad-org", expectedStatus: http.StatusForbidden},
+		{ctxUserID: 27, orgName: "user3", repoName: "repo-creator", expectedStatus: http.StatusCreated},
+		{ctxUserID: 27, orgName: "user6", repoName: "repo-not-creator", expectedStatus: http.StatusForbidden},
 	}
 
 	prepareTestEnv(t)

models/fixtures/org_user.yml

@@ -45,3 +45,16 @@
   uid: 24
   org_id: 25
   is_public: true
+
+-
+  id: 9
+  uid: 27
+  org_id: 3
+  is_public: true
+
+-
+  id: 10
+  uid: 27
+  org_id: 6
+  is_public: true
+

models/fixtures/team.yml

@@ -96,3 +96,23 @@
   authorize: 1 # read
   num_repos: 0
   num_members: 0
+
+-
+  id: 12
+  org_id: 3
+  lower_name: team12creators
+  name: team12Creators
+  authorize: 3 # admin
+  num_repos: 0
+  num_members: 1
+  can_create_org_repo: true
+
+-
+  id: 13
+  org_id: 6
+  lower_name: team13notcreators
+  name: team13NotCreators
+  authorize: 3 # admin
+  num_repos: 0
+  num_members: 1
+  can_create_org_repo: false

models/fixtures/team_user.yml

@@ -69,3 +69,15 @@
   org_id: 25
   team_id: 10
   uid: 24
+
+-
+  id: 13
+  org_id: 3
+  team_id: 12
+  uid: 27
+
+-
+  id: 14
+  org_id: 6
+  team_id: 13
+  uid: 27

models/fixtures/user.yml

@@ -50,8 +50,8 @@
   avatar: avatar3
   avatar_email: user3@example.com
   num_repos: 3
-  num_members: 2
-  num_teams: 3
+  num_members: 3
+  num_teams: 4
 
 -
   id: 4
@@ -102,8 +102,8 @@
   avatar: avatar6
   avatar_email: user6@example.com
   num_repos: 0
-  num_members: 1
-  num_teams: 1
+  num_members: 2
+  num_teams: 2
 
 -
   id: 7
@@ -427,4 +427,24 @@
   num_repos: 1
   num_members: 0
   num_teams: 1
-  repo_admin_change_team_access: true
+  repo_admin_change_team_access: true
+
+-
+  id: 27
+  lower_name: user27
+  name: user27
+  full_name: "user27"
+  email: user27@example.com
+  keep_email_private: true
+  passwd: 7d93daa0d1e6f2305cc8fa496847d61dc7320bb16262f9c55dd753480207234cdd96a93194e408341971742f4701772a025a # password
+  type: 0 # individual
+  salt: ZogKvWdyEx
+  is_admin: false
+  avatar: avatar27
+  avatar_email: user27@example.com
+  num_repos: 0
+  num_stars: 0
+  num_followers: 0
+  num_following: 0
+  is_active: true
+

models/org.go

@@ -29,6 +29,11 @@ func (org *User) IsOrgMember(uid int64) (bool, error) {
 	return IsOrganizationMember(org.ID, uid)
 }
 
+// CanCreateOrgRepo returns true if given user can create repo in organization
+func (org *User) CanCreateOrgRepo(uid int64) (bool, error) {
+	return CanCreateOrgRepo(org.ID, uid)
+}
+
 func (org *User) getTeam(e Engine, name string) (*Team, error) {
 	return getTeam(e, org.ID, name)
 }
@@ -149,11 +154,12 @@ func CreateOrganization(org, owner *User) (err error) {
 
 	// Create default owner team.
 	t := &Team{
-		OrgID:      org.ID,
-		LowerName:  strings.ToLower(ownerTeamName),
-		Name:       ownerTeamName,
-		Authorize:  AccessModeOwner,
-		NumMembers: 1,
+		OrgID:            org.ID,
+		LowerName:        strings.ToLower(ownerTeamName),
+		Name:             ownerTeamName,
+		Authorize:        AccessModeOwner,
+		NumMembers:       1,
+		CanCreateOrgRepo: true,
 	}
 	if _, err = sess.Insert(t); err != nil {
 		return fmt.Errorf("insert owner team: %v", err)
@@ -335,6 +341,19 @@ func IsPublicMembership(orgID, uid int64) (bool, error) {
 		Exist()
 }
 
+// CanCreateOrgRepo returns true if user can create repo in organization
+func CanCreateOrgRepo(orgID, uid int64) (bool, error) {
+	if owner, err := IsOrganizationOwner(orgID, uid); owner || err != nil {
+		return owner, err
+	}
+	return x.
+		Where(builder.Eq{"team.can_create_org_repo": true}).
+		Join("INNER", "team_user", "team_user.team_id = team.id").
+		And("team_user.uid = ?", uid).
+		And("team_user.org_id = ?", orgID).
+		Exist(new(Team))
+}
+
 func getOrgsByUserID(sess *xorm.Session, userID int64, showAll bool) ([]*User, error) {
 	orgs := make([]*User, 0, 10)
 	if !showAll {
@@ -366,6 +385,17 @@ func getOwnedOrgsByUserID(sess *xorm.Session, userID int64) ([]*User, error) {
 		Find(&orgs)
 }
 
+func getOrgsCanCreateRepoByUserIDDesc(sess *xorm.Session, userID int64) ([]*User, error) {
+	orgs := make([]*User, 0, 10)
+	return orgs, sess.
+		Join("INNER", "`team_user`", "`team_user`.org_id=`user`.id").
+		Join("INNER", "`team`", "`team`.id=`team_user`.team_id").
+		Where("`team_user`.uid=?", userID).
+		And(builder.Eq{"`team`.authorize": AccessModeOwner}.Or(builder.Eq{"`team`.can_create_org_repo": true})).
+		Asc("`user`.name").
+		Find(&orgs)
+}
+
 // HasOrgVisible tells if the given user can see the given org
 func HasOrgVisible(org *User, user *User) bool {
 	return hasOrgVisible(x, org, user)
@@ -414,6 +444,12 @@ func GetOwnedOrgsByUserIDDesc(userID int64, desc string) ([]*User, error) {
 	return getOwnedOrgsByUserID(x.Desc(desc), userID)
 }
 
+// GetOrgsCanCreateRepoByUserIDDesc returns a list of organizations where given user ID
+// are allowed to create repos, ordered descending by the given condition.
+func GetOrgsCanCreateRepoByUserIDDesc(userID int64, desc string) ([]*User, error) {
+	return getOrgsCanCreateRepoByUserIDDesc(x.Desc(desc), userID)
+}
+
 // GetOrgUsersByUserID returns all organization-user relations by user ID.
 func GetOrgUsersByUserID(uid int64, all bool) ([]*OrgUser, error) {
 	ous := make([]*OrgUser, 0, 10)

models/org_team.go

@@ -21,17 +21,18 @@ const ownerTeamName = "Owners"
 
 // Team represents a organization team.
 type Team struct {
-	ID          int64 `xorm:"pk autoincr"`
-	OrgID       int64 `xorm:"INDEX"`
-	LowerName   string
-	Name        string
-	Description string
-	Authorize   AccessMode
-	Repos       []*Repository `xorm:"-"`
-	Members     []*User       `xorm:"-"`
-	NumRepos    int
-	NumMembers  int
-	Units       []*TeamUnit `xorm:"-"`
+	ID               int64 `xorm:"pk autoincr"`
+	OrgID            int64 `xorm:"INDEX"`
+	LowerName        string
+	Name             string
+	Description      string
+	Authorize        AccessMode
+	Repos            []*Repository `xorm:"-"`
+	Members          []*User       `xorm:"-"`
+	NumRepos         int
+	NumMembers       int
+	Units            []*TeamUnit `xorm:"-"`
+	CanCreateOrgRepo bool        `xorm:"NOT NULL DEFAULT false"`
 }
 
 // ColorFormat provides a basic color format for a Team

models/org_test.go

@@ -87,20 +87,22 @@ func TestUser_GetTeams(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())
 	org := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
 	assert.NoError(t, org.GetTeams())
-	if assert.Len(t, org.Teams, 3) {
+	if assert.Len(t, org.Teams, 4) {
 		assert.Equal(t, int64(1), org.Teams[0].ID)
 		assert.Equal(t, int64(2), org.Teams[1].ID)
-		assert.Equal(t, int64(7), org.Teams[2].ID)
+		assert.Equal(t, int64(12), org.Teams[2].ID)
+		assert.Equal(t, int64(7), org.Teams[3].ID)
 	}
 }
 
 func TestUser_GetMembers(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())
 	org := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
 	assert.NoError(t, org.GetMembers())
-	if assert.Len(t, org.Members, 2) {
+	if assert.Len(t, org.Members, 3) {
 		assert.Equal(t, int64(2), org.Members[0].ID)
-		assert.Equal(t, int64(4), org.Members[1].ID)
+		assert.Equal(t, int64(27), org.Members[1].ID)
+		assert.Equal(t, int64(4), org.Members[2].ID)
 	}
 }
 
@@ -395,7 +397,7 @@ func TestGetOrgUsersByOrgID(t *testing.T) {
 
 	orgUsers, err := GetOrgUsersByOrgID(3)
 	assert.NoError(t, err)
-	if assert.Len(t, orgUsers, 2) {
+	if assert.Len(t, orgUsers, 3) {
 		assert.Equal(t, OrgUser{
 			ID:       orgUsers[0].ID,
 			OrgID:    3,

models/repo.go

@@ -1326,7 +1326,18 @@ func createRepository(e *xorm.Session, doer, u *User, repo *Repository) (err err
 			return fmt.Errorf("getOwnerTeam: %v", err)
 		} else if err = t.addRepository(e, repo); err != nil {
 			return fmt.Errorf("addRepository: %v", err)
-		} else if err = prepareWebhooks(e, repo, HookEventRepository, &api.RepositoryPayload{
+		}
+
+		if !t.IsMember(doer.ID) {
+			// If creator not in owner team, make repo admin
+			if err = repo.addCollaborator(e, doer); err != nil {
+				return fmt.Errorf("AddCollaborator: %v", err)
+			} else if err = repo.changeCollaborationAccessMode(e, doer.ID, AccessModeAdmin); err != nil {
+				return fmt.Errorf("ChangeCollaborationAccessMode: %v", err)
+			}
+		}
+
+		if err = prepareWebhooks(e, repo, HookEventRepository, &api.RepositoryPayload{
 			Action:       api.HookRepoCreated,
 			Repository:   repo.innerAPIFormat(e, AccessModeOwner, false),
 			Organization: u.APIFormat(),

models/repo_collaboration.go

@@ -16,41 +16,39 @@ type Collaboration struct {
 	Mode   AccessMode `xorm:"DEFAULT 2 NOT NULL"`
 }
 
-// AddCollaborator adds new collaboration to a repository with default access mode.
-func (repo *Repository) AddCollaborator(u *User) error {
+func (repo *Repository) addCollaborator(e Engine, u *User) error {
 	collaboration := &Collaboration{
 		RepoID: repo.ID,
 		UserID: u.ID,
 	}
 
-	has, err := x.Get(collaboration)
+	has, err := e.Get(collaboration)
 	if err != nil {
 		return err
 	} else if has {
 		return nil
 	}
 	collaboration.Mode = AccessModeWrite
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	if _, err = sess.InsertOne(collaboration); err != nil {
+	if _, err = e.InsertOne(collaboration); err != nil {
 		return err
 	}
 
 	if repo.Owner.IsOrganization() {
-		err = repo.recalculateTeamAccesses(sess, 0)
+		err = repo.recalculateTeamAccesses(e, 0)
 	} else {
-		err = repo.recalculateAccesses(sess)
+		err = repo.recalculateAccesses(e)
 	}
 	if err != nil {
 		return fmt.Errorf("recalculateAccesses 'team=%v': %v", repo.Owner.IsOrganization(), err)
 	}
 
-	return sess.Commit()
+	return nil
+}
+
+// AddCollaborator adds new collaboration to a repository with default access mode.
+func (repo *Repository) AddCollaborator(u *User) error {
+	return repo.addCollaborator(x, u)
 }
 
 func (repo *Repository) getCollaborations(e Engine) ([]*Collaboration, error) {
@@ -98,8 +96,7 @@ func (repo *Repository) IsCollaborator(userID int64) (bool, error) {
 	return repo.isCollaborator(x, userID)
 }
 
-// ChangeCollaborationAccessMode sets new access mode for the collaboration.
-func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode) error {
+func (repo *Repository) changeCollaborationAccessMode(e Engine, uid int64, mode AccessMode) error {
 	// Discard invalid input
 	if mode <= AccessModeNone || mode > AccessModeOwner {
 		return nil
@@ -109,7 +106,7 @@ func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode
 		RepoID: repo.ID,
 		UserID: uid,
 	}
-	has, err := x.Get(collaboration)
+	has, err := e.Get(collaboration)
 	if err != nil {
 		return fmt.Errorf("get collaboration: %v", err)
 	} else if !has {
@@ -121,22 +118,21 @@ func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode
 	}
 	collaboration.Mode = mode
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
-	if _, err = sess.
+	if _, err = e.
 		ID(collaboration.ID).
 		Cols("mode").
 		Update(collaboration); err != nil {
 		return fmt.Errorf("update collaboration: %v", err)
-	} else if _, err = sess.Exec("UPDATE access SET mode = ? WHERE user_id = ? AND repo_id = ?", mode, uid, repo.ID); err != nil {
+	} else if _, err = e.Exec("UPDATE access SET mode = ? WHERE user_id = ? AND repo_id = ?", mode, uid, repo.ID); err != nil {
 		return fmt.Errorf("update access table: %v", err)
 	}
 
-	return sess.Commit()
+	return nil
+}
+
+// ChangeCollaborationAccessMode sets new access mode for the collaboration.
+func (repo *Repository) ChangeCollaborationAccessMode(uid int64, mode AccessMode) error {
+	return repo.changeCollaborationAccessMode(x, uid, mode)
 }
 
 // DeleteCollaboration removes collaboration relation between the user and repository.