Add "Allow edits from maintainer" feature (#18002)

Adds a feature [like GitHub has](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork) (step 7). If you create a new PR from a forked repo, you can select (and change later, but only if you are the PR creator/poster) the "Allow edits from maintainers" option. Then users with write access to the base branch get more permissions on this branch: * use the update pull request button * push directly from the command line (`git push`) * edit/delete/upload files via web UI * use related API endpoints You can't merge PRs to this branch with this enabled, you'll need "full" code write permissions. This feature has a pretty big impact on the permission system. I might forgot changing some things or didn't find security vulnerabilities. In this case, please leave a review or comment on this PR. Closes #17728 Co-authored-by: 6543 <6543@obermui.de>
author: qwerty287 <80460567+qwerty287@users.noreply.github.com> 2022-04-28 17:45:33 +0200
committer: GitHub <noreply@github.com> 2022-04-28 17:45:33 +0200
commit: 8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf (patch)
tree: 46049742d086daa7683db502883a58e94370a583 /services
parent: Better describe what `/repos/{owner}/{repo}/raw/{filepath}` returns on 200 (#... (diff)
download: forgejo-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.tar.xz
forgejo-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.zip
3 files changed, 69 insertions, 9 deletions
diff --git a/services/forms/repo_form.go b/services/forms/repo_form.go
index 80123e9af3..f40e99a044 100644
--- a/services/forms/repo_form.go
+++ b/services/forms/repo_form.go
@@ -422,15 +422,16 @@ func (f *NewPackagistHookForm) Validate(req *http.Request, errs binding.Errors)
 
 // CreateIssueForm form for creating issue
 type CreateIssueForm struct {
-	Title       string `binding:"Required;MaxSize(255)"`
-	LabelIDs    string `form:"label_ids"`
-	AssigneeIDs string `form:"assignee_ids"`
-	Ref         string `form:"ref"`
-	MilestoneID int64
-	ProjectID   int64
-	AssigneeID  int64
-	Content     string
-	Files       []string
+	Title               string `binding:"Required;MaxSize(255)"`
+	LabelIDs            string `form:"label_ids"`
+	AssigneeIDs         string `form:"assignee_ids"`
+	Ref                 string `form:"ref"`
+	MilestoneID         int64
+	ProjectID           int64
+	AssigneeID          int64
+	Content             string
+	Files               []string
+	AllowMaintainerEdit bool
 }
 
 // Validate validates the fields
@@ -684,6 +685,11 @@ type DismissReviewForm struct {
 	Message  string
 }
 
+// UpdateAllowEditsForm form for changing if PR allows edits from maintainers
+type UpdateAllowEditsForm struct {
+	AllowMaintainerEdit bool
+}
+
 // __________       .__
 // \______   \ ____ |  |   ____ _____    ______ ____
 //  |       _// __ \|  | _/ __ \\__  \  /  ___// __ \
diff --git a/services/pull/edits.go b/services/pull/edits.go
new file mode 100644
index 0000000000..68515ec141
--- /dev/null
+++ b/services/pull/edits.go
@@ -0,0 +1,40 @@
+// Copyright 2022 The Gitea Authors.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package pull
+
+import (
+	"context"
+	"errors"
+
+	"code.gitea.io/gitea/models"
+	unit_model "code.gitea.io/gitea/models/unit"
+	user_model "code.gitea.io/gitea/models/user"
+)
+
+var ErrUserHasNoPermissionForAction = errors.New("user not allowed to do this action")
+
+// SetAllowEdits allow edits from maintainers to PRs
+func SetAllowEdits(ctx context.Context, doer *user_model.User, pr *models.PullRequest, allow bool) error {
+	if doer == nil || !pr.Issue.IsPoster(doer.ID) {
+		return ErrUserHasNoPermissionForAction
+	}
+
+	if err := pr.LoadHeadRepo(); err != nil {
+		return err
+	}
+
+	permission, err := models.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
+	if err != nil {
+		return err
+	}
+
+	if !permission.CanWrite(unit_model.TypeCode) {
+		return ErrUserHasNoPermissionForAction
+	}
+
+	pr.AllowMaintainerEdit = allow
+	return models.UpdateAllowEdits(ctx, pr)
+}
diff --git a/services/pull/update.go b/services/pull/update.go
index 899bee1f19..2d845e8504 100644
--- a/services/pull/update.go
+++ b/services/pull/update.go
@@ -111,11 +111,25 @@ func IsUserAllowedToUpdate(ctx context.Context, pull *models.PullRequest, user *
 		return false, false, nil
 	}
 
+	baseRepoPerm, err := models.GetUserRepoPermission(ctx, pull.BaseRepo, user)
+	if err != nil {
+		return false, false, err
+	}
+
 	mergeAllowed, err = IsUserAllowedToMerge(pr, headRepoPerm, user)
 	if err != nil {
 		return false, false, err
 	}
 
+	if pull.AllowMaintainerEdit {
+		mergeAllowedMaintainer, err := IsUserAllowedToMerge(pr, baseRepoPerm, user)
+		if err != nil {
+			return false, false, err
+		}
+
+		mergeAllowed = mergeAllowed || mergeAllowedMaintainer
+	}
+
 	return mergeAllowed, rebaseAllowed, nil
 }
author	qwerty287 <80460567+qwerty287@users.noreply.github.com>	2022-04-28 17:45:33 +0200
committer	GitHub <noreply@github.com>	2022-04-28 17:45:33 +0200
commit	8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf (patch)
tree	46049742d086daa7683db502883a58e94370a583 /services
parent	Better describe what `/repos/{owner}/{repo}/raw/{filepath}` returns on 200 (#... (diff)
download	forgejo-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.tar.xz forgejo-8eb1cd9264af9493e0f57a4a4c0a1f764f7cefcf.zip