Mirror of https://codeberg.org/forgejo/forgejo.git, synced 2026-06-22 10:02:15 +00:00
chore: refactor REST API permission check (refactor comparison)
- All middleware enforcing permissions are refactored to use the `apiv1_permissions` interface rather than accessing data members. Unless specified below, their logic is otherwise unmodified.
- `repoAssignment()` permissions are split out in `repoAccess()` and they are verified to always be used together with `FollowedBy`.
- `commentAssignment()` permissions are split out in `ReqValidCommentID()` and they are verified to always be used together with `FollowedBy`.
- `checkPermission()` is a helper for permission middleware that do not have arguments other than the context.
- `tokenRequiresScopes()` and `tokenRequiresRepoOwnerScope()` both rely on the determination of the permission level (read or write) based on the HTTP method (`GET`, `PUT`, etc.). This logic was moved to the `requiredScopeLevel()` function and the result provided in argument to the permission function. The permission functions do not know about the HTTP method.
- `ReqSelfOrAdmin` has a new anonymous function helper to compare the user names instead of the pointers because it is more correct. This is not a bug fix but it is more robust.
parent 17616708fd
commit 172e1d75cf
1 changed files with 405 additions and 462 deletions
File diff suppressed because it is too large
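Since the diff is not shown, here is an added Go sketch (not Forgejo's code) of two points from the commit message: deriving the scope level from the HTTP method outside the permission function, and comparing user names rather than pointers. The `ScopeLevel` and `User` types, `tokenAllows`, `isSelfOrAdmin`, and the choice of which methods count as writes are assumptions of this example; only the name `requiredScopeLevel` comes from the message.

```go
package main

import (
	"fmt"
	"net/http"
)

// ScopeLevel and User are hypothetical types for this example, not Forgejo's.
type ScopeLevel int

const (
	Read ScopeLevel = iota
	Write
)

type User struct{ Name string }

// requiredScopeLevel derives the level from the HTTP method. Treating
// POST, PUT, PATCH and DELETE as writes is an assumption of this example.
func requiredScopeLevel(method string) ScopeLevel {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return Write
	}
	return Read
}

// tokenAllows never sees the request: it only receives the computed level.
func tokenAllows(granted, required ScopeLevel) bool {
	return granted >= required
}

// isSelfOrAdmin compares names, so two separately loaded copies of the
// same account still match; comparing the pointers would not.
func isSelfOrAdmin(doer, target *User, doerIsAdmin bool) bool {
	if doer == nil || target == nil {
		return false
	}
	sameName := func(a, b *User) bool { return a.Name == b.Name }
	return doerIsAdmin || sameName(doer, target)
}

func main() {
	// Constructed sample: the same account loaded twice into distinct structs.
	doer, target := &User{Name: "alice"}, &User{Name: "alice"}
	fmt.Println("pointers equal:", doer == target)
	fmt.Println("self or admin:", isSelfOrAdmin(doer, target, false))
	fmt.Println("read token on PUT:", tokenAllows(Read, requiredScopeLevel(http.MethodPut)))
}
```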