go-gitea · sclu1034 · Mar 30, 2023 · Mar 31, 2023 · Apr 2, 2023 · May 2, 2023
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -1412,6 +1412,7 @@ func Routes() *web.Route {
 				m.Delete("", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)
 				m.Get("/files", reqToken(), packages.ListPackageFiles)
 			})
+			m.Post("/{type}/{name}/link", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.LinkPackage)
 			m.Get("/", reqToken(), packages.ListPackages)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryPackage), context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))
 

diff --git a/routers/api/v1/packages/package.go b/routers/api/v1/packages/package.go
@@ -4,6 +4,7 @@
 package packages
 
 import (
+	"errors"
 	"net/http"
 
 	"code.gitea.io/gitea/models/packages"
@@ -213,3 +214,54 @@ func ListPackageFiles(ctx *context.APIContext) {
 
 	ctx.JSON(http.StatusOK, apiPackageFiles)
 }
+
+// LinkPackage sets a repository link for a package
+func LinkPackage(ctx *context.APIContext) {
+	// swagger:operation POST /packages/{owner}/{type}/{name}/link package linkPackage
+	// ---
+	// summary: Link a package to a repository
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the package
+	//   type: string
+	//   required: true
+	// - name: type
+	//   in: path
+	//   description: type of the package
+	//   type: string
+	//   required: true
+	// - name: name
+	//   in: path
+	//   description: name of the package
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: query
+	//   description: ID of the repository to link
+	//   type: integer
+	//   required: true
+	// responses:
+	//   "201":
+	//     "$ref": "#/responses/empty"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	pkg, err := packages.GetPackageByName(ctx, ctx.ContextUser.ID, packages.Type(ctx.Params("type")), ctx.Params("name"))
+	if err != nil {
+		if errors.Is(err, util.ErrNotExist) {
+			ctx.Error(http.StatusNotFound, "GetPackageByName", err)
+		} else {
+			ctx.Error(http.StatusInternalServerError, "GetPackageByName", err)
+		}
+		return
+	}
+
+	err = packages_service.LinkPackageToRepository(ctx, ctx.Doer, pkg, ctx.FormInt64("repo"))
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "LinkPackageToRepository", err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
diff --git a/services/packages/packages.go b/services/packages/packages.go
@@ -14,7 +14,9 @@ import (
 
 	"code.gitea.io/gitea/models/db"
 	packages_model "code.gitea.io/gitea/models/packages"
+	access_model "code.gitea.io/gitea/models/perm/access"
 	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
@@ -657,3 +659,35 @@ func RemoveAllPackages(ctx context.Context, userID int64) (int, error) {
 	}
 	return count, nil
 }
+
+func LinkPackageToRepository(ctx context.Context, doer *user_model.User, p *packages_model.Package, repoID int64) error {
+	if repoID != 0 {
+		repo, err := repo_model.GetRepositoryByID(ctx, repoID)
+		if err != nil {
+			return fmt.Errorf("Error getting repository %d: %w", repoID, err)
+		}
+
+		canWrite := repo.OwnerID == doer.ID
+
+		if !canWrite {
+			perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+			if err != nil {
+				return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err)
+			}
+
+			canWrite = perms.CanWrite(unit.TypePackages)
+		}
+
+		if !canWrite {
+			return fmt.Errorf("No permissions to link this package and repository")
+		}
-		if !canWrite {
-			perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
-			if err != nil {
-				return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err)
-			}
-
-			canWrite = perms.CanWrite(unit.TypePackages)
-		}
-
-		if !canWrite {
-			return fmt.Errorf("No permissions to link this package and repository")
-		}
+	  perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+	  if err != nil {
+		  return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err)
+	  }
+
+		if !perms.CanWrite(unit.TypePackages) {
+			return fmt.Errorf("No permissions to link this package and repository")
+		}
-		if !canWrite {
-			perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
-			if err != nil {
-				return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err)
-			}
-
-			canWrite = perms.CanWrite(unit.TypePackages)
-		}
-
-		if !canWrite {
-			return fmt.Errorf("No permissions to link this package and repository")
-		}
+	  perms, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+	  if err != nil {
+		  return fmt.Errorf("Error getting repository permissions for %d on %d: %w", doer.ID, repo.ID, err)
+	  }
+
+		if !perms.CanWrite(unit.TypePackages) {
+			return fmt.Errorf("No permissions to link this package and repository")
+		}
+
+		repoID = repo.ID
+	}
+
+	if err := packages_model.SetRepositoryLink(ctx, p.ID, repoID); err != nil {
+		return fmt.Errorf("Error updating package: %w", err)
+	}
+
+	return nil
+}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
@@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	packages_model "code.gitea.io/gitea/models/packages"
 	container_model "code.gitea.io/gitea/models/packages/container"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/setting"
@@ -31,9 +32,17 @@ import (
 func TestPackageAPI(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 	session := loginUser(t, user.Name)
 	tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
+	tokenWritePackage := getTokenForLoggedInUser(
+		t,
+		session,
+		auth_model.AccessTokenScopeWritePackage,
+		auth_model.AccessTokenScopeReadPackage,
+		auth_model.AccessTokenScopeWriteRepository,
+	)
 	tokenDeletePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWritePackage)
 
 	packageName := "test-package"
@@ -99,7 +108,8 @@ func TestPackageAPI(t *testing.T) {
 			assert.Nil(t, ap1.Repository)
 
 			// link to public repository
-			assert.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, 1))
+			req = NewRequestf(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/link?repo=%d", user.Name, packageName, repo.ID)).AddTokenAuth(tokenWritePackage)
+			MakeRequest(t, req, http.StatusNoContent)
 
 			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
 				AddTokenAuth(tokenReadPackage)
@@ -108,10 +118,15 @@ func TestPackageAPI(t *testing.T) {
 			var ap2 *api.Package
 			DecodeJSON(t, resp, &ap2)
 			assert.NotNil(t, ap2.Repository)
-			assert.EqualValues(t, 1, ap2.Repository.ID)
+			assert.EqualValues(t, repo.ID, ap2.Repository.ID)
 
-			// link to private repository
-			assert.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, 2))
+			// link to repository without write access, should fail
+			req = NewRequestf(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/link?repo=%d", user.Name, packageName, 3)).AddTokenAuth(tokenWritePackage)
+			MakeRequest(t, req, http.StatusInternalServerError)
+
+			// remove link
+			req = NewRequestf(t, "POST", fmt.Sprintf("/api/v1/packages/%s/generic/%s/link?repo=%d", user.Name, packageName, 0)).AddTokenAuth(tokenWritePackage)
+			MakeRequest(t, req, http.StatusNoContent)
 
 			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).
 				AddTokenAuth(tokenReadPackage)
@@ -121,7 +136,18 @@ func TestPackageAPI(t *testing.T) {
 			DecodeJSON(t, resp, &ap3)
 			assert.Nil(t, ap3.Repository)
 
-			assert.NoError(t, packages_model.UnlinkRepositoryFromAllPackages(db.DefaultContext, 2))
+			// force link to a repository the currently logged-in user doesn't have access to
+			privateRepoID := int64(6)
+			assert.NoError(t, packages_model.SetRepositoryLink(db.DefaultContext, p.ID, privateRepoID))
+
+			req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s/generic/%s/%s", user.Name, packageName, packageVersion)).AddTokenAuth(tokenReadPackage)
+			resp = MakeRequest(t, req, http.StatusOK)
+
+			var ap4 *api.Package
+			DecodeJSON(t, resp, &ap4)
+			assert.Nil(t, ap4.Repository)
+
+			assert.NoError(t, packages_model.UnlinkRepositoryFromAllPackages(db.DefaultContext, privateRepoID))
 		})
 	})