diff --git a/app/api/controller/check/controller.go b/app/api/controller/check/controller.go
index cb71affa2..20679e3c9 100644
--- a/app/api/controller/check/controller.go
+++ b/app/api/controller/check/controller.go
@@ -19,6 +19,7 @@ import (
 "fmt"
 apiauth "github.com/harness/gitness/app/api/auth"
+ "github.com/harness/gitness/app/api/controller/space"
 "github.com/harness/gitness/app/api/usererror"
 "github.com/harness/gitness/app/auth"
 "github.com/harness/gitness/app/auth/authz"
@@ -84,17 +85,5 @@ func (c *Controller) getSpaceCheckAccess(
 spaceRef string,
 permission enum.Permission,
 ) (*types.Space, error) {
- space, err := c.spaceStore.FindByRef(ctx, spaceRef)
- if err != nil {
- return nil, fmt.Errorf("parent space not found: %w", err)
- }
-
- scope := &types.Scope{SpacePath: space.Path}
- resource := &types.Resource{Type: enum.ResourceTypeRepo}
- err = apiauth.Check(ctx, c.authorizer, session, scope, resource, permission)
- if err != nil {
- return nil, fmt.Errorf("auth check failed: %w", err)
- }
-
- return space, nil
+ return space.GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }
diff --git a/app/api/controller/space/controller.go b/app/api/controller/space/controller.go
index e410d3f52..427790c84 100644
--- a/app/api/controller/space/controller.go
+++ b/app/api/controller/space/controller.go
@@ -151,17 +151,7 @@ func (c *Controller) getSpaceCheckAuth(
 spaceRef string,
 permission enum.Permission,
 ) (*types.Space, error) {
- space, err := c.spaceStore.FindByRef(ctx, spaceRef)
- if err != nil {
- return nil, fmt.Errorf("parent space not found: %w", err)
- }
-
- err = apiauth.CheckSpace(ctx, c.authorizer, session, space, permission)
- if err != nil {
- return nil, fmt.Errorf("auth check failed: %w", err)
- }
-
- return space, nil
+ return GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }
 func (c *Controller) getSpaceCheckAuthRepoCreation(
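Review bot: Delegating `getSpaceCheckAccess` in `check/controller.go` to `space.GetSpaceCheckAuth` is not a pure refactor, because the removed body authorized through `apiauth.Check` with `types.Scope{SpacePath: space.Path}` and `types.Resource{Type: enum.ResourceTypeRepo}`, while the shared helper calls `apiauth.CheckSpace` on the space itself. Any caller that still passes a repo-level permission would now have it evaluated against a space resource, so each call site's `permission` argument should be confirmed to be a space permission; the callers and the start of the signature lie outside this hunk. The same applies to `getSpaceCheckAccess` in `app/api/controller/webhook/controller.go`. A doc comment on the wrapper would make the new contract explicit, e.g. `// getSpaceCheckAccess authorizes permission against the space itself (not repos within it) and returns the space.`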
diff --git a/app/api/controller/space/helper.go b/app/api/controller/space/helper.go
index 9d1eb1292..4d79c3427 100644
--- a/app/api/controller/space/helper.go
+++ b/app/api/controller/space/helper.go
@@ -18,11 +18,37 @@ import (
 "context"
 "fmt"
+ apiauth "github.com/harness/gitness/app/api/auth"
+ "github.com/harness/gitness/app/auth"
+ "github.com/harness/gitness/app/auth/authz"
 "github.com/harness/gitness/app/services/publicaccess"
+ "github.com/harness/gitness/app/store"
 "github.com/harness/gitness/types"
 "github.com/harness/gitness/types/enum"
 )
+ // GetSpaceCheckAuth checks whether the user has the requested permission on the provided space and returns the space.
+func GetSpaceCheckAuth(
+ ctx context.Context,
+ spaceStore store.SpaceStore,
+ authorizer authz.Authorizer,
+ session *auth.Session,
+ spaceRef string,
+ permission enum.Permission,
+) (*types.Space, error) {
+ space, err := spaceStore.FindByRef(ctx, spaceRef)
+ if err != nil {
+ return nil, fmt.Errorf("space not found: %w", err)
+ }
+
+ err = apiauth.CheckSpace(ctx, authorizer, session, space, permission)
+ if err != nil {
+ return nil, fmt.Errorf("auth check failed: %w", err)
+ }
+
+ return space, nil
+}
+
 func GetSpaceOutput(
 ctx context.Context,
 publicAccess publicaccess.Service,
diff --git a/app/api/controller/webhook/controller.go b/app/api/controller/webhook/controller.go
index 59e4dad00..409316b38 100644
--- a/app/api/controller/webhook/controller.go
+++ b/app/api/controller/webhook/controller.go
@@ -19,6 +19,7 @@ import (
 "fmt"
 apiauth "github.com/harness/gitness/app/api/auth"
+ "github.com/harness/gitness/app/api/controller/space"
 "github.com/harness/gitness/app/auth"
 "github.com/harness/gitness/app/auth/authz"
 "github.com/harness/gitness/app/services/webhook"
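Review bot: `GetSpaceCheckAuth` resolves the space with `spaceStore.FindByRef` before calling `apiauth.CheckSpace` and wraps the two failures differently, so whether a caller without access can tell a missing space from a forbidden one depends on how the API layer maps these wrapped errors, which is not visible in this hunk. The doc comment should state that ordering and that a non-nil space is returned only after the authorization check has passed. Separately, every `FindByRef` failure is labelled `space not found`, including store errors that are not a miss; a neutral wrap such as `fmt.Errorf("failed to find space: %w", err)` keeps logs from misreporting an outage as a missing space.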
@@ -80,17 +81,5 @@ func (c *Controller) getSpaceCheckAccess(
 spaceRef string,
 permission enum.Permission,
 ) (*types.Space, error) {
- space, err := c.spaceStore.FindByRef(ctx, spaceRef)
- if err != nil {
- return nil, fmt.Errorf("parent space not found: %w", err)
- }
-
- scope := &types.Scope{SpacePath: space.Path}
- resource := &types.Resource{Type: enum.ResourceTypeRepo}
- err = apiauth.Check(ctx, c.authorizer, session, scope, resource, permission)
- if err != nil {
- return nil, fmt.Errorf("auth check failed: %w", err)
- }
-
- return space, nil
+ return space.GetSpaceCheckAuth(ctx, c.spaceStore, c.authorizer, session, spaceRef, permission)
 }
diff --git a/app/api/controller/webhook/repo_retrigger_execution.go b/app/api/controller/webhook/repo_retrigger_execution.go
index fcecd5313..a7240c5e7 100644
--- a/app/api/controller/webhook/repo_retrigger_execution.go
+++ b/app/api/controller/webhook/repo_retrigger_execution.go
@@ -31,7 +31,7 @@ func (c *Controller) RetriggerExecutionRepo(
 webhookIdentifier string,
 webhookExecutionID int64,
 ) (*types.WebhookExecution, error) {
- repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+ repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoEdit)
 if err != nil {
 return nil, fmt.Errorf("failed to acquire access to the repo: %w", err)
 }
diff --git a/app/api/controller/webhook/space_retrigger_execution.go b/app/api/controller/webhook/space_retrigger_execution.go
index 6b324b165..29827c69b 100644
--- a/app/api/controller/webhook/space_retrigger_execution.go
+++ b/app/api/controller/webhook/space_retrigger_execution.go
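Review bot: Nothing at the `getRepoCheckAccess` call in `RetriggerExecutionRepo` records why retriggering now requires `enum.PermissionRepoEdit` rather than view access, so a later cleanup could quietly relax it again. A short comment above the check would pin the intent, e.g. `// Retriggering starts a new webhook execution, so it is gated on edit rather than view permission.` (that it starts a new execution is inferred from the name and the `*types.WebhookExecution` return type). The same applies to the `enum.PermissionSpaceEdit` change in `space_retrigger_execution.go`. A test asserting that a view-only session is rejected by both `RetriggerExecutionRepo` and `RetriggerExecutionSpace` would guard against regression; both function bodies continue past their hunks.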
@@ -31,7 +31,7 @@ func (c *Controller) RetriggerExecutionSpace(
 webhookIdentifier string,
 webhookExecutionID int64,
 ) (*types.WebhookExecution, error) {
- space, err := c.getSpaceCheckAccess(ctx, session, spaceRef, enum.PermissionSpaceView)
+ space, err := c.getSpaceCheckAccess(ctx, session, spaceRef, enum.PermissionSpaceEdit)
 if err != nil {
 return nil, fmt.Errorf("failed to acquire access to space: %w", err)
 }