feat: [CODE-2245] (Public Access) Enforce repo-review permission (#2522)

* updated permission with review wherever is needed

app/api/controller/pullreq/comment_create.go

@@ -105,7 +105,7 @@ func (c *Controller) CommentCreate(
 		return nil, err
 	}
 
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/comment_delete.go

@@ -35,7 +35,7 @@ func (c *Controller) CommentDelete(
 	prNum int64,
 	commentID int64,
 ) error {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/comment_status.go

@@ -59,7 +59,7 @@ func (c *Controller) CommentStatus(
 	commentID int64,
 	in *CommentStatusInput,
 ) (*types.PullReqActivity, error) {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/comment_update.go

@@ -58,7 +58,7 @@ func (c *Controller) CommentUpdate(
 		return nil, err
 	}
 
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/file_view_add.go

@@ -62,7 +62,7 @@ func (c *Controller) FileViewAdd(
 		return nil, err
 	}
 
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/file_view_delete.go

@@ -31,7 +31,7 @@ func (c *Controller) FileViewDelete(
 	prNum int64,
 	filePath string,
 ) error {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/label_assign.go

@@ -35,7 +35,7 @@ func (c *Controller) AssignLabel(
 	pullreqNum int64,
 	in *types.PullReqCreateInput,
 ) (*types.PullReqLabel, error) {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to target repo: %w", err)
 	}

app/api/controller/pullreq/label_unassign.go

@@ -34,7 +34,7 @@ func (c *Controller) UnassignLabel(
 	pullreqNum int64,
 	labelID int64,
 ) error {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoPush)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return fmt.Errorf("failed to acquire access to target repo: %w", err)
 	}

app/api/controller/pullreq/review_submit.go

@@ -67,7 +67,7 @@ func (c *Controller) ReviewSubmit(
 		return nil, err
 	}
 
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}

app/api/controller/pullreq/reviewer_add.go

@@ -43,7 +43,7 @@ func (c *Controller) ReviewerAdd(
 	prNum int64,
 	in *ReviewerAddInput,
 ) (*types.PullReqReviewer, error) {
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}
@@ -91,7 +91,7 @@ func (c *Controller) ReviewerAdd(
 		if err = apiauth.CheckRepo(ctx, c.authorizer, &auth.Session{
 			Principal: *reviewerPrincipal,
 			Metadata:  nil,
-		}, repo, enum.PermissionRepoView); err != nil {
+		}, repo, enum.PermissionRepoReview); err != nil {
 			log.Ctx(ctx).Info().Msgf("Reviewer principal: %s access error: %s", reviewerInfo.UID, err)
 			return nil, usererror.BadRequest("The reviewer doesn't have enough permissions for the repository.")
 		}

app/api/controller/pullreq/reviewer_delete.go

@@ -53,7 +53,7 @@ func (c *Controller) ReviewerDelete(
 	var reqPermission enum.Permission
 	switch {
 	case session.Principal.ID == reviewer.PrincipalID:
-		reqPermission = enum.PermissionRepoView // Anybody should be allowed to remove their own reviews.
+		reqPermission = enum.PermissionRepoReview // Anybody can remove their own reviews with RepoReview permission.
 	case reviewer.ReviewDecision == enum.PullReqReviewDecisionPending:
 		reqPermission = enum.PermissionRepoPush // The reviewer was asked for a review but didn't submit it yet.
 	default:

app/api/controller/repo/label_value_define.go

@@ -48,7 +48,7 @@ func (c *Controller) DefineLabelValue(
 
 	permission := enum.PermissionRepoEdit
 	if label.Type == enum.LabelTypeDynamic {
-		permission = enum.PermissionRepoPush
+		permission = enum.PermissionRepoReview
 	}
 
 	if err = apiauth.CheckRepo(

app/api/controller/upload/upload.go

@@ -42,7 +42,7 @@ func (c *Controller) Upload(ctx context.Context,
 	file io.Reader,
 ) (*Result, error) {
 	// Permission check to see if the user in request has access to the repo.
-	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoView)
+	repo, err := c.getRepoCheckAccess(ctx, session, repoRef, enum.PermissionRepoReview)
 	if err != nil {
 		return nil, fmt.Errorf("failed to acquire access to repo: %w", err)
 	}