From cb3bb23e7918159e14f7b928e7db160524e1c4b7 Mon Sep 17 00:00:00 2001
From: yystopf
Date: Mon, 20 Feb 2023 16:47:19 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=EF=BC=9A=E6=93=8D=E4=BD=9C?= =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/controllers/api/v1/base_controller.rb | 1 -
 .../api/v1/issues/issue_tags_controller.rb | 3 ++-
 app/controllers/api/v1/issues/journals_controller.rb | 5 +++++
 .../api/v1/issues/milestones_controller.rb | 3 ++-
 app/controllers/api/v1/issues_controller.rb | 12 +++++++-----
 .../api/v1/projects/collaborators_controller.rb | 2 +-
 app/views/api/v1/issues/show.json.jbuilder | 1 +
 7 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 771adcc05..c6a4f180d 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -52,7 +52,6 @@ class Api::V1::BaseController < ApplicationController
 # 具有仓库的操作权限或者fork仓库的操作权限
 def require_operate_above_or_fork_project
 @project = load_project
- puts !current_user.admin? && !@project.operator?(current_user) && !(@project.fork_project.present? && @project.fork_project.operator?(current_user))
 return render_forbidden if !current_user.admin? && !@project.operator?(current_user) && !(@project.fork_project.present? && @project.fork_project.operator?(current_user))
 end
diff --git a/app/controllers/api/v1/issues/issue_tags_controller.rb b/app/controllers/api/v1/issues/issue_tags_controller.rb
index 63d8fb605..7038ddcae 100644
--- a/app/controllers/api/v1/issues/issue_tags_controller.rb
+++ b/app/controllers/api/v1/issues/issue_tags_controller.rb
@@ -1,6 +1,7 @@
 class Api::V1::Issues::IssueTagsController < Api::V1::BaseController
- before_action :require_public_and_member_above, only: [:index, :create, :update, :destroy]
+ before_action :require_public_and_member_above, only: [:index]
+ before_action :require_operate_above, only: [:create, :update, :destroy]
 def index
 @issue_tags = @project.issue_tags.order("#{order_by} #{order_direction}")
diff --git a/app/controllers/api/v1/issues/journals_controller.rb b/app/controllers/api/v1/issues/journals_controller.rb
index 55e820611..cd0996277 100644
--- a/app/controllers/api/v1/issues/journals_controller.rb
+++ b/app/controllers/api/v1/issues/journals_controller.rb
@@ -3,6 +3,7 @@ class Api::V1::Issues::JournalsController < Api::V1::IssuesController
 before_action :require_public_and_member_above, only: [:index, :create, :children_journals, :update, :destroy]
 before_action :load_issue, only: [:index, :create, :children_journals, :update, :destroy]
 before_action :load_journal, only: [:children_journals, :update, :destroy]
+ before_action :check_journal_operate_permission, only: [:update, :destroy]
 def index
 @object_results = Api::V1::Issues::Journals::ListService.call(@issue, query_params, current_user)
@@ -45,4 +46,8 @@ class Api::V1::Issues::JournalsController < Api::V1::IssuesController
 return render_not_found("评论不存在!") unless @journal.present?
 end
+ def check_journal_operate_permission
+ return render_forbidden("您没有操作权限!") unless current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user || @journal.user == current_user)
+ end
+
 end
\ No newline at end of file
diff --git a/app/controllers/api/v1/issues/milestones_controller.rb b/app/controllers/api/v1/issues/milestones_controller.rb
index 79b1aa15b..3bbbbdefa 100644
--- a/app/controllers/api/v1/issues/milestones_controller.rb
+++ b/app/controllers/api/v1/issues/milestones_controller.rb
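Review bot: `before_action :check_journal_operate_permission, only: [:update, :destroy]` is not the first permission filter journals#update/#destroy hit: the superclass `Api::V1::IssuesController` (named in the hunk header) declares `before_action :check_issue_operate_permission, only: [:update, :destroy]`, Rails subclasses inherit that callback, and the three filters redeclared on lines 3–5 are moved to the end of the chain, so the inherited check runs first, before `load_issue`/`load_journal` have run and with a predicate that has no `@journal.user == current_user` clause. A comment author who is neither a member nor the issue author is therefore rejected (or trips over a nil `@issue`) before the new method executes, which makes its last clause dead for exactly the user it is meant to admit. Unless line 2 (outside the hunk) already does so, add `skip_before_action :check_issue_operate_permission, only: [:update, :destroy]` above the new filter; the inherited `require_operate_above` for `batch_*` is harmless here because those actions do not exist on this controller.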
@@ -1,5 +1,6 @@
 class Api::V1::Issues::MilestonesController < Api::V1::BaseController
- before_action :require_public_and_member_above
+ before_action :require_public_and_member_above, only: [:index, :show]
+ before_action :require_operate_above, only: [:create, :update, :destroy]
 before_action :load_milestone, only: [:show, :update, :destroy]
 # 里程碑列表
diff --git a/app/controllers/api/v1/issues_controller.rb b/app/controllers/api/v1/issues_controller.rb
index d1f8a83a1..562a360dc 100644
--- a/app/controllers/api/v1/issues_controller.rb
+++ b/app/controllers/api/v1/issues_controller.rb
@@ -1,6 +1,8 @@
 class Api::V1::IssuesController < Api::V1::BaseController
- before_action :require_public_and_member_above, only: [:index, :show, :create, :update, :destroy, :batch_update, :batch_destroy]
+ before_action :require_public_and_member_above, only: [:index, :show, :create, :update, :destroy]
+ before_action :require_operate_above, only: [:batch_update, :batch_destroy]
+ before_action :check_issue_operate_permission, only: [:update, :destroy]
 def index
 @object_results = Api::V1::Issues::ListService.call(@project, query_params, current_user)
@@ -17,6 +19,7 @@ class Api::V1::IssuesController < Api::V1::BaseController
 before_action :load_issue, only: [:show, :update, :destroy]
 def show
+ @user_permission = current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user)
 end
 def update
@@ -58,8 +61,6 @@ class Api::V1::IssuesController < Api::V1::BaseController
 @issue = @project.issues.where(project_issues_index: params[:id]).where.not(id: params[:id]).take || Issue.find_by_id(params[:id])
 if @issue.blank?
 render_not_found("疑修不存在!")
- elsif @issue.present? && @issue.is_lock &&!(@project.member?(current_user) || current_user.admin?)
- render_forbidden("您没有权限操作!")
 end
 end
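Review bot: `before_action :check_issue_operate_permission, only: [:update, :destroy]` is declared above `before_action :load_issue, only: [:show, :update, :destroy]` (line 19 in the next hunk), so on update/destroy the filter evaluates `@issue.user` while `@issue` is still nil; members and admins short-circuit past it, but a logged-in non-member — the issue author this clause is meant to admit — gets a `NoMethodError` on nil instead of either access or a 403, unless something earlier in the chain (not visible here) assigns `@issue`. Declare the check after the loader, e.g. place `before_action :load_issue, only: [:show, :update, :destroy]` and then `before_action :check_issue_operate_permission, only: [:update, :destroy]` together. A request spec for issue-author-but-not-member on update would catch this.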
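Review bot: Dropping the `is_lock` branch from `load_issue` (and from the batch loader in the next hunk) changes what a lock means: `check_issue_operate_permission` admits `@issue.user == current_user` without consulting `@issue.is_lock`, so an issue's author can now update or destroy an issue the old code refused to touch while it was locked. If a lock is meant to freeze the issue for everyone below member, keep it in the new filter, e.g. `return render_forbidden("您没有操作权限!") if @issue.is_lock && !(@project.member?(current_user) || current_user.admin?)` as its first line. For batch_update/batch_destroy the removal is covered only if `require_operate_above` implies membership, which is not visible here; `show` on a locked issue now succeeds for non-members with `user_permission` false, which looks intended.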
@@ -69,13 +70,14 @@ class Api::V1::IssuesController < Api::V1::BaseController
 @issue = Issue.find_by_id(id)
 if @issue.blank?
 return render_not_found("ID为#{id}的疑修不存在!")
- elsif @issue.present? && @issue.is_lock &&!(@project.member?(current_user) || current_user.admin?)
- return render_forbidden("ID为#{id}的疑修您没有权限操作!")
 end
 end
 @issues = Issue.where(id: params[:ids])
 end
+ def check_issue_operate_permission
+ return render_forbidden("您没有操作权限!") unless current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user)
+ end
 private
diff --git a/app/controllers/api/v1/projects/collaborators_controller.rb b/app/controllers/api/v1/projects/collaborators_controller.rb
index 67a96378e..cd9002a99 100644
--- a/app/controllers/api/v1/projects/collaborators_controller.rb
+++ b/app/controllers/api/v1/projects/collaborators_controller.rb
@@ -3,7 +3,7 @@ class Api::V1::Projects::CollaboratorsController < Api::V1::BaseController
 before_action :require_public_and_member_above, only: [:index]
 def index
- @collaborators = @project.all_collaborators.ransack(name_or_login_cont: params[:keyword]).result
+ @collaborators = @project.all_collaborators.like(params[:keyword])
 @collaborators = kaminary_select_paginate(@collaborators)
 end
diff --git a/app/views/api/v1/issues/show.json.jbuilder b/app/views/api/v1/issues/show.json.jbuilder
index 8746417b5..55028fc64 100644
--- a/app/views/api/v1/issues/show.json.jbuilder
+++ b/app/views/api/v1/issues/show.json.jbuilder
@@ -1 +1,2 @@
 json.partial! "api/v1/issues/detail", locals: {issue: @issue}
+json.user_permission @user_permission
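Review bot: `check_issue_operate_permission` spells out the same authorization predicate that `show` assigns to `@user_permission` in an earlier hunk and that `Api::V1::Issues::JournalsController#check_journal_operate_permission` repeats with one extra clause; three hand-copied versions of one rule will drift apart. It is also defined above `private`, so it is a public controller method rather than a filter helper. Extract a single predicate under `private`, have both the filter and `show` call it, and let the journals check delegate to it (`return if @journal.user == current_user`, then the issue rule).
```ruby
  # … unchanged: batch loader above …
  def check_issue_operate_permission
    return render_forbidden("您没有操作权限!") unless issue_operate_permission?
  end

  private

  # One definition of "may edit/delete this issue"; show stores the same value in @user_permission.
  def issue_operate_permission?
    current_user.present? && current_user.logged? &&
      (@project.member?(current_user) || current_user.admin? || @issue.user == current_user)
  end
```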
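Review bot: `like(params[:keyword])` hands raw user input to a scope that is not part of this diff, whereas the ransack predicate it replaces skipped a missing key; confirm that `all_collaborators.like` tolerates a nil or empty `keyword` (no `LIKE '%%'` full scan, no exception) and that it builds the pattern through bind parameters with `sanitize_sql_like`, so `%` and `_` in the keyword match literally instead of acting as wildcards. A request spec covering keyword absent, empty, and containing `%` would pin both behaviours.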