From fe0e093a1d6189e1ea9259921a4fd9e1c7e8dfde Mon Sep 17 00:00:00 2001
From: zouap <zouap@pcl.ac.cn>
Date: Wed, 4 Aug 2021 10:21:40 +0800
Subject: [PATCH] =?UTF-8?q?=E6=95=B0=E6=8D=AE=E9=9B=86=E6=98=BE=E7=A4=BA?=
 =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=8D=8F=E4=BD=9C=E8=80=85=E5=8F=AF=E4=BB=A5?=
 =?UTF-8?q?=E6=9F=A5=E7=9C=8B=E5=8F=8A=E4=B8=8B=E8=BD=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: zouap <zouap@pcl.ac.cn>
---
 routers/repo/attachment.go | 11 ++++++++---
 routers/repo/dataset.go    | 25 +++++++++++++++++--------
 2 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go
index 3e92471bb..830f193ee 100755
--- a/routers/repo/attachment.go
+++ b/routers/repo/attachment.go
@@ -141,7 +141,7 @@ func DeleteAttachment(ctx *context.Context) {
 	})
 }
 
-func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool {
+func DownloadUserIsOrgOrCollaboration(ctx *context.Context, attach *models.Attachment) bool {
 	dataset, err := models.GetDatasetByID(attach.DatasetID)
 	if err != nil {
 		log.Info("query dataset error")
@@ -154,10 +154,15 @@ func DownloadUserIsOrg(ctx *context.Context, attach *models.Attachment) bool {
 			if repo.Owner.IsOrganization() {
 				//log.Info("ower is org.")
 				if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
-					log.Info("user may visit the attach.")
+					log.Info("org user may visit the attach.")
 					return true
 				}
 			}
+			isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)
+			if isCollaborator {
+				log.Info("Collaborator user may visit the attach.")
+				return true
+			}
 		}
 	}
 	return false
@@ -190,7 +195,7 @@ func GetAttachment(ctx *context.Context) {
 
 	if repository == nil { //If not linked
 		//if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && attach.IsPrivate { //We block if not the uploader
-		if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && !DownloadUserIsOrg(ctx, attach) { //We block if not the uploader
+		if !(ctx.IsSigned && attach.UploaderID == ctx.User.ID) && !DownloadUserIsOrgOrCollaboration(ctx, attach) { //We block if not the uploader
 			ctx.Error(http.StatusNotFound)
 			return
 		}
diff --git a/routers/repo/dataset.go b/routers/repo/dataset.go
index 53a2969fb..8b2f2abd3 100755
--- a/routers/repo/dataset.go
+++ b/routers/repo/dataset.go
@@ -28,19 +28,28 @@ func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment
 		log.Info("can write.")
 		return list
 	} else {
+		if repo.Owner == nil {
+			repo.GetOwner()
+		}
+		permission := false
+		if repo.Owner.IsOrganization() {
+			if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+				log.Info("user is member of org.")
+				permission = true
+			}
+		}
+		isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)
+		if isCollaborator {
+			log.Info("Collaborator user may visit the attach.")
+			permission = true
+		}
 		var publicList []*models.Attachment
 		for _, attach := range list {
 			if !attach.IsPrivate {
 				publicList = append(publicList, attach)
 			} else {
-				if repo.Owner == nil {
-					repo.GetOwner()
-				}
-				if repo.Owner.IsOrganization() {
-					if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
-						log.Info("user is member of org.")
-						publicList = append(publicList, attach)
-					}
+				if permission {
+					publicList = append(publicList, attach)
 				}
 			}
 		}