(user?: UserWithAccounts)
| 108 | * Returns a filter for repositories that the user has access to. |
| 109 | */ |
| 110 | export const getRepoPermissionFilterForUser = (user?: UserWithAccounts): Prisma.RepoWhereInput => { |
| 111 | // Collect the issuer URLs from the user's linked accounts. |
| 112 | // Used to grant access to public repos on connections with enforcePermissionsForPublicRepos: true. |
| 113 | const linkedAccountIssuerUrls = (user?.accounts ?? []) |
| 114 | .map(account => account.issuerUrl) |
| 115 | .filter((url): url is string => url !== null && url !== undefined); |
| 116 | |
| 117 | // One of the following conditions must be met in order |
| 118 | // for the user to be able to have access to the repo: |
| 119 | return { |
| 120 | OR: [ |
| 121 | // 1. The repo is explicitly permitted to the user |
| 122 | // via the permittedAccounts relation. |
| 123 | ...((user && user.accounts.length > 0) ? [ |
| 124 | { |
| 125 | permittedAccounts: { |
| 126 | some: { |
| 127 | accountId: { |
| 128 | in: user.accounts.map(account => account.id), |
| 129 | } |
| 130 | } |
| 131 | } |
| 132 | }, |
| 133 | ] : []), |
| 134 | // 2. The `enforcePermissions` flag is *not* set to `true` on any |
| 135 | // of the repo's connections. |
| 136 | { |
| 137 | AND: [ |
| 138 | { connections: { some: {} } }, // guard against vacuous truthiness |
| 139 | { |
| 140 | NOT: { |
| 141 | connections: { |
| 142 | some: { |
| 143 | connection: { |
| 144 | enforcePermissions: true, |
| 145 | } |
| 146 | } |
| 147 | } |
| 148 | } |
| 149 | } |
| 150 | ] |
| 151 | }, |
| 152 | // 3. The repo is public and either: |
| 153 | // - a. The `enforcePermissionsForPublicRepos` flag is *not* set to `true` |
| 154 | // on any of the repo's connections. |
| 155 | // - b. The user has a account linked to the same code host as the repo. |
| 156 | { |
| 157 | AND: [ |
| 158 | { isPublic: true }, |
| 159 | { connections: { some: {} } }, // guard against vacuous truthiness |
| 160 | { |
| 161 | OR: [ |
| 162 | { |
| 163 | NOT: { |
| 164 | connections: { |
| 165 | some: { |
| 166 | connection: { enforcePermissionsForPublicRepos: true } |
| 167 | } |
no outgoing calls
no test coverage detected