IsSafeContent determines if the specified user can safely access the requested repository content. Safe access applies when any of the following is true:
- the content was created by a trusted bot;
- the author currently has push access to the repository;
- the repository is private;
- the content was created by the viewer.
(ctx context.Context, username, owner, repo string)
| 108 | // - the repository is private; |
| 109 | // - the content was created by the viewer. |
func (c *RepoAccessCache) IsSafeContent(ctx context.Context, username, owner, repo string) (bool, error) {
	// A nil cache cannot answer the question. The result is false together
	// with an error, so the restrictive answer is the default.
	if c == nil {
		return false, fmt.Errorf("nil repo access cache")
	}

	// Trusted bots are accepted before any repository lookup is made.
	if c.isTrustedBot(username) {
		return true, nil
	}

	access, err := c.getRepoAccessInfo(ctx, username, owner, repo)
	if err != nil {
		// Lookup failures are reported as "not safe" plus the error.
		return false, err
	}

	// NOTE(review): username, owner and repo are formatted with %s. If any of
	// them can carry caller-supplied text, confirm the log sink escapes
	// control characters so one event cannot be split into several lines.
	msg := fmt.Sprintf("evaluated repo access for user %s to %s/%s for content filtering, result: hasPushAccess=%t, isPrivate=%t",
		username, owner, repo, access.HasPushAccess, access.IsPrivate)
	c.logDebug(ctx, msg)

	// Content in a private repository is accepted whoever wrote it; in any
	// other repository the author needs push access.
	if access.IsPrivate || access.HasPushAccess {
		return true, nil
	}

	// Last rule: the author is the viewer.
	viewer, err := c.viewerLoginFor(ctx)
	if err != nil {
		return false, err
	}

	// Only username is lower-cased here. Presumably viewerLoginFor already
	// returns a lower-case login; verify, because a mixed-case value would
	// never match and the viewer's own content would be filtered.
	authoredByViewer := viewer == strings.ToLower(username)
	return authoredByViewer, nil
}
| 140 | |
| 141 | func (c *RepoAccessCache) viewerLoginFor(ctx context.Context) (string, error) { |
| 142 | c.viewerMu.Lock() |