tenseleyflow/shithub / 09c93d2

+type PrivateCollaborationLimitError struct {

+	Check PrivateCollaborationCheck

+}

+

+func (e *PrivateCollaborationLimitError) Error() string {

+	if e == nil {

+		return ErrPrivateCollaborationLimitExceeded.Error()

+	}

+	if msg := e.Check.Message(); msg != "" {

+		return msg

+	}

+	return ErrPrivateCollaborationLimitExceeded.Error()

+}

+

+func (e *PrivateCollaborationLimitError) Unwrap() error {

+	return ErrPrivateCollaborationLimitExceeded

+}

+

+	return &PrivateCollaborationLimitError{Check: c}

+	"errors"

+	if check.Allowed || check.WouldUse != 4 || !errors.Is(check.Err(), entitlements.ErrPrivateCollaborationLimitExceeded) {

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	if role == orgsdb.OrgRoleOwner {

+		var check entitlements.PrivateCollaborationCheck

+		if targetUserID.Valid {

+			check, err = entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, p.OrgID, targetUserID.Int64)

+		} else {

+			check, err = entitlements.CheckPrivateInvitationSlot(ctx, entitlements.Deps{Pool: deps.Pool}, p.OrgID)

+		}

+		if err != nil {

+			return InviteResult{}, err

+		}

+		if err := check.Err(); err != nil {

+			return InviteResult{}, err

+		}

+	}

+	if inv.Role == orgsdb.OrgRoleOwner {

+		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, inv.OrgID, acceptorUserID)

+		if err != nil {

+			return err

+		}

+		if err := check.Err(); err != nil {

+			return err

+		}

+	}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	if r == orgsdb.OrgRoleOwner {

+		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, orgID, userID)

+		if err != nil {

+			return err

+		}

+		if err := check.Err(); err != nil {

+			return err

+		}

+	}

+	if current.Role != orgsdb.OrgRoleOwner && r == orgsdb.OrgRoleOwner {

+		check, err := entitlements.CheckOrgOwnerPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, orgID, userID)

+		if err != nil {

+			return err

+		}

+		if err := check.Err(); err != nil {

+			return err

+		}

+	}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package orgs_test

+

+import (

+	"context"

+	"errors"

+	"testing"

+

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	"github.com/tenseleyFlow/shithub/internal/orgs"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+)

+

+func TestOwnerExpansionRespectsPrivateCollaborationLimit(t *testing.T) {

+	pool, deps, alice := setup(t)

+	ctx := context.Background()

+	org, err := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: alice})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	repo := mustOrgRepo(t, pool, org.ID, "secret", "private")

+	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "bob"))

+	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "carol"))

+

+	dave := mustUser(t, pool, "dave")

+	if err := orgs.AddMember(ctx, deps, org.ID, dave, alice, "owner"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("AddMember owner err=%v, want private collaboration limit", err)

+	}

+	if err := orgs.AddMember(ctx, deps, org.ID, dave, alice, "member"); err != nil {

+		t.Fatalf("plain member add should not expand private collaboration: %v", err)

+	}

+	if err := orgs.ChangeRole(ctx, deps, org.ID, dave, "owner"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("ChangeRole owner err=%v, want private collaboration limit", err)

+	}

+}

+

+func TestTeamExpansionRespectsPrivateCollaborationLimit(t *testing.T) {

+	pool, deps, alice := setup(t)

+	ctx := context.Background()

+	org, err := orgs.Create(ctx, deps, orgs.CreateParams{Slug: "acme", CreatedByUserID: alice})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	repo := mustOrgRepo(t, pool, org.ID, "secret", "private")

+	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "bob"))

+	insertDirectCollab(t, pool, repo.ID, mustUser(t, pool, "carol"))

+

+	team, err := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{OrgID: org.ID, Slug: "security", CreatedByUserID: alice})

+	if err != nil {

+		t.Fatalf("create team: %v", err)

+	}

+	if err := orgs.GrantTeamRepoAccess(ctx, deps, team.ID, repo.ID, alice, "read"); err != nil {

+		t.Fatalf("empty-team private grant should not expand private collaboration: %v", err)

+	}

+	dave := mustUser(t, pool, "dave")

+	if err := orgs.AddTeamMember(ctx, deps, team.ID, dave, alice, "member"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("AddTeamMember err=%v, want private collaboration limit", err)

+	}

+

+	team2, err := orgs.CreateTeam(ctx, deps, orgs.CreateTeamParams{OrgID: org.ID, Slug: "ops", CreatedByUserID: alice})

+	if err != nil {

+		t.Fatalf("create second team: %v", err)

+	}

+	insertTeamMemberRaw(t, pool, team2.ID, dave)

+	if err := orgs.GrantTeamRepoAccess(ctx, deps, team2.ID, repo.ID, alice, "read"); !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("GrantTeamRepoAccess err=%v, want private collaboration limit", err)

+	}

+	if err := orgs.RemoveTeamMember(ctx, deps, team2.ID, dave); err != nil {

+		t.Fatalf("cleanup remove team member should remain allowed: %v", err)

+	}

+}

+

+func mustOrgRepo(t *testing.T, db reposdb.DBTX, orgID int64, name, visibility string) reposdb.Repo {

+	t.Helper()

+	repo, err := reposdb.New().CreateRepo(context.Background(), db, reposdb.CreateRepoParams{

+		OwnerOrgID:    pgtype.Int8{Int64: orgID, Valid: true},

+		Name:          name,

+		Visibility:    reposdb.RepoVisibility(visibility),

+		DefaultBranch: "trunk",

+	})

+	if err != nil {

+		t.Fatalf("create org repo %s: %v", name, err)

+	}

+	return repo

+}

+

+func insertDirectCollab(t *testing.T, db reposdb.DBTX, repoID, userID int64) {

+	t.Helper()

+	if _, err := db.Exec(context.Background(), `INSERT INTO repo_collaborators (repo_id, user_id, role) VALUES ($1, $2, 'read')`, repoID, userID); err != nil {

+		t.Fatalf("insert direct collaborator: %v", err)

+	}

+}

+

+func insertTeamMemberRaw(t *testing.T, db reposdb.DBTX, teamID, userID int64) {

+	t.Helper()

+	if _, err := db.Exec(context.Background(), `INSERT INTO team_members (team_id, user_id, role) VALUES ($1, $2, 'member')`, teamID, userID); err != nil {

+		t.Fatalf("insert team member: %v", err)

+	}

+}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	check, err := entitlements.CheckTeamMemberPrivateCollaboration(ctx, entitlements.Deps{Pool: deps.Pool}, teamID, userID)

+	if err != nil {

+		return err

+	}

+	if err := check.Err(); err != nil {

+		return err

+	}

+	check, err := entitlements.CheckTeamPrivateRepoGrant(ctx, entitlements.Deps{Pool: deps.Pool}, teamID, repoID)

+	if err != nil {

+		return err

+	}

+	if err := check.Err(); err != nil {

+		return err

+	}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	if p.OwnerOrgID != 0 && p.Visibility == "private" {

+		check, err := entitlements.CheckPrivateRepositoryCreation(ctx, entitlements.Deps{Pool: deps.Pool}, p.OwnerOrgID)

+		if err != nil {

+			return Result{}, err

+		}

+		if err := check.Err(); err != nil {

+			return Result{}, err

+		}

+	}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+func mustCreateRepoUser(t *testing.T, db usersdb.DBTX, username string) usersdb.User {

+	t.Helper()

+	user, err := usersdb.New().CreateUser(context.Background(), db, usersdb.CreateUserParams{

+		Username:     username,

+		DisplayName:  username,

+		PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser %s: %v", username, err)

+	}

+	return user

+}

+

+func TestCreate_PrivateOrgRepoRespectsCollaborationLimit(t *testing.T) {

+	t.Parallel()

+	pool, deps, uid, _, _ := setupCreateEnv(t)

+	ctx := context.Background()

+	org, err := orgs.Create(ctx, orgs.Deps{Pool: pool}, orgs.CreateParams{

+		Slug:            "acme",

+		CreatedByUserID: uid,

+	})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	for _, name := range []string{"owner2", "owner3", "owner4"} {

+		user := mustCreateRepoUser(t, pool, name)

+		if _, err := pool.Exec(ctx, `INSERT INTO org_members (org_id, user_id, role) VALUES ($1, $2, 'owner')`, org.ID, user.ID); err != nil {

+			t.Fatalf("insert owner: %v", err)

+		}

+	}

+	_, err = repos.Create(ctx, deps, repos.Params{

+		OwnerOrgID:  org.ID,

+		OwnerSlug:   string(org.Slug),

+		ActorUserID: uid,

+		Name:        "secret",

+		Visibility:  "private",

+	})

+	if !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("Create private org repo err=%v, want private collaboration limit", err)

+	}

+}

+

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	"github.com/tenseleyFlow/shithub/internal/orgs"

+func mustLifecycleUser(t *testing.T, db usersdb.DBTX, username string) usersdb.User {

+	t.Helper()

+	user, err := usersdb.New().CreateUser(context.Background(), db, usersdb.CreateUserParams{

+		Username:     username,

+		DisplayName:  username,

+		PasswordHash: fixtureHash,

+	})

+	if err != nil {

+		t.Fatalf("CreateUser %s: %v", username, err)

+	}

+	return user

+}

+

+func TestSetVisibilityRespectsPrivateCollaborationLimit(t *testing.T) {

+	t.Parallel()

+	env := setup(t)

+	ctx := context.Background()

+	org, err := orgs.Create(ctx, orgs.Deps{Pool: env.deps.Pool}, orgs.CreateParams{

+		Slug:            "acme",

+		CreatedByUserID: env.alice.ID,

+	})

+	if err != nil {

+		t.Fatalf("create org: %v", err)

+	}

+	repo, err := reposdb.New().CreateRepo(ctx, env.deps.Pool, reposdb.CreateRepoParams{

+		OwnerOrgID:    pgtype.Int8{Int64: org.ID, Valid: true},

+		Name:          "soon-private",

+		DefaultBranch: "trunk",

+		Visibility:    reposdb.RepoVisibilityPublic,

+	})

+	if err != nil {

+		t.Fatalf("create org repo: %v", err)

+	}

+	for _, userID := range []int64{env.bob.ID, mustLifecycleUser(t, env.deps.Pool, "carol").ID, mustLifecycleUser(t, env.deps.Pool, "dave").ID} {

+		if _, err := env.deps.Pool.Exec(ctx, `INSERT INTO repo_collaborators (repo_id, user_id, role) VALUES ($1, $2, 'read')`, repo.ID, userID); err != nil {

+			t.Fatalf("insert collaborator: %v", err)

+		}

+	}

+	err = lifecycle.SetVisibility(ctx, env.deps, env.alice.ID, repo.ID, "private")

+	if !errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+		t.Fatalf("SetVisibility err=%v, want private collaboration limit", err)

+	}

+}

+

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	if repo.OwnerOrgID.Valid && newVisibility == "private" {

+		check, err := entitlements.CheckRepoPrivateVisibility(ctx, entitlements.Deps{Pool: deps.Pool}, repo.OwnerOrgID.Int64, repo.ID)

+		if err != nil {

+			return err

+		}

+		if err := check.Err(); err != nil {

+			return err

+		}

+	}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	check, err := entitlements.CheckDirectPrivateCollaborator(r.Context(), entitlements.Deps{Pool: h.d.Pool}, repo.ID, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "api: private collaborator entitlement check", "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "collaborator entitlement check failed")

+		return

+	}

+	if err := check.Err(); err != nil {

+		writeAPIError(w, http.StatusPaymentRequired, err.Error())

+		return

+	}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):

+		writeAPIError(w, http.StatusPaymentRequired, err.Error())

+				if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+					writeAPIError(w, http.StatusPaymentRequired, err.Error())

+					return

+				}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+		"Notice":          peopleNoticeMessage(r.URL.Query().Get("notice")),

+func peopleNoticeMessage(code string) string {

+	switch code {

+	case "private-collab-upgrade":

+		return "Free organizations can have up to 3 private collaborators. Upgrade to Team to add more private collaborators."

+	default:

+		return ""

+	}

+}

+

+		if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+			http.Redirect(w, r, "/"+org.Slug+"/people?notice=private-collab-upgrade", http.StatusSeeOther)

+			return

+		}

+		if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+			http.Redirect(w, r, "/"+org.Slug+"/people?notice=private-collab-upgrade", http.StatusSeeOther)

+			return

+		}

+			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+				h.d.Render.HTTPError(w, r, http.StatusPaymentRequired, "")

+				return

+			}

+	"errors"

+	case "private-collab-upgrade":

+		return "Free organizations can have up to 3 private collaborators. Upgrade to Team to add more private collaborators."

+		if err := orgs.AddTeamMember(r.Context(), h.deps(), team.ID, uid, viewer.ID, role); err != nil {

+			h.d.Logger.WarnContext(r.Context(), "teams: add member", "org_id", org.ID, "team_id", team.ID, "user_id", uid, "error", err)

+			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+				http.Redirect(w, r, h.teamPath(org, team)+"?notice=private-collab-upgrade", http.StatusSeeOther)

+				return

+			}

+		}

+		if err := orgs.GrantTeamRepoAccess(r.Context(), h.deps(), team.ID, repoID, viewer.ID,

+			r.PostFormValue("role")); err != nil {

+			h.d.Logger.WarnContext(r.Context(), "teams: grant repo", "org_id", org.ID, "team_id", team.ID, "repo_id", repoID, "error", err)

+			if errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded) {

+				http.Redirect(w, r, h.teamPath(org, team)+"?notice=private-collab-upgrade", http.StatusSeeOther)

+				return

+			}

+		}

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):

+		http.Error(w, err.Error(), http.StatusPaymentRequired)

+	"github.com/tenseleyFlow/shithub/internal/entitlements"

+	case errors.Is(err, entitlements.ErrPrivateCollaborationLimitExceeded):

+		return err.Error()

+      {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}