`81e12ae`

web: migrate UserActor callsites to viewer.PolicyActor (SR2 C1/C2)

18 handler sites switched from policy.UserActor(viewer.ID,
viewer.Username, viewer.IsSuspended, false) to viewer.PolicyActor().
Includes profile, search, and repo (issues/PRs/lifecycle/social/
fork/labels/repo home) surfaces.

Pre-migration these all hardcoded IsSiteAdmin=false and ignored
viewer.ImpersonatedUserID. Post-migration impersonation is a
construct-time concern and admin-read-private gets a 200 instead
of 404.

PAT-bearing API handlers (api/checks.go, api/stars.go) and the
SSH/HTTPS-git paths keep plain UserActor() — those gates reject
suspended at credential check, and impersonation is impossible via
non-cookie auth, so the false literals are correct by construction.

Authored by

espadonne 3 days ago

SHA: 81e12ae5f3fcf5f2e13ad48cc26c3c368cdd4797
Parents: c9d4831
Tree: 44e89fd

11 changed files

Status	File	+	-
M	`internal/web/handlers/profile/org_profile.go`	1	5
M	`internal/web/handlers/profile/repositories_tab.go`	1	1
M	`internal/web/handlers/profile/stars_tab.go`	1	1
M	`internal/web/handlers/repo/fork.go`	3	3
M	`internal/web/handlers/repo/issues.go`	3	3
M	`internal/web/handlers/repo/labels_milestones.go`	2	2
M	`internal/web/handlers/repo/lifecycle.go`	2	2
M	`internal/web/handlers/repo/pulls.go`	3	3
M	`internal/web/handlers/repo/repo.go`	1	1
M	`internal/web/handlers/repo/social.go`	1	1
M	`internal/web/handlers/search/search.go`	1	1

internal/web/handlers/profile/org_profile.gomodified

+ 	}
  	actor := policy.AnonymousActor()
  	if !viewer.IsAnonymous() {
 -		actor = policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, viewer.IsSiteAdmin)
 -		if viewer.ImpersonatedUserID != 0 {
 -			actor.Impersonating = true
 -			actor.ImpersonateWriteOK = viewer.ImpersonateWriteOK
 -		}
 +		actor = viewer.PolicyActor()
+ 	}
  	deps := policy.Deps{Pool: h.d.Pool}

internal/web/handlers/profile/repositories_tab.gomodified

  	actor := policy.AnonymousActor()
  	if !viewer.IsAnonymous() {
 -		actor = policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +		actor = viewer.PolicyActor()
+ 	}
  	deps := policy.Deps{Pool: h.d.Pool}

internal/web/handlers/profile/stars_tab.gomodified

  	actor := policy.AnonymousActor()
  	if !viewer.IsAnonymous() {
 -		actor = policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +		actor = viewer.PolicyActor()
+ 	}
  	deps := policy.Deps{Pool: h.d.Pool}

internal/web/handlers/repo/fork.gomodified

  		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
  		return
+ 	}
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	repoRef := policy.NewRepoRefFromRepo(source)
  	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionForkCreate, repoRef); !dec.Allow {
  		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")
  		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
  		return
+ 	}
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	repoRef := policy.NewRepoRefFromRepo(row)
  	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoWrite, repoRef); !dec.Allow {
  		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")
  	if viewer.IsAnonymous() {
  		return policy.AnonymousActor()
+ 	}
 -	return policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	return viewer.PolicyActor()
+ }
  // handleForkError maps the orchestrator's typed errors to status

internal/web/handlers/repo/issues.gomodified

  		authorName = usernameFor(issue.AuthorUserID.Int64)
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	pdeps := policy.Deps{Pool: h.d.Pool}
  	repoRef := policy.NewRepoRefFromRepo(row)
  	stateRef := issueStateRepoRef(row, issue)
  	// posters). We resolve the *real* role via the policy package — owner
  	// is implicit admin, and any explicit collaborator with role >= triage
  	// passes. Read fails (DB miss, unknown role) fail closed via RoleNone.
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	isCollab := policy.HasRoleAtLeast(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.NewRepoRefFromRepo(row), policy.RoleTriage)
  	var commentID int64
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	stateRef := issueStateRepoRef(row, issue)
  	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueClose, stateRef); !dec.Allow {
  		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, stateRef, actor), "")

internal/web/handlers/repo/labels_milestones.gomodified

+ 	}
  	labels, _ := h.iq.ListLabels(r.Context(), h.d.Pool, row.ID)
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	canManage := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueLabel, policy.NewRepoRefFromRepo(row)).Allow
  	w.Header().Set("Content-Type", "text/html; charset=utf-8")
  	_ = h.d.Render.RenderPage(w, r, "repo/labels", map[string]any{
+ 	}
  	ms, _ := h.iq.ListMilestones(r.Context(), h.d.Pool, row.ID)
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	canManage := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueLabel, policy.NewRepoRefFromRepo(row)).Allow
  	w.Header().Set("Content-Type", "text/html; charset=utf-8")
  	_ = h.d.Render.RenderPage(w, r, "repo/milestones", map[string]any{

internal/web/handlers/repo/lifecycle.gomodified

  		return reposdb.Repo{}, usersdb.User{}, false
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	repoRef := policy.NewRepoRefFromRepo(row)
  	dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, action, repoRef)
  	if !dec.Allow {
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	repoRef := policy.NewRepoRefFromRepo(repo)
  	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoAdmin, repoRef); !dec.Allow {
  		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")

internal/web/handlers/repo/pulls.gomodified

  		"ActiveSubnav": "pulls",
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	pdeps := policy.Deps{Pool: h.d.Pool}
  	repoRef := policy.NewRepoRefFromRepo(row)
  	stateRef := repoRef
  		reqs = append(reqs, rr)
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	pdeps := policy.Deps{Pool: h.d.Pool}
  	repoRef := policy.NewRepoRefFromRepo(row)
  	canCommentAction := policy.Can(r.Context(), pdeps, actor, policy.ActionIssueComment, repoRef).Allow
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
 -	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +	actor := viewer.PolicyActor()
  	repoRef := policy.NewRepoRefFromRepo(row)
  	if pr.IAuthorUserID.Valid {
  		repoRef.AuthorUserID = pr.IAuthorUserID.Int64

internal/web/handlers/repo/repo.gomodified

  	if viewer.IsAnonymous() {
  		actor = policy.AnonymousActor()
  	} else {
 -		actor = policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
 +		actor = viewer.PolicyActor()
+ 	}
  	// ActionRepoRead deny on a private repo with a non-collab viewer is
  	// indistinguishable from "doesn't exist" — Maybe404 returns 404 in

internal/web/handlers/search/search.gomodified


 	if viewer.IsAnonymous() {
 		return policy.AnonymousActor()
 	}
-	return policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
+	return viewer.PolicyActor()
 }
 
 // results renders the full /search page with type tabs.

`@@ -58,7 +58,7 @@` func (h Handlers) actor(r http.Request) policy.Actor {
58	58	if viewer.IsAnonymous() {
59	59	return policy.AnonymousActor()
60	60	}
61		- return policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
	61	+ return viewer.PolicyActor()
62	62	}
63	63
64	64	// results renders the full /search page with type tabs.