Restrict permission check on repositories and fix some problems (#5314)

* fix units permission problems

* fix some bugs and merge LoadUnits to repoAssignment

* refactor permission struct and add some copyright heads

* remove unused codes

* fix routes units check

* improve permission check

* add unit tests for permission

* fix typo

* fix tests

* fix some routes

* fix api permission check

* improve permission check

* fix some permission check

* fix tests

* fix tests

* improve some permission check

* fix some permission check

* refactor AccessLevel

* fix bug

* fix tests

* fix tests

* fix tests

* fix AccessLevel

* rename CanAccess

* fix tests

* fix comment

* fix bug

* add missing unit for test repos

* fix bug

* rename some functions

* fix routes check

routers/api/v1/org/team.go

@@ -311,7 +311,7 @@ func GetTeamRepos(ctx *context.APIContext) {
 	}
 	repos := make([]*api.Repository, len(team.Repos))
 	for i, repo := range team.Repos {
-		access, err := models.AccessLevel(ctx.User.ID, repo)
+		access, err := models.AccessLevel(ctx.User, repo)
 		if err != nil {
 			ctx.Error(500, "GetTeamRepos", err)
 			return
@@ -366,7 +366,7 @@ func AddTeamRepository(ctx *context.APIContext) {
 	if ctx.Written() {
 		return
 	}
-	if access, err := models.AccessLevel(ctx.User.ID, repo); err != nil {
+	if access, err := models.AccessLevel(ctx.User, repo); err != nil {
 		ctx.Error(500, "AccessLevel", err)
 		return
 	} else if access < models.AccessModeAdmin {
@@ -413,7 +413,7 @@ func RemoveTeamRepository(ctx *context.APIContext) {
 	if ctx.Written() {
 		return
 	}
-	if access, err := models.AccessLevel(ctx.User.ID, repo); err != nil {
+	if access, err := models.AccessLevel(ctx.User, repo); err != nil {
 		ctx.Error(500, "AccessLevel", err)
 		return
 	} else if access < models.AccessModeAdmin {