Bug fix allow users with access to count as official reviewers

models/git/protected_branch.go

@@ -206,12 +206,12 @@ func IsUserOfficialReviewer(ctx context.Context, protectBranch *ProtectedBranch,
 	}
 
 	if !protectBranch.EnableApprovalsWhitelist {
-		// Anyone with write access is considered official reviewer
-		writeAccess, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeWrite)
+		// Anyone with code access is considered official reviewer
+		access, err := access_model.HasAccessUnit(ctx, user, repo, unit.TypeCode, perm.AccessModeRead)
 		if err != nil {
 			return false, err
 		}
-		return writeAccess, nil
+		return access, nil
 	}
 
 	if slices.Contains(protectBranch.ApprovalsWhitelistUserIDs, user.ID) {

models/git/protected_branch_test.go

@@ -1,12 +1,20 @@
 // Copyright 2022 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package git
+package git_test
 
 import (
 	"fmt"
 	"testing"
 
+	"code.gitea.io/gitea/models/db"
+	git_model "code.gitea.io/gitea/models/git"
+	perm_model "code.gitea.io/gitea/models/perm"
+	access_model "code.gitea.io/gitea/models/perm/access"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -64,7 +72,7 @@ func TestBranchRuleMatch(t *testing.T) {
 	}
 
 	for _, kase := range kases {
-		pb := ProtectedBranch{RuleName: kase.Rule}
+		pb := git_model.ProtectedBranch{RuleName: kase.Rule}
 		var should, infact string
 		if !kase.ExpectedMatch {
 			should = " not"
@@ -76,3 +84,33 @@ func TestBranchRuleMatch(t *testing.T) {
 		)
 	}
 }
+
+func TestIsUserOfficialReviewer(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	protectedBranch := &git_model.ProtectedBranch{
+		RepoID:                   repo.ID,
+		EnableApprovalsWhitelist: false,
+	}
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3})
+
+	access := &access_model.Access{
+		UserID: user.ID,
+		RepoID: repo.ID,
+		Mode:   perm_model.AccessModeNone,
+	}
+	assert.NoError(t, db.Insert(db.DefaultContext, access))
+
+	official, err := git_model.IsUserOfficialReviewer(db.DefaultContext, protectedBranch, user)
+	assert.NoError(t, err)
+	assert.False(t, official)
+
+	access.Mode = perm_model.AccessModeRead
+	_, err = db.GetEngine(db.DefaultContext).ID(access.ID).Update(access)
+	assert.NoError(t, err)
+
+	official, err = git_model.IsUserOfficialReviewer(db.DefaultContext, protectedBranch, user)
+	assert.NoError(t, err)
+	assert.True(t, official)
+}

models/issues/review.go

@@ -300,7 +300,8 @@ func IsOfficialReviewerTeam(ctx context.Context, issue *Issue, team *organizatio
 	}
 
 	if !pb.EnableApprovalsWhitelist {
-		return team.UnitAccessMode(ctx, unit.TypeCode) >= perm.AccessModeWrite, nil
+		// Any team with code access is considered official reviewer
+		return team.UnitAccessMode(ctx, unit.TypeCode) >= perm.AccessModeRead, nil
 	}
 
 	return slices.Contains(pb.ApprovalsWhitelistTeamIDs, team.ID), nil