From 60522fc96f1fa4675e95010e4b1535e0eac21910 Mon Sep 17 00:00:00 2001
From: Danila Fominykh <d1nch8g@ion.lc>
Date: Mon, 13 Nov 2023 20:38:50 -0300
Subject: [PATCH] packages: Calculate package size quota using package creator
 ID instead of owner ID (#28007)

Changed behavior to calculate package quota limit using package `creator
ID` instead of `owner ID`.

Currently, users are allowed to create an unlimited number of
organizations, each of which has its own package limit quota, resulting
in the ability for users to have unlimited package space in different
organization scopes. This fix will calculate package quota based on
`package version creator ID` instead of `package version owner ID`
(which might be organization), so that users are not allowed to take
more space than configured package settings.

Also, there is a side case in which users can publish packages to a
specific package version, initially published by different user, taking
that user package size quota. Version in fix should be better because
the total amount of space is limited to the quota for users sharing the
same organization scope.
---
 models/packages/package_file.go | 12 ++++++++++++
 services/packages/packages.go   |  4 +---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/models/packages/package_file.go b/models/packages/package_file.go
index 1c2c9ac072..a2ddae7325 100644
--- a/models/packages/package_file.go
+++ b/models/packages/package_file.go
@@ -230,3 +230,15 @@ func CalculateFileSize(ctx context.Context, opts *PackageFileSearchOptions) (int
 		Join("INNER", "package_blob", "package_blob.id = package_file.blob_id").
 		SumInt(new(PackageBlob), "size")
 }
+
+// CalculateCreatorPackageQuota sums up all blob sizes related to package
+// version creator id.
+// It does NOT respect the deduplication of blobs.
+func CalculateCreatorPackageQuota(ctx context.Context, creatorID int64) (int64, error) {
+	return db.GetEngine(ctx).
+		Table("package_version").
+		Where(builder.Eq{"creator_id": creatorID}).
+		Join("INNER", "package_file", "package_version.id = package_file.version_id").
+		Join("INNER", "package_blob", "package_blob.id = package_file.blob_id").
+		SumInt(new(PackageBlob), "size")
+}
diff --git a/services/packages/packages.go b/services/packages/packages.go
index 56d5cc04de..294ee6cc1a 100644
--- a/services/packages/packages.go
+++ b/services/packages/packages.go
@@ -401,9 +401,7 @@ func CheckSizeQuotaExceeded(ctx context.Context, doer, owner *user_model.User, p
 	}
 
 	if setting.Packages.LimitTotalOwnerSize > -1 {
-		totalSize, err := packages_model.CalculateFileSize(ctx, &packages_model.PackageFileSearchOptions{
-			OwnerID: owner.ID,
-		})
+		totalSize, err := packages_model.CalculateCreatorPackageQuota(ctx, doer.ID)
 		if err != nil {
 			log.Error("CalculateFileSize failed: %v", err)
 			return err