Refactoring to make the code pretty

JoannaaKL · JoannaaKL · commit 2de28f79a8d9 · 2025-11-19T16:26:10.000+01:00
diff --git a/pkg/github/issues.go b/pkg/github/issues.go
@@ -331,11 +331,11 @@ func GetIssue(ctx context.Context, client *github.Client, cache *lockdown.RepoAc
 		}
 		login := issue.GetUser().GetLogin()
 		if login != "" {
-			isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
+			info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
 			if err != nil {
 				return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil
 			}
-			if !isPrivate && !hasPushAccess {
+			if info.ViewerLogin != login && !info.IsPrivate && !info.HasPushAccess {
 				return mcp.NewToolResultError("access to issue details is restricted by lockdown mode"), nil
 			}
 		}
@@ -394,16 +394,16 @@ func GetIssueComments(ctx context.Context, client *github.Client, cache *lockdow
 			if login == "" {
 				continue
 			}
-			isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
+			info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
 			if err != nil {
 				return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil
 			}
-			// Do not filter content for private repositories
-			if isPrivate {
+			// Do not filter content for private repositories or if the comment author is the viewer
+			if info.IsPrivate || info.ViewerLogin == login {
 				filteredComments = comments
 				break
 			}
-			if hasPushAccess {
+			if info.HasPushAccess {
 				filteredComments = append(filteredComments, comment)
 			}
 		}
@@ -459,16 +459,16 @@ func GetSubIssues(ctx context.Context, client *github.Client, cache *lockdown.Re
 			if login == "" {
 				continue
 			}
-			isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
+			info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
 			if err != nil {
 				return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil
 			}
-			// Repo is private, do not filter content
-			if isPrivate {
+			// Repo is private or the comment author is the viewer, do not filter content
+			if info.IsPrivate || info.ViewerLogin == login {
 				filteredSubIssues = subIssues
 				break
 			}
-			if hasPushAccess {
+			if info.HasPushAccess {
 				filteredSubIssues = append(filteredSubIssues, subIssue)
 			}
 		}
diff --git a/pkg/github/pullrequests.go b/pkg/github/pullrequests.go
@@ -141,12 +141,12 @@ func GetPullRequest(ctx context.Context, client *github.Client, cache *lockdown.
 		}
 		login := pr.GetUser().GetLogin()
 		if login != "" {
-			isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
+			info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
 			if err != nil {
 				return nil, fmt.Errorf("failed to check content removal: %w", err)
 			}
 
-			if !isPrivate && !hasPushAccess {
+			if info.ViewerLogin != login && !info.IsPrivate && !info.HasPushAccess {
 				return mcp.NewToolResultError("access to pull request is restricted by lockdown mode"), nil
 			}
 		}
@@ -303,15 +303,16 @@ func GetPullRequestReviewComments(ctx context.Context, client *github.Client, ca
 			if user == nil {
 				continue
 			}
-			isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, user.GetLogin(), owner, repo)
+			info, err := cache.GetRepoAccessInfo(ctx, user.GetLogin(), owner, repo)
 			if err != nil {
 				return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil
 			}
-			if isPrivate {
+			// Do not filter content for private repositories or if the comment author is the viewer
+			if info.IsPrivate || info.ViewerLogin == user.GetLogin() {
 				filteredComments = comments
 				break
 			}
-			if hasPushAccess {
+			if info.HasPushAccess {
 				filteredComments = append(filteredComments, comment)
 			}
 		}
@@ -353,14 +354,14 @@ func GetPullRequestReviews(ctx context.Context, client *github.Client, cache *lo
 		for _, review := range reviews {
 			login := review.GetUser().GetLogin()
 			if login != "" {
-				isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
+				info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)
 				if err != nil {
 					return nil, fmt.Errorf("failed to check lockdown mode: %w", err)
 				}
-				if isPrivate {
+				if info.IsPrivate || info.ViewerLogin == login {
 					filteredReviews = reviews
 				}
-				if hasPushAccess {
+				if info.HasPushAccess {
 					filteredReviews = append(filteredReviews, review)
 				}
 				reviews = filteredReviews
diff --git a/pkg/lockdown/lockdown.go b/pkg/lockdown/lockdown.go
@@ -23,8 +23,16 @@ type RepoAccessCache struct {
 }
 
 type repoAccessCacheEntry struct {
-	isPrivate  bool
-	knownUsers map[string]bool // normalized login -> has push access
+	isPrivate   bool
+	knownUsers  map[string]bool // normalized login -> has push access
+	viewerLogin string
+}
+
+// RepoAccessInfo captures repository metadata needed for lockdown decisions.
+type RepoAccessInfo struct {
+	IsPrivate     bool
+	HasPushAccess bool
+	ViewerLogin   string
 }
 
 const (
@@ -101,12 +109,11 @@ type CacheStats struct {
 	Evictions int64
 }
 
-// GetRepoAccessInfo returns the repository's privacy status and whether the
-// specified user has push permissions. Results are cached per repository to
-// avoid repeated GraphQL round-trips.
-func (c *RepoAccessCache) GetRepoAccessInfo(ctx context.Context, username, owner, repo string) (bool, bool, error) {
+// GetRepoAccessInfo returns repository access metadata for the provided user.
+// Results are cached per repository to avoid repeated GraphQL round-trips.
+func (c *RepoAccessCache) GetRepoAccessInfo(ctx context.Context, username, owner, repo string) (RepoAccessInfo, error) {
 	if c == nil {
-		return false, false, fmt.Errorf("nil repo access cache")
+		return RepoAccessInfo{}, fmt.Errorf("nil repo access cache")
 	}
 
 	key := cacheKey(owner, repo)
@@ -120,41 +127,59 @@ func (c *RepoAccessCache) GetRepoAccessInfo(ctx context.Context, username, owner
 		entry := cacheItem.Data().(*repoAccessCacheEntry)
 		if cachedHasPush, known := entry.knownUsers[userKey]; known {
 			c.logDebug("repo access cache hit", "owner", owner, "repo", repo, "user", username)
-			return entry.isPrivate, cachedHasPush, nil
+			return RepoAccessInfo{
+				IsPrivate:     entry.isPrivate,
+				HasPushAccess: cachedHasPush,
+				ViewerLogin:   entry.viewerLogin,
+			}, nil
 		}
 		c.logDebug("known users cache miss", "owner", owner, "repo", repo, "user", username)
-		_, hasPush, queryErr := c.queryRepoAccessInfo(ctx, username, owner, repo)
+		info, queryErr := c.queryRepoAccessInfo(ctx, username, owner, repo)
 		if queryErr != nil {
-			return false, false, queryErr
+			return RepoAccessInfo{}, queryErr
 		}
-		entry.knownUsers[userKey] = hasPush
+		entry.knownUsers[userKey] = info.HasPushAccess
+		entry.viewerLogin = info.ViewerLogin
+		entry.isPrivate = info.IsPrivate
 		c.cache.Add(key, c.ttl, entry)
-		return entry.isPrivate, entry.knownUsers[userKey], nil
+		return RepoAccessInfo{
+			IsPrivate:     entry.isPrivate,
+			HasPushAccess: entry.knownUsers[userKey],
+			ViewerLogin:   entry.viewerLogin,
+		}, nil
 	}
 
 	c.logDebug("repo access cache miss", "owner", owner, "repo", repo, "user", username)
 
-	isPrivate, hasPush, queryErr := c.queryRepoAccessInfo(ctx, username, owner, repo)
+	info, queryErr := c.queryRepoAccessInfo(ctx, username, owner, repo)
 	if queryErr != nil {
-		return false, false, queryErr
+		return RepoAccessInfo{}, queryErr
 	}
 
 	// Create new entry
 	entry := &repoAccessCacheEntry{
-		knownUsers: map[string]bool{userKey: hasPush},
-		isPrivate:  isPrivate,
+		knownUsers:  map[string]bool{userKey: info.HasPushAccess},
+		isPrivate:   info.IsPrivate,
+		viewerLogin: info.ViewerLogin,
 	}
 	c.cache.Add(key, c.ttl, entry)
 
-	return entry.isPrivate, entry.knownUsers[userKey], nil
+	return RepoAccessInfo{
+		IsPrivate:     entry.isPrivate,
+		HasPushAccess: entry.knownUsers[userKey],
+		ViewerLogin:   entry.viewerLogin,
+	}, nil
 }
 
-func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, owner, repo string) (bool, bool, error) {
+func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, owner, repo string) (RepoAccessInfo, error) {
 	if c.client == nil {
-		return false, false, fmt.Errorf("nil GraphQL client")
+		return RepoAccessInfo{}, fmt.Errorf("nil GraphQL client")
 	}
 
 	var query struct {
+		Viewer struct {
+			Login githubv4.String
+		}
 		Repository struct {
 			IsPrivate     githubv4.Boolean
 			Collaborators struct {
@@ -175,7 +200,7 @@ func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, own
 	}
 
 	if err := c.client.Query(ctx, &query, variables); err != nil {
-		return false, false, fmt.Errorf("failed to query repository access info: %w", err)
+		return RepoAccessInfo{}, fmt.Errorf("failed to query repository access info: %w", err)
 	}
 
 	hasPush := false
@@ -188,7 +213,11 @@ func (c *RepoAccessCache) queryRepoAccessInfo(ctx context.Context, username, own
 		}
 	}
 
-	return bool(query.Repository.IsPrivate), hasPush, nil
+	return RepoAccessInfo{
+		IsPrivate:     bool(query.Repository.IsPrivate),
+		HasPushAccess: hasPush,
+		ViewerLogin:   string(query.Viewer.Login),
+	}, nil
 }
 
 func cacheKey(owner, repo string) string {
diff --git a/pkg/lockdown/lockdown_test.go b/pkg/lockdown/lockdown_test.go
@@ -18,6 +18,9 @@ const (
 )
 
 type repoAccessQuery struct {
+	Viewer struct {
+		Login githubv4.String
+	}
 	Repository struct {
 		IsPrivate     githubv4.Boolean
 		Collaborators struct {
@@ -62,6 +65,9 @@ func newMockRepoAccessCache(t *testing.T, ttl time.Duration) (*RepoAccessCache,
 	}
 
 	response := githubv4mock.DataResponse(map[string]any{
+		"viewer": map[string]any{
+			"login": testUser,
+		},
 		"repository": map[string]any{
 			"isPrivate": false,
 			"collaborators": map[string]any{
@@ -90,13 +96,17 @@ func TestRepoAccessCacheEvictsAfterTTL(t *testing.T) {
 	ctx := t.Context()
 
 	cache, transport := newMockRepoAccessCache(t, 5*time.Millisecond)
-	_, _, err := cache.GetRepoAccessInfo(ctx, testUser, testOwner, testRepo)
+	info, err := cache.GetRepoAccessInfo(ctx, testUser, testOwner, testRepo)
 	require.NoError(t, err)
+	require.Equal(t, testUser, info.ViewerLogin)
+	require.True(t, info.HasPushAccess)
 	require.EqualValues(t, 1, transport.CallCount())
 
 	time.Sleep(20 * time.Millisecond)
 
-	_, _, err = cache.GetRepoAccessInfo(ctx, testUser, testOwner, testRepo)
+	info, err = cache.GetRepoAccessInfo(ctx, testUser, testOwner, testRepo)
 	require.NoError(t, err)
+	require.Equal(t, testUser, info.ViewerLogin)
+	require.True(t, info.HasPushAccess)
 	require.EqualValues(t, 2, transport.CallCount())
 }

Original file line number	Diff line number	Diff line change
`@@ -331,11 +331,11 @@ func GetIssue(ctx context.Context, client github.Client, cache lockdown.RepoAc`
`331`	`331`	`}`
`332`	`332`	`login := issue.GetUser().GetLogin()`
`333`	`333`	`if login != "" {`
`334`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
	`334`	`+ info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
`335`	`335`	`if err != nil {`
`336`	`336`	`return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil`
`337`	`337`	`}`
`338`		`- if !isPrivate && !hasPushAccess {`
	`338`	`+ if info.ViewerLogin != login && !info.IsPrivate && !info.HasPushAccess {`
`339`	`339`	`return mcp.NewToolResultError("access to issue details is restricted by lockdown mode"), nil`
`340`	`340`	`}`
`341`	`341`	`}`
`@@ -394,16 +394,16 @@ func GetIssueComments(ctx context.Context, client github.Client, cache lockdow`
`394`	`394`	`if login == "" {`
`395`	`395`	`continue`
`396`	`396`	`}`
`397`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
	`397`	`+ info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
`398`	`398`	`if err != nil {`
`399`	`399`	`return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil`
`400`	`400`	`}`
`401`		`- // Do not filter content for private repositories`
`402`		`- if isPrivate {`
	`401`	`+ // Do not filter content for private repositories or if the comment author is the viewer`
	`402`	`+ if info.IsPrivate \|\| info.ViewerLogin == login {`
`403`	`403`	`filteredComments = comments`
`404`	`404`	`break`
`405`	`405`	`}`
`406`		`- if hasPushAccess {`
	`406`	`+ if info.HasPushAccess {`
`407`	`407`	`filteredComments = append(filteredComments, comment)`
`408`	`408`	`}`
`409`	`409`	`}`
`@@ -459,16 +459,16 @@ func GetSubIssues(ctx context.Context, client github.Client, cache lockdown.Re`
`459`	`459`	`if login == "" {`
`460`	`460`	`continue`
`461`	`461`	`}`
`462`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
	`462`	`+ info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
`463`	`463`	`if err != nil {`
`464`	`464`	`return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil`
`465`	`465`	`}`
`466`		`- // Repo is private, do not filter content`
`467`		`- if isPrivate {`
	`466`	`+ // Repo is private or the comment author is the viewer, do not filter content`
	`467`	`+ if info.IsPrivate \|\| info.ViewerLogin == login {`
`468`	`468`	`filteredSubIssues = subIssues`
`469`	`469`	`break`
`470`	`470`	`}`
`471`		`- if hasPushAccess {`
	`471`	`+ if info.HasPushAccess {`
`472`	`472`	`filteredSubIssues = append(filteredSubIssues, subIssue)`
`473`	`473`	`}`
`474`	`474`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,12 +141,12 @@ func GetPullRequest(ctx context.Context, client github.Client, cache lockdown.`
`141`	`141`	`}`
`142`	`142`	`login := pr.GetUser().GetLogin()`
`143`	`143`	`if login != "" {`
`144`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
	`144`	`+ info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
`145`	`145`	`if err != nil {`
`146`	`146`	`return nil, fmt.Errorf("failed to check content removal: %w", err)`
`147`	`147`	`}`
`148`	`148`
`149`		`- if !isPrivate && !hasPushAccess {`
	`149`	`+ if info.ViewerLogin != login && !info.IsPrivate && !info.HasPushAccess {`
`150`	`150`	`return mcp.NewToolResultError("access to pull request is restricted by lockdown mode"), nil`
`151`	`151`	`}`
`152`	`152`	`}`
`@@ -303,15 +303,16 @@ func GetPullRequestReviewComments(ctx context.Context, client *github.Client, ca`
`303`	`303`	`if user == nil {`
`304`	`304`	`continue`
`305`	`305`	`}`
`306`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, user.GetLogin(), owner, repo)`
	`306`	`+ info, err := cache.GetRepoAccessInfo(ctx, user.GetLogin(), owner, repo)`
`307`	`307`	`if err != nil {`
`308`	`308`	`return mcp.NewToolResultError(fmt.Sprintf("failed to check lockdown mode: %v", err)), nil`
`309`	`309`	`}`
`310`		`- if isPrivate {`
	`310`	`+ // Do not filter content for private repositories or if the comment author is the viewer`
	`311`	`+ if info.IsPrivate \|\| info.ViewerLogin == user.GetLogin() {`
`311`	`312`	`filteredComments = comments`
`312`	`313`	`break`
`313`	`314`	`}`
`314`		`- if hasPushAccess {`
	`315`	`+ if info.HasPushAccess {`
`315`	`316`	`filteredComments = append(filteredComments, comment)`
`316`	`317`	`}`
`317`	`318`	`}`
`@@ -353,14 +354,14 @@ func GetPullRequestReviews(ctx context.Context, client github.Client, cache lo`
`353`	`354`	`for _, review := range reviews {`
`354`	`355`	`login := review.GetUser().GetLogin()`
`355`	`356`	`if login != "" {`
`356`		`- isPrivate, hasPushAccess, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
	`357`	`+ info, err := cache.GetRepoAccessInfo(ctx, login, owner, repo)`
`357`	`358`	`if err != nil {`
`358`	`359`	`return nil, fmt.Errorf("failed to check lockdown mode: %w", err)`
`359`	`360`	`}`
`360`		`- if isPrivate {`
	`361`	`+ if info.IsPrivate \|\| info.ViewerLogin == login {`
`361`	`362`	`filteredReviews = reviews`
`362`	`363`	`}`
`363`		`- if hasPushAccess {`
	`364`	`+ if info.HasPushAccess {`
`364`	`365`	`filteredReviews = append(filteredReviews, review)`
`365`	`366`	`}`
`366`	`367`	`reviews = filteredReviews`