mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-24 19:54:08 +01:00
fix: require code permissions for branch feed
- The RSS and atom feed for branches exposes details about the code, it therefore should be guarded by the requirement that the doer has access to the code of that repository. - Added integration testing.
This commit is contained in:
parent
7067cc7da4
commit
3e3ef76808
6 changed files with 150 additions and 2 deletions
|
@ -1562,8 +1562,10 @@ func registerRoutes(m *web.Route) {
|
||||||
m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
|
m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
|
||||||
}, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
|
}, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
|
||||||
|
|
||||||
m.Get("/rss/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("rss"))
|
m.Group("", func() {
|
||||||
m.Get("/atom/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("atom"))
|
m.Get("/rss/branch/*", feed.RenderBranchFeed("rss"))
|
||||||
|
m.Get("/atom/branch/*", feed.RenderBranchFeed("atom"))
|
||||||
|
}, repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), reqRepoCodeReader, feedEnabled)
|
||||||
|
|
||||||
m.Group("/src", func() {
|
m.Group("/src", func() {
|
||||||
m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)
|
m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)
|
||||||
|
|
|
@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("View permission", func(t *testing.T) {
|
||||||
|
t.Run("Anomynous", func(t *testing.T) {
|
||||||
|
defer tests.PrintCurrentTest(t)()
|
||||||
|
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
|
||||||
|
MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
})
|
||||||
|
t.Run("No code permission", func(t *testing.T) {
|
||||||
|
defer tests.PrintCurrentTest(t)()
|
||||||
|
session := loginUser(t, "user8")
|
||||||
|
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
|
||||||
|
session.MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
})
|
||||||
|
t.Run("With code permission", func(t *testing.T) {
|
||||||
|
defer tests.PrintCurrentTest(t)()
|
||||||
|
session := loginUser(t, "user9")
|
||||||
|
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
|
||||||
|
session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
})
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
21
tests/integration/fixtures/TestFeed/team.yml
Normal file
21
tests/integration/fixtures/TestFeed/team.yml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
-
|
||||||
|
id: 1001
|
||||||
|
org_id: 3
|
||||||
|
lower_name: no_code
|
||||||
|
name: no_code
|
||||||
|
authorize: 1 # read
|
||||||
|
num_repos: 1
|
||||||
|
num_members: 1
|
||||||
|
includes_all_repositories: false
|
||||||
|
can_create_org_repo: false
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1002
|
||||||
|
org_id: 3
|
||||||
|
lower_name: read_code
|
||||||
|
name: no_code
|
||||||
|
authorize: 1 # read
|
||||||
|
num_repos: 1
|
||||||
|
num_members: 1
|
||||||
|
includes_all_repositories: false
|
||||||
|
can_create_org_repo: false
|
11
tests/integration/fixtures/TestFeed/team_repo.yml
Normal file
11
tests/integration/fixtures/TestFeed/team_repo.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-
|
||||||
|
id: 1001
|
||||||
|
org_id: 3
|
||||||
|
team_id: 1001
|
||||||
|
repo_id: 3
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1002
|
||||||
|
org_id: 3
|
||||||
|
team_id: 1002
|
||||||
|
repo_id: 3
|
83
tests/integration/fixtures/TestFeed/team_unit.yml
Normal file
83
tests/integration/fixtures/TestFeed/team_unit.yml
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
-
|
||||||
|
id: 1001
|
||||||
|
team_id: 1001
|
||||||
|
type: 1
|
||||||
|
access_mode: 0
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1002
|
||||||
|
team_id: 1001
|
||||||
|
type: 2
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1003
|
||||||
|
team_id: 1001
|
||||||
|
type: 3
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1004
|
||||||
|
team_id: 1001
|
||||||
|
type: 4
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1005
|
||||||
|
team_id: 1001
|
||||||
|
type: 5
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1006
|
||||||
|
team_id: 1001
|
||||||
|
type: 6
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1007
|
||||||
|
team_id: 1001
|
||||||
|
type: 7
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1008
|
||||||
|
team_id: 1002
|
||||||
|
type: 1
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1009
|
||||||
|
team_id: 1002
|
||||||
|
type: 2
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1010
|
||||||
|
team_id: 1002
|
||||||
|
type: 3
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1011
|
||||||
|
team_id: 1002
|
||||||
|
type: 4
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1012
|
||||||
|
team_id: 1002
|
||||||
|
type: 5
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1013
|
||||||
|
team_id: 1002
|
||||||
|
type: 6
|
||||||
|
access_mode: 1
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1014
|
||||||
|
team_id: 1002
|
||||||
|
type: 7
|
||||||
|
access_mode: 1
|
11
tests/integration/fixtures/TestFeed/team_user.yml
Normal file
11
tests/integration/fixtures/TestFeed/team_user.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-
|
||||||
|
id: 1001
|
||||||
|
org_id: 3
|
||||||
|
team_id: 1001
|
||||||
|
uid: 8
|
||||||
|
|
||||||
|
-
|
||||||
|
id: 1002
|
||||||
|
org_id: 3
|
||||||
|
team_id: 1002
|
||||||
|
uid: 9
|
Loading…
Reference in a new issue