Extend TestUserOrgs to cover permission cases (#14495)

* TestMyOrgs: add unauthorized test

* Extend TestUserOrgs, to cover permission cases

diff --git a/integrations/api_user_orgs_test.go b/integrations/api_user_orgs_test.go
index 849cb74c46ea5dec25a4e5e80f2cbf9b3804888d..c72ee76098d921b13d471d1500fd9b371d3573ca 100644 (file)
--- a/integrations/api_user_orgs_test.go
+++ b/integrations/api_user_orgs_test.go
@@ -19,15 +19,12 @@ func TestUserOrgs(t *testing.T) {
        defer prepareTestEnv(t)()
        adminUsername := "user1"
        normalUsername := "user2"
-       session := loginUser(t, adminUsername)
-       token := getTokenForLoggedInUser(t, session)
-       urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", normalUsername, token)
-       req := NewRequest(t, "GET", urlStr)
-       resp := session.MakeRequest(t, req, http.StatusOK)
-       var orgs []*api.Organization
-       user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)
+       privateMemberUsername := "user4"
+       unrelatedUsername := "user5"
 
-       DecodeJSON(t, resp, &orgs)
+       orgs := getUserOrgs(t, adminUsername, normalUsername)
+
+       user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)
 
        assert.Equal(t, []*api.Organization{
                {
@@ -41,16 +38,46 @@ func TestUserOrgs(t *testing.T) {
                        Visibility:  "public",
                },
        }, orgs)
+
+       // user itself should get it's org's he is a member of
+       orgs = getUserOrgs(t, privateMemberUsername, privateMemberUsername)
+       assert.Len(t, orgs, 1)
+
+       // unrelated user should not get private org membership of privateMemberUsername
+       orgs = getUserOrgs(t, unrelatedUsername, privateMemberUsername)
+       assert.Len(t, orgs, 0)
+
+       // not authenticated call also should hide org membership
+       orgs = getUserOrgs(t, "", privateMemberUsername)
+       assert.Len(t, orgs, 0)
+}
+
+func getUserOrgs(t *testing.T, userDoer, userCheck string) (orgs []*api.Organization) {
+       var token = ""
+       session := emptyTestSession(t)
+       if len(userDoer) != 0 {
+               session = loginUser(t, userDoer)
+               token = getTokenForLoggedInUser(t, session)
+       }
+       urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token)
+       req := NewRequest(t, "GET", urlStr)
+       resp := session.MakeRequest(t, req, http.StatusOK)
+       DecodeJSON(t, resp, &orgs)
+       return orgs
 }
 
 func TestMyOrgs(t *testing.T) {
        defer prepareTestEnv(t)()
 
+       session := emptyTestSession(t)
+       req := NewRequest(t, "GET", "/api/v1/user/orgs")
+       resp := session.MakeRequest(t, req, http.StatusUnauthorized)
+
        normalUsername := "user2"
-       session := loginUser(t, normalUsername)
+       session = loginUser(t, normalUsername)
        token := getTokenForLoggedInUser(t, session)
-       req := NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
-       resp := session.MakeRequest(t, req, http.StatusOK)
+       req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
+       resp = session.MakeRequest(t, req, http.StatusOK)
        var orgs []*api.Organization
        DecodeJSON(t, resp, &orgs)
        user3 := models.AssertExistsAndLoadBean(t, &models.User{Name: "user3"}).(*models.User)