author | Lauris BH <lauris@nix.lv> | 2017-05-02 03:49:55 +0300 |
---|---|---|
committer | Lunny Xiao <xiaolunwen@gmail.com> | 2017-05-02 08:49:55 +0800 |
commit | 0144817971012bed2b00784064c37b1e7e5acff3 (patch) | |
tree | c1a6a95b1a1958901367c50031dcee5e85589872 /integrations | |
parent | 3ebbdfaa757e1299b3a495c8fc711d574c0d278f (diff) | |
download | gitea-0144817971012bed2b00784064c37b1e7e5acff3.tar.gz gitea-0144817971012bed2b00784064c37b1e7e5acff3.zip |
Do not allow commiting to protected branch from online editor (#1502)
* Do not allow commiting to protected branch from online editor
* Add editor integration tests for adding new file and not allowing to add new file to protected branch
Diffstat (limited to 'integrations')
-rw-r--r-- | integrations/editor_test.go | 106 | ||||
-rw-r--r-- | integrations/html_helper.go | 110 | ||||
-rw-r--r-- | integrations/integration_test.go | 83 |
3 files changed, 297 insertions, 2 deletions
diff --git a/integrations/editor_test.go b/integrations/editor_test.go
new file mode 100644
index 0000000000..df0cfaa291
--- /dev/null
+++ b/integrations/editor_test.go
@@ -0,0 +1,106 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "bytes"
+ "net/http"
+ "net/url"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestCreateFile(t *testing.T) {
+ prepareTestEnv(t)
+
+ session := loginUser(t, "user2", "password")
+
+ // Request editor page
+ req, err := http.NewRequest("GET", "/user2/repo1/_new/master/", nil)
+ assert.NoError(t, err)
+ resp := session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusOK, resp.HeaderCode)
+
+ doc, err := NewHtmlParser(resp.Body)
+ assert.NoError(t, err)
+ lastCommit := doc.GetInputValueByName("last_commit")
+ assert.NotEmpty(t, lastCommit)
+
+ // Save new file to master branch
+ req, err = http.NewRequest("POST", "/user2/repo1/_new/master/",
+ bytes.NewBufferString(url.Values{
+ "_csrf": []string{doc.GetInputValueByName("_csrf")},
+ "last_commit": []string{lastCommit},
+ "tree_path": []string{"test.txt"},
+ "content": []string{"Content"},
+ "commit_choice": []string{"direct"},
+ }.Encode()),
+ )
+ assert.NoError(t, err)
+ req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ resp = session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusFound, resp.HeaderCode)
+}
+
+func TestCreateFileOnProtectedBranch(t *testing.T) {
+ prepareTestEnv(t)
+
+ session := loginUser(t, "user2", "password")
+
+ // Open repository branch settings
+ req, err := http.NewRequest("GET", "/user2/repo1/settings/branches", nil)
+ assert.NoError(t, err)
+ resp := session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusOK, resp.HeaderCode)
+
+ doc, err := NewHtmlParser(resp.Body)
+ assert.NoError(t, err)
+
+ // Change master branch to protected
+ req, err = http.NewRequest("POST", "/user2/repo1/settings/branches?action=protected_branch",
+ bytes.NewBufferString(url.Values{
+ "_csrf": []string{doc.GetInputValueByName("_csrf")},
+ "branchName": []string{"master"},
+ "canPush": []string{"true"},
+ }.Encode()),
+ )
+ assert.NoError(t, err)
+ req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ resp = session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusOK, resp.HeaderCode)
+ // Check if master branch has been locked successfully
+ flashCookie := session.GetCookie("macaron_flash")
+ assert.NotNil(t, flashCookie)
+ assert.EqualValues(t, flashCookie.Value, "success%3Dmaster%2BLocked%2Bsuccessfully")
+
+ // Request editor page
+ req, err = http.NewRequest("GET", "/user2/repo1/_new/master/", nil)
+ assert.NoError(t, err)
+ resp = session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusOK, resp.HeaderCode)
+
+ doc, err = NewHtmlParser(resp.Body)
+ assert.NoError(t, err)
+ lastCommit := doc.GetInputValueByName("last_commit")
+ assert.NotEmpty(t, lastCommit)
+
+ // Save new file to master branch
+ req, err = http.NewRequest("POST", "/user2/repo1/_new/master/",
+ bytes.NewBufferString(url.Values{
+ "_csrf": []string{doc.GetInputValueByName("_csrf")},
+ "last_commit": []string{lastCommit},
+ "tree_path": []string{"test.txt"},
+ "content": []string{"Content"},
+ "commit_choice": []string{"direct"},
+ }.Encode()),
+ )
+ assert.NoError(t, err)
+ req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+ resp = session.MakeRequest(t, req)
+ assert.EqualValues(t, http.StatusOK, resp.HeaderCode)
+ // Check body for error message
+ assert.Contains(t, string(resp.Body), "Can not commit to protected branch 'master'.")
+}
diff --git a/integrations/html_helper.go b/integrations/html_helper.go
new file mode 100644
index 0000000000..db4e2953e6
--- /dev/null
+++ b/integrations/html_helper.go
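Review bot: In integrations/editor_test.go, TestCreateFileOnProtectedBranch ends by checking only that the response is 200 and contains `Can not commit to protected branch 'master'.`; nothing verifies that `test.txt` was not actually committed to master. A handler that rendered the error but still wrote the commit would pass, so the access-control behaviour itself is not pinned down. After the final POST, request the file's view URL with the same session and assert `http.StatusNotFound` (the exact route is outside this diff and needs confirming). Also, `assert.NotNil(t, flashCookie)` does not stop the test, so a missing cookie panics on `flashCookie.Value`; guard it with `if !assert.NotNil(t, flashCookie) { return }`.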
@@ -0,0 +1,110 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+ "bytes"
+
+ "golang.org/x/net/html"
+)
+
+type HtmlDoc struct {
+ doc *html.Node
+ body *html.Node
+}
+
+func NewHtmlParser(content []byte) (*HtmlDoc, error) {
+ doc, err := html.Parse(bytes.NewReader(content))
+ if err != nil {
+ return nil, err
+ }
+
+ return &HtmlDoc{doc: doc}, nil
+}
+
+func (doc *HtmlDoc) GetBody() *html.Node {
+ if doc.body == nil {
+ var b *html.Node
+ var f func(*html.Node)
+ f = func(n *html.Node) {
+ if n.Type == html.ElementNode && n.Data == "body" {
+ b = n
+ return
+ }
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ f(c)
+ }
+ }
+ f(doc.doc)
+ if b != nil {
+ doc.body = b
+ } else {
+ doc.body = doc.doc
+ }
+ }
+ return doc.body
+}
+
+func (doc *HtmlDoc) GetAttribute(n *html.Node, key string) (string, bool) {
+ for _, attr := range n.Attr {
+ if attr.Key == key {
+ return attr.Val, true
+ }
+ }
+ return "", false
+}
+
+func (doc *HtmlDoc) checkAttr(n *html.Node, attr, val string) bool {
+ if n.Type == html.ElementNode {
+ s, ok := doc.GetAttribute(n, attr)
+ if ok && s == val {
+ return true
+ }
+ }
+ return false
+}
+
+func (doc *HtmlDoc) traverse(n *html.Node, attr, val string) *html.Node {
+ if doc.checkAttr(n, attr, val) {
+ return n
+ }
+
+ for c := n.FirstChild; c != nil; c = c.NextSibling {
+ result := doc.traverse(c, attr, val)
+ if result != nil {
+ return result
+ }
+ }
+
+ return nil
+}
+
+func (doc *HtmlDoc) GetElementById(id string) *html.Node {
+ return doc.traverse(doc.GetBody(), "id", id)
+}
+
+func (doc *HtmlDoc) GetInputValueById(id string) string {
+ inp := doc.GetElementById(id)
+ if inp == nil {
+ return ""
+ }
+
+ val, _ := doc.GetAttribute(inp, "value")
+ return val
+}
+
+func (doc *HtmlDoc) GetElementByName(name string) *html.Node {
+ return doc.traverse(doc.GetBody(), "name", name)
+}
+ +func (doc *HtmlDoc) GetInputValueByName(name string) string { + inp := doc.GetElementByName(name) + if inp == nil { + return "" + } + + val, _ := doc.GetAttribute(inp, "value") + return val +} diff --git a/integrations/integration_test.go b/integrations/integration_test.go index e13c3b512f..6696ff65fc 100644 --- a/integrations/integration_test.go +++ b/integrations/integration_test.go @@ -11,7 +11,10 @@ import ( "io" "log" "net/http" + "net/http/cookiejar" + "net/url" "os" + "strings" "testing" "code.gitea.io/gitea/models" @@ -60,6 +63,10 @@ func initIntegrationTest() { fmt.Println("Environment variable $GITEA_CONF not set") os.Exit(1) } + if os.Getenv("GITEA_ROOT") == "" { + fmt.Println("Environment variable $GITEA_ROOT not set") + os.Exit(1) + } setting.NewContext() models.LoadConfigs() 
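Review bot: In integrations/html_helper.go, `GetInputValueByName` and `GetInputValueById` return `""` both when no element matches and when the match has no `value` attribute, and `traverse` accepts any element carrying the attribute rather than only `<input>`. The tests in this commit feed the result straight into the `_csrf` form field, so a page without the token yields a POST with an empty token and an unclear failure further down instead of a failure at the lookup. Either return `(string, bool)` from these helpers or have callers run `assert.NotEmpty` on the `_csrf` value, as they already do for `last_commit`. The exported identifiers also have no doc comments; a line such as `// GetInputValueByName returns the value attribute of the first element whose name attribute equals name, or "" if none is found.` on each would state that contract.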
@@ -103,13 +110,82 @@ func prepareTestEnv(t *testing.T) { assert.NoError(t, com.CopyDir("integrations/gitea-integration-meta", "integrations/gitea-integration")) } +type TestSession struct { + jar http.CookieJar +} + +func (s *TestSession) GetCookie(name string) *http.Cookie { + baseURL, err := url.Parse(setting.AppURL) + if err != nil { + return nil + } + + for _, c := range s.jar.Cookies(baseURL) { + if c.Name == name { + return c + } + } + return nil +} + +func (s *TestSession) MakeRequest(t *testing.T, req *http.Request) *TestResponse { + baseURL, err := url.Parse(setting.AppURL) + assert.NoError(t, err) + for _, c := range s.jar.Cookies(baseURL) { + req.AddCookie(c) + } + resp := MakeRequest(req) + + ch := http.Header{} + ch.Add("Cookie", strings.Join(resp.Headers["Set-Cookie"], ";")) + cr := http.Request{Header: ch} + s.jar.SetCookies(baseURL, cr.Cookies()) + + return resp +} + +func loginUser(t *testing.T, userName, password string) *TestSession { + req, err := http.NewRequest("GET", "/user/login", nil) + assert.NoError(t, err) + resp := MakeRequest(req) + assert.EqualValues(t, http.StatusOK, resp.HeaderCode) + + doc, err := NewHtmlParser(resp.Body) + assert.NoError(t, err) + + req, err = http.NewRequest("POST", "/user/login", + bytes.NewBufferString(url.Values{ + "_csrf": []string{doc.GetInputValueByName("_csrf")}, + "user_name": []string{userName}, + "password": []string{password}, + }.Encode()), + ) + assert.NoError(t, err) + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + resp = MakeRequest(req) + assert.EqualValues(t, http.StatusFound, resp.HeaderCode) + + ch := http.Header{} + ch.Add("Cookie", strings.Join(resp.Headers["Set-Cookie"], ";")) + cr := http.Request{Header: ch} + + jar, err := cookiejar.New(nil) + assert.NoError(t, err) + baseURL, err := url.Parse(setting.AppURL) + assert.NoError(t, err) + jar.SetCookies(baseURL, cr.Cookies()) + + return &TestSession{jar: jar} +} + type TestResponseWriter struct { HeaderCode int Writer 
io.Writer + Headers http.Header } func (w *TestResponseWriter) Header() http.Header { - return make(map[string][]string) + return w.Headers } func (w *TestResponseWriter) Write(b []byte) (int, error) { @@ -123,16 +199,19 @@ func (w *TestResponseWriter) WriteHeader(n int) { type TestResponse struct { HeaderCode int Body []byte + Headers http.Header } func MakeRequest(req *http.Request) *TestResponse { buffer := bytes.NewBuffer(nil) respWriter := &TestResponseWriter{ - Writer: buffer, + Writer: buffer, + Headers: make(map[string][]string), } mac.ServeHTTP(respWriter, req) return &TestResponse{ HeaderCode: respWriter.HeaderCode, Body: buffer.Bytes(), + Headers: respWriter.Headers, } } |
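Review bot: `TestSession.MakeRequest` and `loginUser` both rebuild cookies by joining the `Set-Cookie` response values with `;` into a `Cookie` request header and parsing that, which turns attributes such as `Path` or `Max-Age` into separate cookies and drops their meaning (expiry, deletion, `HttpOnly`/`Secure`). The jar can then hold bogus entries and keep cookies the server asked to clear, which weakens any test that depends on session or flash-cookie state. Parse the response side instead, e.g. `s.jar.SetCookies(baseURL, (&http.Response{Header: resp.Headers}).Cookies())`, and the same with `jar` in `loginUser`. In `MakeRequest`, `assert.NoError(t, err)` does not stop execution, so a malformed `setting.AppURL` carries on with a nil `baseURL`; return early after the failed assertion.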