summaryrefslogtreecommitdiffstats
path: root/tests/integration
diff options
context:
space:
mode:
authoryp05327 <576951401@qq.com>2023-04-06 23:18:29 +0900
committerGitHub <noreply@github.com>2023-04-06 22:18:29 +0800
commitbbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0 (patch)
tree86f6b9e782874c8a88447f246ee6a9fbe2ee130d /tests/integration
parent5cb394ff2fb93935b90493894b97371734f1384e (diff)
downloadgitea-bbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0.tar.gz
gitea-bbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0.zip
Improve permission check of packages (#23879)
At first, we have one unified team unit permission which is called `Team.Authorize` in DB. But since https://github.com/go-gitea/gitea/pull/17811, we allowed different units to have different permission. The old code is only designed for the old version. So after #17811, if org users have write permission of other units, but have no permission of packages, they can also get write permission of packages. Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'tests/integration')
-rw-r--r--tests/integration/api_packages_test.go10
1 files changed, 10 insertions, 0 deletions
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 4228003e2d..74a7e3c795 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -157,6 +157,7 @@ func TestPackageAccess(t *testing.T) {
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+ privatedOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
@@ -170,6 +171,15 @@ func TestPackageAccess(t *testing.T) {
uploadPackage(inactive, user, http.StatusUnauthorized)
uploadPackage(admin, inactive, http.StatusCreated)
uploadPackage(admin, user, http.StatusCreated)
+
+ // team.authorize is write, but team_unit.access_mode is none
+ // so the user can not upload packages or get package list
+ uploadPackage(user, privatedOrg, http.StatusUnauthorized)
+
+ session := loginUser(t, user.Name)
+ tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
+ req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", privatedOrg.Name, tokenReadPackage))
+ MakeRequest(t, req, http.StatusForbidden)
}
func TestPackageQuota(t *testing.T) {