author | yp05327 <576951401@qq.com> | 2023-04-06 23:18:29 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 22:18:29 +0800 |
commit | bbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0 (patch) | |
tree | 86f6b9e782874c8a88447f246ee6a9fbe2ee130d /tests/integration | |
parent | 5cb394ff2fb93935b90493894b97371734f1384e (diff) | |
download | gitea-bbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0.tar.gz gitea-bbf83f5d4bd8dbe1cd6dbcf7b45ef47072e5add0.zip |
Improve permission check of packages (#23879)
At first, we have one unified team unit permission which is called
`Team.Authorize` in DB.
But since https://github.com/go-gitea/gitea/pull/17811, we allowed
different units to have different permission.
The old code was only designed for the unified permission model. So after #17811, org users who had write permission on other units but no permission on the packages unit were still granted write permission on packages.
Co-authored-by: delvh <dev.lh@web.de>
Diffstat (limited to 'tests/integration')
-rw-r--r-- | tests/integration/api_packages_test.go | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 4228003e2d..74a7e3c795 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -157,6 +157,7 @@ func TestPackageAccess(t *testing.T) {
 	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
 	inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+	privatedOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
 
 	uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
 		url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
@@ -170,6 +171,15 @@ func TestPackageAccess(t *testing.T) {
 	uploadPackage(inactive, user, http.StatusUnauthorized)
 	uploadPackage(admin, inactive, http.StatusCreated)
 	uploadPackage(admin, user, http.StatusCreated)
+
+	// team.authorize is write, but team_unit.access_mode is none
+	// so the user can not upload packages or get package list
+	uploadPackage(user, privatedOrg, http.StatusUnauthorized)
+
+	session := loginUser(t, user.Name)
+	tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", privatedOrg.Name, tokenReadPackage))
+	MakeRequest(t, req, http.StatusForbidden)
 }
 
 func TestPackageQuota(t *testing.T) {
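Review bot: The new assertions in the second hunk exercise only the deny direction (team.authorize write, package team_unit.access_mode none), so a regressed check that denied package access to every org member would still pass; the positive case the fix must preserve — a member whose package team_unit grants write while other units do not — should be asserted too, with an `http.StatusCreated` upload and an `http.StatusOK` list against the same org, using whichever fixture provides that team. The same authenticated user is pinned to `http.StatusUnauthorized` on upload but `http.StatusForbidden` on the list; if uploadPackage sends credentials (its body is cut by the hunk), 403 is the status that distinguishes "authenticated but not permitted" from "not authenticated", so that divergence is worth confirming before the test locks it in. The comment above `uploadPackage(user, privatedOrg, ...)` should also name the fixture rows it depends on, e.g. `// org 23: presumably user 5 belongs to a team with team.authorize = write but a packages team_unit with access_mode = none; verify against the team/team_unit fixtures`, so the test does not silently lose its meaning if the fixtures change. TestPackageAccess starts before the first hunk and continues between the two hunks.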