author | Lunny Xiao <xiaolunwen@gmail.com> | 2023-04-28 04:43:27 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-27 22:43:27 +0200 |
commit | ecf1f2d3f619e5e9dfe1e1782c39604d63ae4c38 (patch) | |
tree | 27d744a25a96dd41e1b9e15820a169f7f7358013 /tests | |
parent | 5141bbd9ba1445a9cbe3103319ae516c178d4e17 (diff) | |
Fix auth check bug (#24382)
Fix https://github.com/go-gitea/gitea/pull/24362/files#r1179095324
`getAuthenticatedMeta` has already checked them; this code is duplicated.
And the first invocation has a wrong permission check: `DownloadHandle`
should require read permission, not write.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/integration/lfs_getobject_test.go | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/tests/integration/lfs_getobject_test.go b/tests/integration/lfs_getobject_test.go
index 7b1b3e109c..ba236d355f 100644
--- a/tests/integration/lfs_getobject_test.go
+++ b/tests/integration/lfs_getobject_test.go
@@ -11,6 +11,7 @@ import (
 "net/http/httptest"
 "testing"
 
+ "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 git_model "code.gitea.io/gitea/models/git"
 repo_model "code.gitea.io/gitea/models/repo"
@@ -40,6 +41,31 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
 return pointer.Oid
 }
 
+func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
+ repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
+ assert.NoError(t, err)
+ oid := storeObjectInRepo(t, repo.ID, content)
+ defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
+
+ token := getUserToken(t, "user2", ts)
+
+ // Request OID
+ req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
+ req.Header.Set("Accept-Encoding", "gzip")
+ req.SetBasicAuth("user2", token)
+ if extraHeader != nil {
+ for key, values := range *extraHeader {
+ for _, value := range values {
+ req.Header.Add(key, value)
+ }
+ }
+ }
+
+ resp := MakeRequest(t, req, expectedStatus)
+
+ return resp
+}
+
 func storeAndGetLfs(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
 repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
 assert.NoError(t, err)
@@ -89,6 +115,21 @@ func TestGetLFSSmall(t *testing.T) {
 checkResponseTestContentEncoding(t, &content, resp, false)
 }
 
+func TestGetLFSSmallToken(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ content := []byte("A very small file\n")
+
+ resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
+ checkResponseTestContentEncoding(t, &content, resp, false)
+}
+
+func TestGetLFSSmallTokenFail(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ content := []byte("A very small file\n")
+
+ storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
+}
+
 func TestGetLFSLarge(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 content := make([]byte, web.GzipMinSize*10)
|
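Review bot: TestGetLFSSmallTokenFail only pins that a token with no repository scope is rejected, and TestGetLFSSmallToken uses the public-repo scope, so neither new test pins the point the commit message makes — that download needs read rather than write permission — and a regression back to a write check would still pass both; a case that downloads with a read-only token scope and expects http.StatusOK would guard it, if auth.AccessTokenScope offers such a scope (not visible here). In the storeAndGetLfsToken hunk the helper repeats the repository lookup, object store, deferred cleanup and header loop of storeAndGetLfs, which begins right below it and continues outside the hunk; one shared helper taking a function that attaches the credentials to the request would remove the copy. The `resp := MakeRequest(t, req, expectedStatus)` / `return resp` pair at the end of storeAndGetLfsToken can be `return MakeRequest(t, req, expectedStatus)`.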