authorLunny Xiao <xiaolunwen@gmail.com>2024-10-08 17:51:09 +0800
committerGitHub <noreply@github.com>2024-10-08 12:51:09 +0300
commitd6d3c96e6555fc91b3e2ef21f4d8d7475564bb3e (patch)
tree710dd914452b0c11b39aa6cbc9f431302af0b1f9 /tests
parentd3ada91ea41b2f2eb58d637ab4c0a2dde07f20ce (diff)
Fix bug when a token is given public only (#32204)
Diffstat (limited to 'tests')
-rw-r--r--tests/integration/api_issue_test.go34
-rw-r--r--tests/integration/api_repo_branch_test.go11
-rw-r--r--tests/integration/api_user_search_test.go13
3 files changed, 57 insertions, 1 deletions
diff --git a/tests/integration/api_issue_test.go b/tests/integration/api_issue_test.go
index 8bfb6fabe2..5b9f16ef96 100644
--- a/tests/integration/api_issue_test.go
+++ b/tests/integration/api_issue_test.go
@@ -75,6 +75,34 @@ func TestAPIListIssues(t *testing.T) {
}
}
+func TestAPIListIssuesPublicOnly(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+ owner1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo1.OwnerID})
+
+ session := loginUser(t, owner1.Name)
+ token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
+ link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner1.Name, repo1.Name))
+ link.RawQuery = url.Values{"state": {"all"}}.Encode()
+ req := NewRequest(t, "GET", link.String()).AddTokenAuth(token)
+ MakeRequest(t, req, http.StatusOK)
+
+ repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
+ owner2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo2.OwnerID})
+
+ session = loginUser(t, owner2.Name)
+ token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
+ link, _ = url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner2.Name, repo2.Name))
+ link.RawQuery = url.Values{"state": {"all"}}.Encode()
+ req = NewRequest(t, "GET", link.String()).AddTokenAuth(token)
+ MakeRequest(t, req, http.StatusOK)
+
+ publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopePublicOnly)
+ req = NewRequest(t, "GET", link.String()).AddTokenAuth(publicOnlyToken)
+ MakeRequest(t, req, http.StatusForbidden)
+}
+
func TestAPICreateIssue(t *testing.T) {
defer tests.PrepareTestEnv(t)()
const body, title = "apiTestBody", "apiTestTitle"
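Review bot: TestAPIListIssuesPublicOnly only asserts the negative case — a PublicOnly token gets 403 on repo 2 — and never shows that the same scope still succeeds on the public repo 1, so a regression that rejects every PublicOnly token would pass this test. I would add a positive control in the owner1 block, e.g. `MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopePublicOnly)), http.StatusOK)` right after the first request. The 403 on repo 2 also silently depends on fixture repo 2 being private; pinning that with `assert.True(t, repo2.IsPrivate)` after loading it (field name assumed from the repository model) makes the expectation self-documenting and fails loudly if the fixture changes.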
@@ -243,6 +271,12 @@ func TestAPISearchIssues(t *testing.T) {
DecodeJSON(t, resp, &apiIssues)
assert.Len(t, apiIssues, expectedIssueCount)
+ publicOnlyToken := getUserToken(t, "user1", auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopePublicOnly)
+ req = NewRequest(t, "GET", link.String()).AddTokenAuth(publicOnlyToken)
+ resp = MakeRequest(t, req, http.StatusOK)
+ DecodeJSON(t, resp, &apiIssues)
+ assert.Len(t, apiIssues, 15) // 15 public issues
+
since := "2000-01-01T00:50:01+00:00" // 946687801
before := time.Unix(999307200, 0).Format(time.RFC3339)
query.Add("since", since)
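Review bot: `assert.Len(t, apiIssues, 15)` pins a fixture count but not the property the PublicOnly scope is meant to guarantee, namely that no returned issue belongs to a private repository; a fixture change that swapped one public issue for a private one would keep the count at 15 and the leak would go unnoticed. I would keep the count and add a per-result check, loading `&repo_model.Repository{ID: issue.Repository.ID}` via `unittest.AssertExistsAndLoadBean` and asserting `assert.False(t, repo.IsPrivate)` for each issue (assuming the API issue exposes its repository ID as elsewhere in this suite). The enclosing TestAPISearchIssues starts and ends outside the hunk.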
diff --git a/tests/integration/api_repo_branch_test.go b/tests/integration/api_repo_branch_test.go
index b0ac2286c9..63080b308c 100644
--- a/tests/integration/api_repo_branch_test.go
+++ b/tests/integration/api_repo_branch_test.go
@@ -28,9 +28,13 @@ func TestAPIRepoBranchesPlain(t *testing.T) {
repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
session := loginUser(t, user1.LowerName)
- token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
+ // public only token should be forbidden
+ publicOnlyToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopePublicOnly, auth_model.AccessTokenScopeWriteRepository)
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/org3/%s/branches", repo3.Name)) // a plain repo
+ MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(publicOnlyToken), http.StatusForbidden)
+
+ token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
resp := MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(token), http.StatusOK)
bs, err := io.ReadAll(resp.Body)
assert.NoError(t, err)
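Review bot: The comment `// public only token should be forbidden` does not say why, and the 403 is only correct because fixture repo 3 under org3 is private; a reader cannot tell whether the test exercises the scope restriction or an unrelated permission failure. I would expand it to `// repo3 is private, so a PublicOnly token must be rejected even though it also carries write:repository` and guard the assumption with `assert.True(t, repo3.IsPrivate)` before the request (field name assumed from the repository model), so the test fails on the fixture rather than on a misleading status code if repo 3 ever becomes public. TestAPIRepoBranchesPlain continues past the hunk.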
@@ -42,6 +46,8 @@ func TestAPIRepoBranchesPlain(t *testing.T) {
assert.EqualValues(t, "master", branches[1].Name)
link2, _ := url.Parse(fmt.Sprintf("/api/v1/repos/org3/%s/branches/test_branch", repo3.Name))
+ MakeRequest(t, NewRequest(t, "GET", link2.String()).AddTokenAuth(publicOnlyToken), http.StatusForbidden)
+
resp = MakeRequest(t, NewRequest(t, "GET", link2.String()).AddTokenAuth(token), http.StatusOK)
bs, err = io.ReadAll(resp.Body)
assert.NoError(t, err)
@@ -49,6 +55,8 @@ func TestAPIRepoBranchesPlain(t *testing.T) {
assert.NoError(t, json.Unmarshal(bs, &branch))
assert.EqualValues(t, "test_branch", branch.Name)
+ MakeRequest(t, NewRequest(t, "POST", link.String()).AddTokenAuth(publicOnlyToken), http.StatusForbidden)
+
req := NewRequest(t, "POST", link.String()).AddTokenAuth(token)
req.Header.Add("Content-Type", "application/json")
req.Body = io.NopCloser(bytes.NewBufferString(`{"new_branch_name":"test_branch2", "old_branch_name": "test_branch", "old_ref_name":"refs/heads/test_branch"}`))
@@ -73,6 +81,7 @@ func TestAPIRepoBranchesPlain(t *testing.T) {
link3, _ := url.Parse(fmt.Sprintf("/api/v1/repos/org3/%s/branches/test_branch2", repo3.Name))
MakeRequest(t, NewRequest(t, "DELETE", link3.String()), http.StatusNotFound)
+ MakeRequest(t, NewRequest(t, "DELETE", link3.String()).AddTokenAuth(publicOnlyToken), http.StatusForbidden)
MakeRequest(t, NewRequest(t, "DELETE", link3.String()).AddTokenAuth(token), http.StatusNoContent)
assert.NoError(t, err)
diff --git a/tests/integration/api_user_search_test.go b/tests/integration/api_user_search_test.go
index ff4671c54e..e9805a5139 100644
--- a/tests/integration/api_user_search_test.go
+++ b/tests/integration/api_user_search_test.go
@@ -38,6 +38,19 @@ func TestAPIUserSearchLoggedIn(t *testing.T) {
assert.Contains(t, user.UserName, query)
assert.NotEmpty(t, user.Email)
}
+
+ publicToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopePublicOnly)
+ req = NewRequestf(t, "GET", "/api/v1/users/search?q=%s", query).
+ AddTokenAuth(publicToken)
+ resp = MakeRequest(t, req, http.StatusOK)
+ results = SearchResults{}
+ DecodeJSON(t, resp, &results)
+ assert.NotEmpty(t, results.Data)
+ for _, user := range results.Data {
+ assert.Contains(t, user.UserName, query)
+ assert.NotEmpty(t, user.Email)
+ assert.True(t, user.Visibility == "public")
+ }
}
func TestAPIUserSearchNotLoggedIn(t *testing.T) {
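Review bot: The loop only inspects the rows that came back, so if no non-public user matches `query` (defined above the hunk) in the fixtures, the `Visibility == "public"` assertion is vacuous and would not catch a PublicOnly filter that is never applied. Capturing the logged-in result count before `results` is reset, e.g. `allCount := len(results.Data)`, and adding `assert.Less(t, len(results.Data), allCount)` would prove the scope actually removed something, provided such a user exists in the fixtures — worth confirming. Stylistically, `assert.True(t, user.Visibility == "public")` loses the actual value on failure; `assert.Equal(t, "public", user.Visibility)` reports it. The test also pins that a PublicOnly token still receives `user.Email`; if that is intended, a comment such as `// PublicOnly limits which users are listed, not which fields are returned` would stop readers from reading it as a leak.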