summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorKN4CK3R <admin@oldschoolhack.me>2022-10-24 21:23:25 +0200
committerGitHub <noreply@github.com>2022-10-24 22:23:25 +0300
commit7c11a73833f3aa9783015e5e13871d3c298d3ef6 (patch)
treeae362008dffd5f24d750b7a51294e6b5b4f07636 /tests
parent49a4464160254604d2c42b760a901952d8bc3c8b (diff)
downloadgitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.tar.gz
gitea-7c11a73833f3aa9783015e5e13871d3c298d3ef6.zip
Fix package access for admins and inactive users (#21580)
I noticed an admin is not allowed to upload packages for other users because `ctx.IsSigned` was not set. I added a check for `user.IsActive` and `user.ProhibitLogin` too because both was not checked. Tests enforce this now. Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'tests')
-rw-r--r--tests/integration/api_packages_container_test.go4
-rw-r--r--tests/integration/api_packages_test.go22
2 files changed, 26 insertions, 0 deletions
diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go
index b8a3884371..ba76ee4baa 100644
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@@ -471,6 +471,10 @@ func TestPackageContainer(t *testing.T) {
assert.Equal(t, fmt.Sprintf("%d", len(blobContent)), resp.Header().Get("Content-Length"))
assert.Equal(t, blobDigest, resp.Header().Get("Docker-Content-Digest"))
+
+ req = NewRequest(t, "HEAD", fmt.Sprintf("%s/blobs/%s", url, blobDigest))
+ addTokenAuthHeader(req, anonymousToken)
+ MakeRequest(t, req, http.StatusOK)
})
t.Run("GetBlob", func(t *testing.T) {
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
index 86d81994d4..25f5b3f2a1 100644
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@@ -25,6 +25,7 @@ import (
func TestPackageAPI(t *testing.T) {
defer tests.PrepareTestEnv(t)()
+
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
@@ -144,6 +145,27 @@ func TestPackageAPI(t *testing.T) {
})
}
+func TestPackageAccess(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+ user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+ inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+
+ uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
+ url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
+ req := NewRequestWithBody(t, "PUT", url, bytes.NewReader([]byte{1}))
+ AddBasicAuthHeader(req, doer.Name)
+ MakeRequest(t, req, expectedStatus)
+ }
+
+ uploadPackage(user, inactive, http.StatusUnauthorized)
+ uploadPackage(inactive, inactive, http.StatusUnauthorized)
+ uploadPackage(inactive, user, http.StatusUnauthorized)
+ uploadPackage(admin, inactive, http.StatusCreated)
+ uploadPackage(admin, user, http.StatusCreated)
+}
+
func TestPackageCleanup(t *testing.T) {
defer tests.PrepareTestEnv(t)()