summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--integrations/org_test.go63
-rw-r--r--models/fixtures/repository.yml4
-rw-r--r--modules/context/repo.go2
-rw-r--r--routers/api/v1/repo/release.go2
4 files changed, 67 insertions, 4 deletions
diff --git a/integrations/org_test.go b/integrations/org_test.go
index ee61aae6f5..ac234de650 100644
--- a/integrations/org_test.go
+++ b/integrations/org_test.go
@@ -5,10 +5,12 @@
package integrations
import (
+ "fmt"
"net/http"
"strings"
"testing"
+ api "code.gitea.io/gitea/modules/structs"
"github.com/stretchr/testify/assert"
)
@@ -110,3 +112,64 @@ func TestPrivateOrg(t *testing.T) {
req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org")
session.MakeRequest(t, req, http.StatusOK)
}
+
+func TestOrgRestrictedUser(t *testing.T) {
+ defer prepareTestEnv(t)()
+
+ // privated_org is a private org who has id 23
+ orgName := "privated_org"
+
+ // public_repo_on_private_org is a public repo on privated_org
+ repoName := "public_repo_on_private_org"
+
+ // user29 is a restricted user who is not a member of the organization
+ restrictedUser := "user29"
+
+ // #17003 reports a bug whereby adding a restricted user to a read-only team doesn't work
+
+ // assert restrictedUser cannot see the org or the public repo
+ restrictedSession := loginUser(t, restrictedUser)
+ req := NewRequest(t, "GET", fmt.Sprintf("/%s", orgName))
+ restrictedSession.MakeRequest(t, req, http.StatusNotFound)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s", orgName, repoName))
+ restrictedSession.MakeRequest(t, req, http.StatusNotFound)
+
+ // Therefore create a read-only team
+ adminSession := loginUser(t, "user1")
+ token := getTokenForLoggedInUser(t, adminSession)
+
+ teamToCreate := &api.CreateTeamOption{
+ Name: "codereader",
+ Description: "Code Reader",
+ IncludesAllRepositories: true,
+ Permission: "read",
+ Units: []string{"repo.code"},
+ }
+
+ req = NewRequestWithJSON(t, "POST",
+ fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", orgName, token), teamToCreate)
+
+ var apiTeam api.Team
+
+ resp := adminSession.MakeRequest(t, req, http.StatusCreated)
+ DecodeJSON(t, resp, &apiTeam)
+ checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+ teamToCreate.Permission, teamToCreate.Units)
+ checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories,
+ teamToCreate.Permission, teamToCreate.Units)
+ //teamID := apiTeam.ID
+
+ // Now we need to add the restricted user to the team
+ req = NewRequest(t, "PUT",
+ fmt.Sprintf("/api/v1/teams/%d/members/%s?token=%s", apiTeam.ID, restrictedUser, token))
+ _ = adminSession.MakeRequest(t, req, http.StatusNoContent)
+
+ // Now we need to check if the restrictedUser can access the repo
+ req = NewRequest(t, "GET", fmt.Sprintf("/%s", orgName))
+ restrictedSession.MakeRequest(t, req, http.StatusOK)
+
+ req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s", orgName, repoName))
+ restrictedSession.MakeRequest(t, req, http.StatusOK)
+
+}
diff --git a/models/fixtures/repository.yml b/models/fixtures/repository.yml
index 6860d00b30..dc8ebecfc5 100644
--- a/models/fixtures/repository.yml
+++ b/models/fixtures/repository.yml
@@ -568,7 +568,7 @@
-
id: 40
owner_id: 23
- owner_name: limited_org
+ owner_name: privated_org
lower_name: public_repo_on_private_org
name: public_repo_on_private_org
is_private: false
@@ -581,7 +581,7 @@
-
id: 41
owner_id: 23
- owner_name: limited_org
+ owner_name: privated_org
lower_name: private_repo_on_private_org
name: private_repo_on_private_org
is_private: true
diff --git a/modules/context/repo.go b/modules/context/repo.go
index 8972cd28bc..88f4d27658 100644
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -345,7 +345,7 @@ func repoAssignment(ctx *Context, repo *models.Repository) {
}
// Check access.
- if ctx.Repo.Permission.AccessMode == models.AccessModeNone {
+ if !ctx.Repo.Permission.HasAccess() {
if ctx.FormString("go-get") == "1" {
EarlyResponseForGoGetMeta(ctx)
return
diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go
index 6438c6e9b4..a600a1e33f 100644
--- a/routers/api/v1/repo/release.go
+++ b/routers/api/v1/repo/release.go
@@ -114,7 +114,7 @@ func ListReleases(ctx *context.APIContext) {
opts := models.FindReleasesOptions{
ListOptions: listOptions,
- IncludeDrafts: ctx.Repo.AccessMode >= models.AccessModeWrite,
+ IncludeDrafts: ctx.Repo.AccessMode >= models.AccessModeWrite || ctx.Repo.UnitAccessMode(models.UnitTypeReleases) >= models.AccessModeWrite,
IncludeTags: false,
IsDraft: ctx.FormOptionalBool("draft"),
IsPreRelease: ctx.FormOptionalBool("pre-release"),