luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-05-04 13:50:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

security: add permission check to 'delete branch after merge'

Browse source 
- Add a permission check that the doer has write permissions to the head
repository if the the 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.
This commit is contained in:
Gusted 2024-10-23 00:48:46 +02:00 committed by Earl Warren
parent 00379db370
commit 266e0b2ce9
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
7 changed files with 139 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

32
tests/integration/pull_merge_test.go
View file

@ -37,6 +37,7 @@ import (
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/modules/translation"
"code.gitea.io/gitea/services/automerge"
forgejo_context "code.gitea.io/gitea/services/context"
"code.gitea.io/gitea/services/forms"
"code.gitea.io/gitea/services/pull"
commitstatus_service "code.gitea.io/gitea/services/repository/commitstatus"
@ -1150,3 +1151,34 @@ func TestPullAutoMergeAfterCommitStatusSucceedAndApprovalForAgitFlow(t *testing.
unittest.AssertNotExistsBean(t, &pull_model.AutoMerge{PullID: pr.ID})
})
}
func TestPullDeleteBranchPerms(t *testing.T) {
onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
user2Session := loginUser(t, "user2")
user4Session := loginUser(t, "user4")
testRepoFork(t, user4Session, "user2", "repo1", "user4", "repo1")
testEditFileToNewBranch(t, user2Session, "user2", "repo1", "master", "base-pr", "README.md", "Hello, World\n(Edited - base PR)\n")
req := NewRequestWithValues(t, "POST", "/user4/repo1/compare/master...user2/repo1:base-pr", map[string]string{
"_csrf": GetCSRF(t, user4Session, "/user4/repo1/compare/master...user2/repo1:base-pr"),
"title": "Testing PR",
})
resp := user4Session.MakeRequest(t, req, http.StatusOK)
elem := strings.Split(test.RedirectURL(resp), "/")
req = NewRequestWithValues(t, "POST", "/user4/repo1/pulls/"+elem[4]+"/merge", map[string]string{
"_csrf": GetCSRF(t, user4Session, "/user4/repo1/pulls/"+elem[4]),
"do": "merge",
"delete_branch_after_merge": "on",
})
user4Session.MakeRequest(t, req, http.StatusOK)
flashCookie := user4Session.GetCookie(forgejo_context.CookieNameFlash)
assert.NotNil(t, flashCookie)
assert.EqualValues(t, "error%3DYou%2Bdon%2527t%2Bhave%2Bpermission%2Bto%2Bdelete%2Bthe%2Bhead%2Bbranch.", flashCookie.Value)
// Check that the branch still exist.
req = NewRequest(t, "GET", "/user2/repo1/src/branch/base-pr")
user4Session.MakeRequest(t, req, http.StatusOK)
})
}