luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-05-16 23:12:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

[GITEA] Fix panic in canSoftDeleteContentHistory

Browse source 
- It's possible that `canSoftDeleteContentHistory` is called without
`ctx.Doer` being set, such as an anonymous user requesting the
`/content-history/detail` endpoint.
- Add a simple condition to always set to `canSoftDelete` to false if an
anonymous user is requesting this, this avoids a panic in the code that
assumes `ctx.Doer` is set.
- Added integration testing.

(cherry picked from commit 0b5db0dcc6)
(cherry picked from commit 30d168bcc8)
(cherry picked from commit 19be82b7ef)
This commit is contained in:
Gusted 2024-01-13 11:55:33 +01:00 committed by Earl Warren
parent 838ab9740a
commit 334b703b17
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 71 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

52
tests/integration/issue_test.go
View file

@ -718,3 +718,55 @@ func TestIssueReferenceURL(t *testing.T) {
ref, _ = htmlDoc.Find(`.timeline-item.comment:not(.first) .reference-issue`).Attr("data-reference")
assert.EqualValues(t, "/user2/repo1/issues/1#issuecomment-2", ref)
}
func TestGetContentHistory(t *testing.T) {
defer tests.AddFixtures("tests/integration/fixtures/TestGetContentHistory/")()
defer tests.PrepareTestEnv(t)()
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
issueURL := fmt.Sprintf("%s/issues/%d", repo.FullName(), issue.Index)
contentHistory := unittest.AssertExistsAndLoadBean(t, &issues_model.ContentHistory{ID: 2, IssueID: issue.ID})
contentHistoryURL := fmt.Sprintf("%s/issues/%d/content-history/detail?comment_id=%d&history_id=%d", repo.FullName(), issue.Index, contentHistory.CommentID, contentHistory.ID)
type contentHistoryResp struct {
CanSoftDelete bool `json:"canSoftDelete"`
HistoryID int `json:"historyId"`
PrevHistoryID int `json:"prevHistoryId"`
}
testCase := func(t *testing.T, session *TestSession, canDelete bool) {
t.Helper()
contentHistoryURL := contentHistoryURL + "&_csrf=" + GetCSRF(t, session, issueURL)
req := NewRequest(t, "GET", contentHistoryURL)
resp := session.MakeRequest(t, req, http.StatusOK)
var respJSON contentHistoryResp
DecodeJSON(t, resp, &respJSON)
assert.EqualValues(t, canDelete, respJSON.CanSoftDelete)
assert.EqualValues(t, contentHistory.ID, respJSON.HistoryID)
assert.EqualValues(t, contentHistory.ID-1, respJSON.PrevHistoryID)
}
t.Run("Anonymous", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCase(t, emptyTestSession(t), false)
})
t.Run("Another user", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCase(t, loginUser(t, "user8"), false)
})
t.Run("Repo owner", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCase(t, loginUser(t, "user2"), true)
})
t.Run("Poster", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCase(t, loginUser(t, "user5"), true)
})
}