luckyimnotanigger/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-06-09 08:07:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

fix: require code permissions for branch feed

Browse source 
- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.

(cherry picked from commit 3e3ef76808)
This commit is contained in:
Gusted 2024-11-02 17:41:34 +01:00 committed by Earl Warren
parent 36300be94e
commit 6c75d1a504
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
6 changed files with 150 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

20
tests/integration/api_feed_user_test.go
View file

@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
})
})
})
t.Run("View permission", func(t *testing.T) {
t.Run("Anomynous", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
MakeRequest(t, req, http.StatusNotFound)
})
t.Run("No code permission", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user8")
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
session.MakeRequest(t, req, http.StatusNotFound)
})
t.Run("With code permission", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user9")
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
session.MakeRequest(t, req, http.StatusOK)
})
})
}