mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-06-04 05:40:13 +00:00
747be949a1
- Ensure that the doer and blocked user cannot add each other as collaborators to repositories. - The Web UI gets an detailed message of the specific situation, the API gets an generic Forbidden code. - Unit tests has been added. - Integration testing for Web and API has been added. - This commit doesn't introduce removing each other as collaborators on the block action, due to the complexity of database calls that needs to be figured out. That deserves its own commit and test code.
307 lines
11 KiB
Go
307 lines
11 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package repository
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"code.gitea.io/gitea/models/db"
|
|
"code.gitea.io/gitea/models/organization"
|
|
perm_model "code.gitea.io/gitea/models/perm"
|
|
access_model "code.gitea.io/gitea/models/perm/access"
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
|
"code.gitea.io/gitea/models/unit"
|
|
"code.gitea.io/gitea/models/unittest"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestRepository_AddCollaborator(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
testSuccess := func(repoID, userID int64) {
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
|
|
assert.NoError(t, repo.LoadOwner(db.DefaultContext))
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
|
|
assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
|
|
unittest.CheckConsistencyFor(t, &repo_model.Repository{ID: repoID}, &user_model.User{ID: userID})
|
|
}
|
|
testSuccess(1, 4)
|
|
testSuccess(1, 4)
|
|
testSuccess(3, 4)
|
|
}
|
|
|
|
func TestRepository_AddCollaborator_IsBlocked(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
testSuccess := func(repoID, userID int64) {
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: repoID})
|
|
assert.NoError(t, repo.LoadOwner(db.DefaultContext))
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: userID})
|
|
|
|
// Owner blocked user.
|
|
unittest.AssertSuccessfulInsert(t, &user_model.BlockedUser{UserID: repo.OwnerID, BlockID: userID})
|
|
assert.ErrorIs(t, AddCollaborator(db.DefaultContext, repo, user), user_model.ErrBlockedByUser)
|
|
unittest.CheckConsistencyFor(t, &repo_model.Repository{ID: repoID}, &user_model.User{ID: userID})
|
|
_, err := db.DeleteByBean(db.DefaultContext, &user_model.BlockedUser{UserID: repo.OwnerID, BlockID: userID})
|
|
assert.NoError(t, err)
|
|
|
|
// User has owner blocked.
|
|
unittest.AssertSuccessfulInsert(t, &user_model.BlockedUser{UserID: userID, BlockID: repo.OwnerID})
|
|
assert.ErrorIs(t, AddCollaborator(db.DefaultContext, repo, user), user_model.ErrBlockedByUser)
|
|
unittest.CheckConsistencyFor(t, &repo_model.Repository{ID: repoID}, &user_model.User{ID: userID})
|
|
}
|
|
// Ensure idempotency (public repository).
|
|
testSuccess(1, 4)
|
|
testSuccess(1, 4)
|
|
// Add collaborator to private repository.
|
|
testSuccess(3, 4)
|
|
}
|
|
|
|
func TestRepoPermissionPublicNonOrgRepo(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
// public non-organization repo
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
|
|
assert.NoError(t, repo.LoadUnits(db.DefaultContext))
|
|
|
|
// plain user
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
perm, err := access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// change to collaborator
|
|
assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// collaborator
|
|
collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, collaborator)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// owner
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, owner)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// admin
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, admin)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
}
|
|
|
|
func TestRepoPermissionPrivateNonOrgRepo(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
// private non-organization repo
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
|
|
assert.NoError(t, repo.LoadUnits(db.DefaultContext))
|
|
|
|
// plain user
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
|
perm, err := access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.False(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// change to collaborator to default write access
|
|
assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
assert.NoError(t, repo_model.ChangeCollaborationAccessMode(db.DefaultContext, repo, user.ID, perm_model.AccessModeRead))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// owner
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, owner)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// admin
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, admin)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
}
|
|
|
|
func TestRepoPermissionPublicOrgRepo(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
// public organization repo
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 32})
|
|
assert.NoError(t, repo.LoadUnits(db.DefaultContext))
|
|
|
|
// plain user
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
|
perm, err := access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// change to collaborator to default write access
|
|
assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
assert.NoError(t, repo_model.ChangeCollaborationAccessMode(db.DefaultContext, repo, user.ID, perm_model.AccessModeRead))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// org member team owner
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, owner)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// org member team tester
|
|
member := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 15})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, member)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
}
|
|
assert.True(t, perm.CanWrite(unit.TypeIssues))
|
|
assert.False(t, perm.CanWrite(unit.TypeCode))
|
|
|
|
// admin
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, admin)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
}
|
|
|
|
func TestRepoPermissionPrivateOrgRepo(t *testing.T) {
|
|
assert.NoError(t, unittest.PrepareTestDatabase())
|
|
|
|
// private organization repo
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 24})
|
|
assert.NoError(t, repo.LoadUnits(db.DefaultContext))
|
|
|
|
// plain user
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
|
perm, err := access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.False(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// change to collaborator to default write access
|
|
assert.NoError(t, AddCollaborator(db.DefaultContext, repo, user))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
assert.NoError(t, repo_model.ChangeCollaborationAccessMode(db.DefaultContext, repo, user.ID, perm_model.AccessModeRead))
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, user)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.False(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// org member team owner
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 15})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, owner)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// update team information and then check permission
|
|
team := unittest.AssertExistsAndLoadBean(t, &organization.Team{ID: 5})
|
|
err = organization.UpdateTeamUnits(team, nil)
|
|
assert.NoError(t, err)
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, owner)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
|
|
// org member team tester
|
|
tester := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, tester)
|
|
assert.NoError(t, err)
|
|
assert.True(t, perm.CanWrite(unit.TypeIssues))
|
|
assert.False(t, perm.CanWrite(unit.TypeCode))
|
|
assert.False(t, perm.CanRead(unit.TypeCode))
|
|
|
|
// org member team reviewer
|
|
reviewer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 20})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, reviewer)
|
|
assert.NoError(t, err)
|
|
assert.False(t, perm.CanRead(unit.TypeIssues))
|
|
assert.False(t, perm.CanWrite(unit.TypeCode))
|
|
assert.True(t, perm.CanRead(unit.TypeCode))
|
|
|
|
// admin
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
perm, err = access_model.GetUserRepoPermission(db.DefaultContext, repo, admin)
|
|
assert.NoError(t, err)
|
|
for _, unit := range repo.Units {
|
|
assert.True(t, perm.CanRead(unit.Type))
|
|
assert.True(t, perm.CanWrite(unit.Type))
|
|
}
|
|
}
|