From 3e3ef76808100cb1c853378733d0f6a910324ac6 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Sat, 2 Nov 2024 17:41:34 +0100
Subject: [PATCH] fix: require code permissions for branch feed
- The RSS and atom feed for branches exposes details about the code, it therefore should be guarded by the requirement that the doer has access to the code of that repository.
- Added integration testing.
---
 routers/web/web.go | 6 +-
 tests/integration/api_feed_user_test.go | 20 +++++
 tests/integration/fixtures/TestFeed/team.yml | 21 +++++
 .../fixtures/TestFeed/team_repo.yml | 11 +++
 .../fixtures/TestFeed/team_unit.yml | 83 +++++++++++++++++++
 .../fixtures/TestFeed/team_user.yml | 11 +++
 6 files changed, 150 insertions(+), 2 deletions(-)
 create mode 100644 tests/integration/fixtures/TestFeed/team.yml
 create mode 100644 tests/integration/fixtures/TestFeed/team_repo.yml
 create mode 100644 tests/integration/fixtures/TestFeed/team_unit.yml
 create mode 100644 tests/integration/fixtures/TestFeed/team_user.yml
diff --git a/routers/web/web.go b/routers/web/web.go
index 34880bdda1..ecdd5d8d92 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1562,8 +1562,10 @@ func registerRoutes(m *web.Route) {
 m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
 }, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
- m.Get("/rss/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("rss"))
- m.Get("/atom/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("atom"))
+ m.Group("", func() {
+ m.Get("/rss/branch/*", feed.RenderBranchFeed("rss"))
+ m.Get("/atom/branch/*", feed.RenderBranchFeed("atom"))
+ }, repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), reqRepoCodeReader, feedEnabled)
 m.Group("/src", func() {
 m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)
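Review bot: In the new group's middleware list `reqRepoCodeReader` comes after `context.RepoRefByType(context.RepoRefBranch)`, so the branch ref is resolved before the caller's code permission is checked. If the two middlewares respond differently for a missing branch and for a denied caller, a user without code access could still learn which branch names exist; the order mirrors the `context.RepoRef(), reqRepoCodeReader` pair in the group above, so this hinges on both paths yielding the same 404, which the new tests only confirm for an existing branch. If `reqRepoCodeReader` needs only the repository permission that is already loaded, the safer order is `}, repo.MustBeNotEmpty, reqRepoCodeReader, context.RepoRefByType(context.RepoRefBranch), feedEnabled)`. A short comment on the group line, `// Branch feeds render commit data; gate them with code-unit read access like the code routes above.`, would record why the check is required. registerRoutes starts and ends outside the hunk.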
diff --git a/tests/integration/api_feed_user_test.go b/tests/integration/api_feed_user_test.go
index 3fa9b86150..e0e5faed1b 100644
--- a/tests/integration/api_feed_user_test.go
+++ b/tests/integration/api_feed_user_test.go
@@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
 })
 })
 })
+
+ t.Run("View permission", func(t *testing.T) {
+ t.Run("Anomynous", func(t *testing.T) {
+ defer tests.PrintCurrentTest(t)()
+ req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+ MakeRequest(t, req, http.StatusNotFound)
+ })
+ t.Run("No code permission", func(t *testing.T) {
+ defer tests.PrintCurrentTest(t)()
+ session := loginUser(t, "user8")
+ req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+ session.MakeRequest(t, req, http.StatusNotFound)
+ })
+ t.Run("With code permission", func(t *testing.T) {
+ defer tests.PrintCurrentTest(t)()
+ session := loginUser(t, "user9")
+ req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+ session.MakeRequest(t, req, http.StatusOK)
+ })
+ })
 }
diff --git a/tests/integration/fixtures/TestFeed/team.yml b/tests/integration/fixtures/TestFeed/team.yml
new file mode 100644
index 0000000000..da27ac7c0c
--- /dev/null
+++ b/tests/integration/fixtures/TestFeed/team.yml
@@ -0,0 +1,21 @@
+-
+ id: 1001
+ org_id: 3
+ lower_name: no_code
+ name: no_code
+ authorize: 1 # read
+ num_repos: 1
+ num_members: 1
+ includes_all_repositories: false
+ can_create_org_repo: false
+
+-
+ id: 1002
+ org_id: 3
+ lower_name: read_code
+ name: no_code
+ authorize: 1 # read
+ num_repos: 1
+ num_members: 1
+ includes_all_repositories: false
+ can_create_org_repo: false
diff --git a/tests/integration/fixtures/TestFeed/team_repo.yml b/tests/integration/fixtures/TestFeed/team_repo.yml
new file mode 100644
index 0000000000..922d1ef51e
--- /dev/null
+++ b/tests/integration/fixtures/TestFeed/team_repo.yml
@@ -0,0 +1,11 @@
+-
+ id: 1001
+ org_id: 3
+ team_id: 1001
+ repo_id: 3
+
+-
+ id: 1002
+ org_id: 3
+ team_id: 1002
+ repo_id: 3
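Review bot: The three new subtests request only `/org3/repo3/rss/branch/master`, while the commit also moves `/atom/branch/*` under the same guard; one more request against `/org3/repo3/atom/branch/master` (404 for user8, 200 for user9) would pin both routes and catch a later split of the group. The subtest name `"Anomynous"` is misspelled; `t.Run("Anonymous", func(t *testing.T) {`. The two negative cases assert 404 rather than 403, which is presumably deliberate so the feed does not confirm what the caller cannot see; a comment such as `// Missing code access is reported as 404, matching the other code routes, so the response reveals nothing about the repository.` would make that expectation explicit for the next reader. TestFeed starts outside the hunk.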
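Review bot: The second team fixture has `lower_name: read_code` but `name: no_code`, so the two fields disagree; it should read `name: read_code`. With the mismatch, anything that lists or matches teams by `name` would show both as no_code, which makes a failing permission test harder to read. The `# read` annotation on `authorize: 1` is helpful and worth keeping.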
diff --git a/tests/integration/fixtures/TestFeed/team_unit.yml b/tests/integration/fixtures/TestFeed/team_unit.yml
new file mode 100644
index 0000000000..9fcb4396dc
--- /dev/null
+++ b/tests/integration/fixtures/TestFeed/team_unit.yml
@@ -0,0 +1,83 @@
+-
+ id: 1001
+ team_id: 1001
+ type: 1
+ access_mode: 0
+
+-
+ id: 1002
+ team_id: 1001
+ type: 2
+ access_mode: 1
+
+-
+ id: 1003
+ team_id: 1001
+ type: 3
+ access_mode: 1
+
+-
+ id: 1004
+ team_id: 1001
+ type: 4
+ access_mode: 1
+
+-
+ id: 1005
+ team_id: 1001
+ type: 5
+ access_mode: 1
+
+-
+ id: 1006
+ team_id: 1001
+ type: 6
+ access_mode: 1
+
+-
+ id: 1007
+ team_id: 1001
+ type: 7
+ access_mode: 1
+
+-
+ id: 1008
+ team_id: 1002
+ type: 1
+ access_mode: 1
+
+-
+ id: 1009
+ team_id: 1002
+ type: 2
+ access_mode: 1
+
+-
+ id: 1010
+ team_id: 1002
+ type: 3
+ access_mode: 1
+
+-
+ id: 1011
+ team_id: 1002
+ type: 4
+ access_mode: 1
+
+-
+ id: 1012
+ team_id: 1002
+ type: 5
+ access_mode: 1
+
+-
+ id: 1013
+ team_id: 1002
+ type: 6
+ access_mode: 1
+
+-
+ id: 1014
+ team_id: 1002
+ type: 7
+ access_mode: 1
diff --git a/tests/integration/fixtures/TestFeed/team_user.yml b/tests/integration/fixtures/TestFeed/team_user.yml
new file mode 100644
index 0000000000..15fa3ebb1d
--- /dev/null
+++ b/tests/integration/fixtures/TestFeed/team_user.yml
@@ -0,0 +1,11 @@
+-
+ id: 1001
+ org_id: 3
+ team_id: 1001
+ uid: 8
+
+-
+ id: 1002
+ org_id: 3
+ team_id: 1002
+ uid: 9
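Review bot: The only row that differs between the two teams is id 1001 (`team_id: 1001`, `type: 1`, `access_mode: 0`), and nothing in the file says which unit `type: 1` is or that `access_mode: 0` means no access; a reader has to infer it from the test names. In the `authorize: 1 # read` style used by team.yml, annotate the two distinguishing rows, e.g. `access_mode: 0 # code unit: none` on id 1001 and `access_mode: 1 # code unit: read` on id 1008, assuming type 1 is indeed the code unit the test relies on.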