1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-25 08:59:31 -05:00

fix: require code permissions for branch feed

- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.

(cherry picked from commit 3e3ef76808)
This commit is contained in:
Gusted 2024-11-02 17:41:34 +01:00 committed by Earl Warren
parent 36300be94e
commit 6c75d1a504
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
6 changed files with 150 additions and 2 deletions

View file

@ -1562,8 +1562,10 @@ func registerRoutes(m *web.Route) {
m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick) m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
}, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader) }, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
m.Get("/rss/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("rss")) m.Group("", func() {
m.Get("/atom/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("atom")) m.Get("/rss/branch/*", feed.RenderBranchFeed("rss"))
m.Get("/atom/branch/*", feed.RenderBranchFeed("atom"))
}, repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), reqRepoCodeReader, feedEnabled)
m.Group("/src", func() { m.Group("/src", func() {
m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home) m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)

View file

@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
}) })
}) })
}) })
t.Run("View permission", func(t *testing.T) {
t.Run("Anomynous", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
MakeRequest(t, req, http.StatusNotFound)
})
t.Run("No code permission", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user8")
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
session.MakeRequest(t, req, http.StatusNotFound)
})
t.Run("With code permission", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, "user9")
req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
session.MakeRequest(t, req, http.StatusOK)
})
})
} }

View file

@ -0,0 +1,21 @@
-
id: 1001
org_id: 3
lower_name: no_code
name: no_code
authorize: 1 # read
num_repos: 1
num_members: 1
includes_all_repositories: false
can_create_org_repo: false
-
id: 1002
org_id: 3
lower_name: read_code
name: no_code
authorize: 1 # read
num_repos: 1
num_members: 1
includes_all_repositories: false
can_create_org_repo: false

View file

@ -0,0 +1,11 @@
-
id: 1001
org_id: 3
team_id: 1001
repo_id: 3
-
id: 1002
org_id: 3
team_id: 1002
repo_id: 3

View file

@ -0,0 +1,83 @@
-
id: 1001
team_id: 1001
type: 1
access_mode: 0
-
id: 1002
team_id: 1001
type: 2
access_mode: 1
-
id: 1003
team_id: 1001
type: 3
access_mode: 1
-
id: 1004
team_id: 1001
type: 4
access_mode: 1
-
id: 1005
team_id: 1001
type: 5
access_mode: 1
-
id: 1006
team_id: 1001
type: 6
access_mode: 1
-
id: 1007
team_id: 1001
type: 7
access_mode: 1
-
id: 1008
team_id: 1002
type: 1
access_mode: 1
-
id: 1009
team_id: 1002
type: 2
access_mode: 1
-
id: 1010
team_id: 1002
type: 3
access_mode: 1
-
id: 1011
team_id: 1002
type: 4
access_mode: 1
-
id: 1012
team_id: 1002
type: 5
access_mode: 1
-
id: 1013
team_id: 1002
type: 6
access_mode: 1
-
id: 1014
team_id: 1002
type: 7
access_mode: 1

View file

@ -0,0 +1,11 @@
-
id: 1001
org_id: 3
team_id: 1001
uid: 8
-
id: 1002
org_id: 3
team_id: 1002
uid: 9