Improve permission check of packages (#23879)

At first, we have one unified team unit permission which is called `Team.Authorize` in DB. But since https://github.com/go-gitea/gitea/pull/17811, we allowed different units to have different permission. The old code is only designed for the old version. So after #17811, if org users have write permission of other units, but have no permission of packages, they can also get write permission of packages. Co-authored-by: delvh <dev.lh@web.de>
2023-04-06 23:18:29 +09:00 · 2023-04-06 23:18:29 +09:00 · bbf83f5d4b
commit bbf83f5d4b
parent 5cb394ff2f
8 changed files with 63 additions and 26 deletions
--- a/tests/integration/api_packages_test.go
+++ b/tests/integration/api_packages_test.go
@ -157,6 +157,7 @@ func TestPackageAccess(t *testing.T) {
 	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
 	inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+	privatedOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})

 	uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
 		url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
@ -170,6 +171,15 @@ func TestPackageAccess(t *testing.T) {
 	uploadPackage(inactive, user, http.StatusUnauthorized)
 	uploadPackage(admin, inactive, http.StatusCreated)
 	uploadPackage(admin, user, http.StatusCreated)
+
+	// team.authorize is write, but team_unit.access_mode is none
+	// so the user can not upload packages or get package list
+	uploadPackage(user, privatedOrg, http.StatusUnauthorized)
+
+	session := loginUser(t, user.Name)
+	tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", privatedOrg.Name, tokenReadPackage))
+	MakeRequest(t, req, http.StatusForbidden)
 }

 func TestPackageQuota(t *testing.T) {