domi/forgejo-domi
1
0
Fork 0
forked from forgejo/forgejo
Code Pull requests Activity

Fix comment permissions (#28213) (#28216)

Browse source 
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit bc3d8bff73)
This commit is contained in:
Lunny Xiao 2023-11-26 07:43:23 +08:00 committed by Earl Warren
parent 29556fafb5
commit f4310d74ee
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
39 changed files with 439 additions and 127 deletions
Download patch file Download diff file Expand all files Collapse all files

11
tests/integration/api_keys_test.go
View file

@ -72,6 +72,17 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
Content: rawKeyBody.Key,
Mode: perm.AccessModeRead,
})
// Using the ID of a key that does not belong to the repository must fail
{
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/keys/%d?token=%s", repoOwner.Name, repo.Name, newDeployKey.ID, token))
MakeRequest(t, req, http.StatusOK)
session5 := loginUser(t, "user5")
token5 := getTokenForLoggedInUser(t, session5, auth_model.AccessTokenScopeWriteRepository)
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/user5/repo4/keys/%d?token=%s", newDeployKey.ID, token5))
MakeRequest(t, req, http.StatusNotFound)
}
}
func TestCreateReadWriteDeployKey(t *testing.T) {