mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-07-22 17:18:33 +00:00
fix(sec): add tests for private issues on projects
- Add integration and unit tests to ensure that private issues on projects are not shown in any way, shape or form when the doer has no access to it. (cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)
This commit is contained in:
Gusted
Earl Warren
parent
913e3b536e
commit
4159529a06
6 changed files with 242 additions and 0 deletions
100
models/issues/issue_project_test.go
Normal file
100
models/issues/issue_project_test.go
Normal file
|
|
@ -0,0 +1,100 @@
|
|||
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
package issues_test
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"code.gitea.io/gitea/models/db"
|
||||
"code.gitea.io/gitea/models/issues"
|
||||
"code.gitea.io/gitea/models/organization"
|
||||
"code.gitea.io/gitea/models/project"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/modules/optional"
|
||||
"code.gitea.io/gitea/tests"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestPrivateIssueProjects(t *testing.T) {
|
||||
defer tests.AddFixtures("models/fixtures/PrivateIssueProjects/")()
|
||||
require.NoError(t, unittest.PrepareTestDatabase())
|
||||
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
t.Run("Organization project", func(t *testing.T) {
|
||||
org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
|
||||
orgProject := unittest.AssertExistsAndLoadBean(t, &project.Project{ID: 1001, OwnerID: org.ID})
|
||||
board := unittest.AssertExistsAndLoadBean(t, &project.Board{ID: 1001, ProjectID: orgProject.ID})
|
||||
|
||||
t.Run("Authenticated user", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
issueList, err := issues.LoadIssuesFromBoard(db.DefaultContext, board, user2, org, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, issueList, 1)
|
||||
assert.EqualValues(t, 6, issueList[0].ID)
|
||||
|
||||
issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 1, issuesNum)
|
||||
|
||||
issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.Some(true))
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 0, issuesNum)
|
||||
|
||||
issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.Some(false))
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 1, issuesNum)
|
||||
})
|
||||
|
||||
t.Run("Anonymous user", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
issueList, err := issues.LoadIssuesFromBoard(db.DefaultContext, board, nil, org, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, issueList)
|
||||
|
||||
issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, orgProject, nil, org, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 0, issuesNum)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("User project", func(t *testing.T) {
|
||||
userProject := unittest.AssertExistsAndLoadBean(t, &project.Project{ID: 1002, OwnerID: user2.ID})
|
||||
board := unittest.AssertExistsAndLoadBean(t, &project.Board{ID: 1002, ProjectID: userProject.ID})
|
||||
|
||||
t.Run("Authenticated user", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
issueList, err := issues.LoadIssuesFromBoard(db.DefaultContext, board, user2, nil, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, issueList, 1)
|
||||
assert.EqualValues(t, 7, issueList[0].ID)
|
||||
|
||||
issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, userProject, user2, nil, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 1, issuesNum)
|
||||
|
||||
issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, userProject, user2, nil, optional.Some(true))
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 0, issuesNum)
|
||||
|
||||
issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, userProject, user2, nil, optional.Some(false))
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 1, issuesNum)
|
||||
})
|
||||
|
||||
t.Run("Anonymous user", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
issueList, err := issues.LoadIssuesFromBoard(db.DefaultContext, board, nil, nil, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.Empty(t, issueList)
|
||||
|
||||
issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, userProject, nil, nil, optional.None[bool]())
|
||||
require.NoError(t, err)
|
||||
assert.EqualValues(t, 0, issuesNum)
|
||||
})
|
||||
})
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue