test/gitea-mirror
1
0
Fork 0
mirror of https://gitea.com/gitea/gitea-mirror.git synced 2026-03-20 03:40:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix release draft access check logic (#36720)

Browse Source 
1. remove hasRepoWriteScope to avoid abuse
2. clarify "ctx.Written" behavior
3. merge "read-only" tests to slightly improve performance
This commit is contained in:
wxiaoguang
2026-02-26 04:59:29 +08:00
committed by GitHub
parent 9ae28b6f39
commit 840cf68c3e
4 changed files with 38 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tests/integration/api_releases_attachment_test.go
View File

@@ -15,16 +15,13 @@ import (
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert"
)
func TestAPIEditReleaseAttachmentWithUnallowedFile(t *testing.T) {
func testAPIEditReleaseAttachmentWithUnallowedFile(t *testing.T) {
// Limit the allowed release types (since by default there is no restriction)
defer test.MockVariableValue(&setting.Repository.Release.AllowedTypes, ".exe")()
defer tests.PrepareTestEnv(t)()
attachment := unittest.AssertExistsAndLoadBean(t, &repo_model.Attachment{ID: 9})
release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: attachment.ReleaseID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: attachment.RepoID})
@@ -42,9 +39,7 @@ func TestAPIEditReleaseAttachmentWithUnallowedFile(t *testing.T) {
session.MakeRequest(t, req, http.StatusUnprocessableEntity)
}
func TestAPIDraftReleaseAttachmentAccess(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIDraftReleaseAttachmentAccess(t *testing.T) {
attachment := unittest.AssertExistsAndLoadBean(t, &repo_model.Attachment{ID: 13})
release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: attachment.ReleaseID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: attachment.RepoID})

32
tests/integration/api_releases_test.go
View File

@@ -29,9 +29,19 @@ import (
"github.com/stretchr/testify/assert"
)
func TestAPIListReleasesWithWriteToken(t *testing.T) {
func TestAPIReleaseRead(t *testing.T) {
defer tests.PrepareTestEnv(t)()
t.Run("DraftReleaseAttachmentAccess", testAPIDraftReleaseAttachmentAccess)
t.Run("ListReleasesWithWriteToken", testAPIListReleasesWithWriteToken)
t.Run("ListReleasesWithReadToken", testAPIListReleasesWithReadToken)
t.Run("GetDraftRelease", testAPIGetDraftRelease)
t.Run("GetLatestRelease", testAPIGetLatestRelease)
t.Run("GetReleaseByTag", testAPIGetReleaseByTag)
t.Run("GetDraftReleaseByTag", testAPIGetDraftReleaseByTag)
t.Run("EditReleaseAttachmentWithUnallowedFile", testAPIEditReleaseAttachmentWithUnallowedFile) // failed attempt, so it is also a read test
}
func testAPIListReleasesWithWriteToken(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
token := getUserToken(t, user2.LowerName, auth_model.AccessTokenScopeWriteRepository)
@@ -81,9 +91,7 @@ func TestAPIListReleasesWithWriteToken(t *testing.T) {
testFilterByLen(true, url.Values{"draft": {"true"}, "pre-release": {"true"}}, 0, "there is no pre-release draft")
}
func TestAPIListReleasesWithReadToken(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIListReleasesWithReadToken(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
token := getUserToken(t, user2.LowerName, auth_model.AccessTokenScopeReadRepository)
@@ -129,9 +137,7 @@ func TestAPIListReleasesWithReadToken(t *testing.T) {
testFilterByLen(true, url.Values{"draft": {"true"}, "pre-release": {"true"}}, 0, "there is no pre-release draft")
}
func TestAPIGetDraftRelease(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIGetDraftRelease(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
release := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{ID: 4})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
@@ -300,9 +306,7 @@ func TestAPICreateReleaseGivenInvalidTarget(t *testing.T) {
MakeRequest(t, req, http.StatusNotFound)
}
func TestAPIGetLatestRelease(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIGetLatestRelease(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
@@ -315,9 +319,7 @@ func TestAPIGetLatestRelease(t *testing.T) {
assert.Equal(t, "testing-release", release.Title)
}
func TestAPIGetReleaseByTag(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIGetReleaseByTag(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
@@ -341,9 +343,7 @@ func TestAPIGetReleaseByTag(t *testing.T) {
assert.NotEmpty(t, err.Message)
}
func TestAPIGetDraftReleaseByTag(t *testing.T) {
defer tests.PrepareTestEnv(t)()
func testAPIGetDraftReleaseByTag(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})