mirror
/
gitea
mirror of https://github.com/go-gitea/gitea
2
0
Fork 0
Code Issues Releases Wiki Activity

Fix system admin cannot fork or get private fork with API (#33401) (#33417)

Browse Source 
Backport #33401 by @lunny

Fix #33368

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
pull/33421/head
Giteabot 4 days ago committed by GitHub
parent 2674d27fb8
commit b6fd8741ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 47 additions and 13 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 16
      routers/api/v1/repo/fork.go
  2. 8
      services/repository/fork.go
  3. 33
      tests/integration/api_fork_test.go
  4. 3
      tests/integration/repo_fork_test.go

16
routers/api/v1/repo/fork.go
Unescape View File

@ -132,13 +132,15 @@ func CreateFork(ctx *context.APIContext) {
} }
return return
} }
isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID) if !ctx.Doer.IsAdmin {
if err != nil { isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)
ctx.Error(http.StatusInternalServerError, "IsOrgMember", err) if err != nil {
return ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)
} else if !isMember { return
ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name)) } else if !isMember {
return ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))
return
}
} }
forker = org.AsUser() forker = org.AsUser()
} }

8
services/repository/fork.go
Unescape View File

@ -258,9 +258,11 @@ type findForksOptions struct {
} }
func (opts findForksOptions) ToConds() builder.Cond { func (opts findForksOptions) ToConds() builder.Cond {
return builder.Eq{"fork_id": opts.RepoID}.And( cond := builder.Eq{"fork_id": opts.RepoID}
repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid), if opts.Doer != nil && opts.Doer.IsAdmin {
) return cond
}
return cond.And(repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid))
} }
// FindForks returns all the forks of the repository // FindForks returns all the forks of the repository

33
tests/integration/api_fork_test.go
Unescape View File

@ -10,6 +10,7 @@ import (
auth_model "code.gitea.io/gitea/models/auth" auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/db"
org_model "code.gitea.io/gitea/models/organization" org_model "code.gitea.io/gitea/models/organization"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unittest" "code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
@ -81,8 +82,8 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
var forks []*api.Repository var forks []*api.Repository
DecodeJSON(t, resp, &forks) DecodeJSON(t, resp, &forks)
assert.Len(t, forks, 1) assert.Len(t, forks, 2)
assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count")) assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1)) assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
@ -96,3 +97,31 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count")) assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
}) })
} }
func TestGetPrivateReposForks(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user1Sess := loginUser(t, "user1")
repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) // private repository
privateOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
user1Token := getTokenForLoggedInUser(t, user1Sess, auth_model.AccessTokenScopeWriteRepository)
forkedRepoName := "forked-repo"
// create fork from a private repository
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+repo2.FullName()+"/forks", &api.CreateForkOption{
Organization: &privateOrg.Name,
Name: &forkedRepoName,
}).AddTokenAuth(user1Token)
MakeRequest(t, req, http.StatusAccepted)
// test get a private fork without clear permissions
req = NewRequest(t, "GET", "/api/v1/repos/"+repo2.FullName()+"/forks").AddTokenAuth(user1Token)
resp := MakeRequest(t, req, http.StatusOK)
forks := []*api.Repository{}
DecodeJSON(t, resp, &forks)
assert.Len(t, forks, 1)
assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count"))
assert.EqualValues(t, "forked-repo", forks[0].Name)
assert.EqualValues(t, privateOrg.Name, forks[0].Owner.UserName)
}

3
tests/integration/repo_fork_test.go
Unescape View File

@ -118,7 +118,8 @@ func TestForkListLimitedAndPrivateRepos(t *testing.T) {
req := NewRequest(t, "GET", "/user2/repo1/forks") req := NewRequest(t, "GET", "/user2/repo1/forks")
resp := user1Sess.MakeRequest(t, req, http.StatusOK) resp := user1Sess.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body) htmlDoc := NewHTMLParser(t, resp.Body)
assert.EqualValues(t, 1, htmlDoc.Find(forkItemSelector).Length()) // since user1 is an admin, he can get both of the forked repositories
assert.EqualValues(t, 2, htmlDoc.Find(forkItemSelector).Length())
assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1)) assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
resp = user1Sess.MakeRequest(t, req, http.StatusOK) resp = user1Sess.MakeRequest(t, req, http.StatusOK)

Write Preview
Loading…
Cancel
Save