diff --git a/integrations/org_test.go b/integrations/org_test.go index ee61aae6f5..ac234de650 100644 --- a/integrations/org_test.go +++ b/integrations/org_test.go @@ -5,10 +5,12 @@ package integrations import ( + "fmt" "net/http" "strings" "testing" + api "code.gitea.io/gitea/modules/structs" "github.com/stretchr/testify/assert" ) @@ -110,3 +112,64 @@ func TestPrivateOrg(t *testing.T) { req = NewRequest(t, "GET", "/privated_org/private_repo_on_private_org") session.MakeRequest(t, req, http.StatusOK) } + +func TestOrgRestrictedUser(t *testing.T) { + defer prepareTestEnv(t)() + + // privated_org is a private org who has id 23 + orgName := "privated_org" + + // public_repo_on_private_org is a public repo on privated_org + repoName := "public_repo_on_private_org" + + // user29 is a restricted user who is not a member of the organization + restrictedUser := "user29" + + // #17003 reports a bug whereby adding a restricted user to a read-only team doesn't work + + // assert restrictedUser cannot see the org or the public repo + restrictedSession := loginUser(t, restrictedUser) + req := NewRequest(t, "GET", fmt.Sprintf("/%s", orgName)) + restrictedSession.MakeRequest(t, req, http.StatusNotFound) + + req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s", orgName, repoName)) + restrictedSession.MakeRequest(t, req, http.StatusNotFound) + + // Therefore create a read-only team + adminSession := loginUser(t, "user1") + token := getTokenForLoggedInUser(t, adminSession) + + teamToCreate := &api.CreateTeamOption{ + Name: "codereader", + Description: "Code Reader", + IncludesAllRepositories: true, + Permission: "read", + Units: []string{"repo.code"}, + } + + req = NewRequestWithJSON(t, "POST", + fmt.Sprintf("/api/v1/orgs/%s/teams?token=%s", orgName, token), teamToCreate) + + var apiTeam api.Team + + resp := adminSession.MakeRequest(t, req, http.StatusCreated) + DecodeJSON(t, resp, &apiTeam) + checkTeamResponse(t, &apiTeam, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories, + teamToCreate.Permission, teamToCreate.Units) + checkTeamBean(t, apiTeam.ID, teamToCreate.Name, teamToCreate.Description, teamToCreate.IncludesAllRepositories, + teamToCreate.Permission, teamToCreate.Units) + //teamID := apiTeam.ID + + // Now we need to add the restricted user to the team + req = NewRequest(t, "PUT", + fmt.Sprintf("/api/v1/teams/%d/members/%s?token=%s", apiTeam.ID, restrictedUser, token)) + _ = adminSession.MakeRequest(t, req, http.StatusNoContent) + + // Now we need to check if the restrictedUser can access the repo + req = NewRequest(t, "GET", fmt.Sprintf("/%s", orgName)) + restrictedSession.MakeRequest(t, req, http.StatusOK) + + req = NewRequest(t, "GET", fmt.Sprintf("/%s/%s", orgName, repoName)) + restrictedSession.MakeRequest(t, req, http.StatusOK) + +} diff --git a/models/fixtures/repository.yml b/models/fixtures/repository.yml index 6860d00b30..dc8ebecfc5 100644 --- a/models/fixtures/repository.yml +++ b/models/fixtures/repository.yml @@ -568,7 +568,7 @@ - id: 40 owner_id: 23 - owner_name: limited_org + owner_name: privated_org lower_name: public_repo_on_private_org name: public_repo_on_private_org is_private: false @@ -581,7 +581,7 @@ - id: 41 owner_id: 23 - owner_name: limited_org + owner_name: privated_org lower_name: private_repo_on_private_org name: private_repo_on_private_org is_private: true diff --git a/modules/context/repo.go b/modules/context/repo.go index 8972cd28bc..88f4d27658 100644 --- a/modules/context/repo.go +++ b/modules/context/repo.go @@ -345,7 +345,7 @@ func repoAssignment(ctx *Context, repo *models.Repository) { } // Check access. - if ctx.Repo.Permission.AccessMode == models.AccessModeNone { + if !ctx.Repo.Permission.HasAccess() { if ctx.FormString("go-get") == "1" { EarlyResponseForGoGetMeta(ctx) return diff --git a/routers/api/v1/repo/release.go b/routers/api/v1/repo/release.go index 6438c6e9b4..a600a1e33f 100644 --- a/routers/api/v1/repo/release.go +++ b/routers/api/v1/repo/release.go @@ -114,7 +114,7 @@ func ListReleases(ctx *context.APIContext) { opts := models.FindReleasesOptions{ ListOptions: listOptions, - IncludeDrafts: ctx.Repo.AccessMode >= models.AccessModeWrite, + IncludeDrafts: ctx.Repo.AccessMode >= models.AccessModeWrite || ctx.Repo.UnitAccessMode(models.UnitTypeReleases) >= models.AccessModeWrite, IncludeTags: false, IsDraft: ctx.FormOptionalBool("draft"), IsPreRelease: ctx.FormOptionalBool("pre-release"),