
fix: consider issues in repository accessible via `access` table (#7270)

- Consider the following scenario: a private repository in an organization with a team that has no specific access to that repository. Members of that team are still able to visit the repository because of entries in the `access` table.
- Consider this specific scenario for the gathering of issues for project tables.
- Unit test added
- Resolves forgejo/forgejo#7217
- Ref: forgejo/forgejo#6843

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7270
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

authored by

Gusted
Gusted
and committed by
0ko
72ee7f3b 2cd9872b

+92
+5
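--- a/models/fixtures/TestPrivateRepoProjects/access.yml
+++ b/models/fixtures/TestPrivateRepoProjects/access.yml
@@ -0,0 +1,5 @@
+-
+  id: 1001
+  user_id: 29
+  repo_id: 3
+  mode: 1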
+11
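--- a/models/fixtures/TestPrivateRepoProjects/project.yml
+++ b/models/fixtures/TestPrivateRepoProjects/project.yml
@@ -0,0 +1,11 @@
+-
+  id: 1001
+  title: Org project that contains private issues
+  owner_id: 3
+  repo_id: 0
+  is_closed: false
+  creator_id: 2
+  board_type: 1
+  type: 3
+  created_unix: 1738000000
+  updated_unix: 1738000000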
+8
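--- a/models/fixtures/TestPrivateRepoProjects/project_board.yml
+++ b/models/fixtures/TestPrivateRepoProjects/project_board.yml
@@ -0,0 +1,8 @@
+-
+  id: 1001
+  project_id: 1001
+  title: Triage
+  creator_id: 2
+  default: true
+  created_unix: 1738000000
+  updated_unix: 1738000000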
+11
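--- a/models/fixtures/TestPrivateRepoProjects/project_issue.yml
+++ b/models/fixtures/TestPrivateRepoProjects/project_issue.yml
@@ -0,0 +1,11 @@
+-
+  id: 1001
+  issue_id: 6
+  project_id: 1001
+  project_board_id: 1001
+
+-
+  id: 1002
+  issue_id: 15
+  project_id: 1001
+  project_board_id: 1001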
+54
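--- a/models/issues/issue_project_test.go
+++ b/models/issues/issue_project_test.go
@@ -117,3 +117,57 @@
 		})
 	})
 }
+
+func TestPrivateRepoProjects(t *testing.T) {
+	defer tests.AddFixtures("models/fixtures/TestPrivateRepoProjects/")()
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	org := unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 3})
+	orgProject := unittest.AssertExistsAndLoadBean(t, &project.Project{ID: 1001, OwnerID: org.ID})
+	column := unittest.AssertExistsAndLoadBean(t, &project.Column{ID: 1001, ProjectID: orgProject.ID})
+
+	t.Run("Partial access", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		user29 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29})
+
+		issueList, err := issues.LoadIssuesFromColumn(db.DefaultContext, column, user29, org, optional.None[bool]())
+		require.NoError(t, err)
+		assert.Len(t, issueList, 1)
+		assert.EqualValues(t, 6, issueList[0].ID)
+
+		issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, orgProject, user29, org, optional.None[bool]())
+		require.NoError(t, err)
+		assert.EqualValues(t, 1, issuesNum)
+
+		issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user29, org, optional.Some(true))
+		require.NoError(t, err)
+		assert.EqualValues(t, 0, issuesNum)
+
+		issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user29, org, optional.Some(false))
+		require.NoError(t, err)
+		assert.EqualValues(t, 1, issuesNum)
+	})
+
+	t.Run("Full access", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+
+		issueList, err := issues.LoadIssuesFromColumn(db.DefaultContext, column, user2, org, optional.None[bool]())
+		require.NoError(t, err)
+		assert.Len(t, issueList, 2)
+		assert.EqualValues(t, 15, issueList[0].ID)
+		assert.EqualValues(t, 6, issueList[1].ID)
+
+		issuesNum, err := issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.None[bool]())
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, issuesNum)
+
+		issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.Some(true))
+		require.NoError(t, err)
+		assert.EqualValues(t, 0, issuesNum)
+
+		issuesNum, err = issues.NumIssuesInProject(db.DefaultContext, orgProject, user2, org, optional.Some(false))
+		require.NoError(t, err)
+		assert.EqualValues(t, 2, issuesNum)
+	})
+}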
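Review bot: Nothing in `TestPrivateRepoProjects` says why user 29 is expected to see issue 6 but not issue 15, so a reader has to cross-reference the fixture files to follow the access-control assertion. A short comment above the "Partial access" subtest would help, for example `// user 29 only has an access row (mode 1) for repo 3; issue 15 is presumably in a repo they cannot read — confirm against the issue fixtures`. It may also be worth adding a subtest for an organization member with no `access` row for any repository in the project, asserting that no private issue is returned or counted, so that the condition added in issue_search.go cannot widen visibility unnoticed.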
+3
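--- a/models/issues/issue_search.go
+++ b/models/issues/issue_search.go
@@ -341,6 +341,9 @@
 				builder.Or(
 					repo_model.UserOrgUnitRepoCond(repoIDstr, userID, org.ID, unitType), // team member repos
 					repo_model.UserOrgPublicUnitRepoCond(userID, org.ID), // user org public non-member repos, TODO: check repo has issues
+					builder.And(
+						builder.In("issue.repo_id", builder.Select("id").From("repository").Where(builder.Eq{"owner_id": org.ID})),
+						repo_model.UserAccessRepoCond(repoIDstr, userID)), // user can access org repo in a unit independent way
 				),
 			)
 		}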
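Review bot: On new line 345 the subquery is keyed on the literal `"issue.repo_id"`, while line 342 and the very next line take the column from the caller-supplied `repoIDstr`; if a caller ever passes a different column, the two halves of this `builder.And` would filter on different columns. Writing `builder.In(repoIDstr, builder.Select("id").From("repository").Where(builder.Eq{"owner_id": org.ID})),` keeps them aligned. Separately, this branch does not take `unitType`, unlike the condition on line 342, so it is worth confirming that an `access` row which exists only because of a team restricted to other units cannot expose issues or pull requests through it; the added test covers only a `mode: 1` row. The enclosing function starts and ends outside the hunk.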