loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge pull request 'fix: check read permissions for code owner review requests' (#5996) from gusted/forgejo-codeowners into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5996
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>

Gusted e31090cf 2cc32787

+45 -1
+7 -1
services/issue/pull.go
··· 10 10 11 11 issues_model "code.gitea.io/gitea/models/issues" 12 12 org_model "code.gitea.io/gitea/models/organization" 13 + access_model "code.gitea.io/gitea/models/perm/access" 14 + "code.gitea.io/gitea/models/unit" 13 15 user_model "code.gitea.io/gitea/models/user" 14 16 "code.gitea.io/gitea/modules/git" 15 17 "code.gitea.io/gitea/modules/gitrepo" ··· 117 119 } 118 120 119 121 for _, u := range uniqUsers { 120 - if u.ID != issue.Poster.ID { 122 + permission, err := access_model.GetUserRepoPermission(ctx, issue.Repo, u) 123 + if err != nil { 124 + return nil, fmt.Errorf("GetUserRepoPermission: %w", err) 125 + } 126 + if u.ID != issue.Poster.ID && permission.CanRead(unit.TypePullRequests) { 121 127 comment, err := issues_model.AddReviewRequest(ctx, issue, u, issue.Poster) 122 128 if err != nil { 123 129 log.Warn("Failed add assignee user: %s to PR review: %s#%d, error: %s", u.Name, pr.BaseRepo.Name, pr.ID, err)
+38
tests/integration/codeowner_test.go
··· 14 14 "testing" 15 15 "time" 16 16 17 + "code.gitea.io/gitea/models/db" 17 18 issues_model "code.gitea.io/gitea/models/issues" 18 19 repo_model "code.gitea.io/gitea/models/repo" 19 20 unit_model "code.gitea.io/gitea/models/unit" ··· 158 159 159 160 pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{BaseRepoID: repo.ID, HeadBranch: "branch"}) 160 161 unittest.AssertExistsIf(t, true, &issues_model.Review{IssueID: pr.IssueID, Type: issues_model.ReviewTypeRequest, ReviewerID: 4}) 162 + }) 163 + 164 + t.Run("Codeowner user with no permission", func(t *testing.T) { 165 + defer tests.PrintCurrentTest(t)() 166 + 167 + // Make repository private, only user2 (owner of repository) has now access to this repository. 168 + repo.IsPrivate = true 169 + _, err := db.GetEngine(db.DefaultContext).Cols("is_private").Update(repo) 170 + require.NoError(t, err) 171 + 172 + err = os.WriteFile(path.Join(dstPath, "README.md"), []byte("## very senstive info"), 0o666) 173 + require.NoError(t, err) 174 + 175 + err = git.AddChanges(dstPath, true) 176 + require.NoError(t, err) 177 + 178 + err = git.CommitChanges(dstPath, git.CommitChangesOptions{ 179 + Committer: &git.Signature{ 180 + Email: "user2@example.com", 181 + Name: "user2", 182 + When: time.Now(), 183 + }, 184 + Author: &git.Signature{ 185 + Email: "user2@example.com", 186 + Name: "user2", 187 + When: time.Now(), 188 + }, 189 + Message: "Add secrets to the README.", 190 + }) 191 + require.NoError(t, err) 192 + 193 + err = git.NewCommand(git.DefaultContext, "push", "origin", "HEAD:refs/for/main", "-o", "topic=codeowner-private").Run(&git.RunOpts{Dir: dstPath}) 194 + require.NoError(t, err) 195 + 196 + // In CODEOWNERS file the codeowner for README.md is user5, but does not have access to this private repository. 197 + pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{BaseRepoID: repo.ID, HeadBranch: "user2/codeowner-private"}) 198 + unittest.AssertExistsIf(t, false, &issues_model.Review{IssueID: pr.IssueID, Type: issues_model.ReviewTypeRequest, ReviewerID: 5}) 161 199 }) 162 200 }) 163 201 }