- fix: prevent stored XSS in user display name on Actions page - fix: LFS locks must belong to the intended repo, port from Gitea - fix: prevent unauthorized access to draft releases via API - fix: prevent writes to OpenID visibility which may affect other users - fix: prevent viewing private PRs that are linked to public issues on public projects Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13001 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Reviewed-by: Beowulf <beowulf@beocode.eu>
// Copyright 2026 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package git
import (
"fmt"
"testing"
"time"
repo_model "forgejo.org/models/repo"
"forgejo.org/models/unittest"
user_model "forgejo.org/models/user"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// createTestLock inserts an LFS lock for repo owned by owner and returns the
// stored lock. The path combines the test name, the repository ID and the
// current nanosecond timestamp so repeated calls within a test do not
// collide on the same path. The test fails immediately if CreateLFSLock
// returns an error.
func createTestLock(t *testing.T, repo *repo_model.Repository, owner *user_model.User) *LFSLock {
	t.Helper()

	lockPath := fmt.Sprintf("%s-%d-%d", t.Name(), repo.ID, time.Now().UnixNano())
	want := &LFSLock{
		OwnerID: owner.ID,
		Path:    lockPath,
	}

	created, err := CreateLFSLock(t.Context(), repo, want)
	require.NoError(t, err)

	return created
}
// TestGetLFSLockByIDAndRepo checks that a lock lookup is scoped to the
// repository it is asked about: a valid lock ID paired with the ID of a
// different repository must be reported as ErrLFSLockNotExist instead of
// returning the other repository's lock.
func TestGetLFSLockByIDAndRepo(t *testing.T) {
	require.NoError(t, unittest.PrepareTestDatabase())

	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})

	lockRepo1 := createTestLock(t, repo1, user2)
	lockRepo3 := createTestLock(t, repo3, user4)

	// Matching repository: the lock comes back as stored.
	found, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo1.ID)
	require.NoError(t, err)
	assert.Equal(t, lockRepo1.ID, found.ID)
	assert.Equal(t, repo1.ID, found.RepoID)

	// Mismatched repository in either direction: treated as non-existent.
	crossRepo := []struct {
		lockID int64
		repoID int64
	}{
		{lockRepo1.ID, repo3.ID},
		{lockRepo3.ID, repo1.ID},
	}
	for _, c := range crossRepo {
		_, lookupErr := GetLFSLockByIDAndRepo(t.Context(), c.lockID, c.repoID)
		require.Error(t, lookupErr)
		assert.True(t, IsErrLFSLockNotExist(lookupErr))
	}
}
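// TestDeleteLFSLockByIDRequiresRepoMatch checks that DeleteLFSLockByID only
// acts on locks belonging to the repository it is called with: deleting
// repo3's lock through repo1 must fail with ErrLFSLockNotExist and leave the
// lock in place, while deleting through the owning repository succeeds (with
// and without force) and the lock is no longer retrievable afterwards.
func TestDeleteLFSLockByIDRequiresRepoMatch(t *testing.T) {
	require.NoError(t, unittest.PrepareTestDatabase())

	repo1 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})

	lockRepo1 := createTestLock(t, repo1, user2)
	lockRepo3 := createTestLock(t, repo3, user4)

	// Wrong repository: rejected even with force, and the lock must survive.
	_, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo1, user2, true)
	require.Error(t, err)
	assert.True(t, IsErrLFSLockNotExist(err))

	existing, err := GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo3.ID)
	require.NoError(t, err)
	assert.Equal(t, lockRepo3.ID, existing.ID)

	// Owning repository with force: deleted, and the lock is gone afterwards.
	deleted, err := DeleteLFSLockByID(t.Context(), lockRepo3.ID, repo3, user4, true)
	require.NoError(t, err)
	assert.Equal(t, lockRepo3.ID, deleted.ID)

	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo3.ID, repo3.ID)
	require.Error(t, err)
	assert.True(t, IsErrLFSLockNotExist(err))

	// Owning repository without force, requested by the lock owner: same outcome.
	deleted, err = DeleteLFSLockByID(t.Context(), lockRepo1.ID, repo1, user2, false)
	require.NoError(t, err)
	assert.Equal(t, lockRepo1.ID, deleted.ID)

	_, err = GetLFSLockByIDAndRepo(t.Context(), lockRepo1.ID, repo1.ID)
	require.Error(t, err)
	assert.True(t, IsErrLFSLockNotExist(err))
}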