afan
/
gitea
ウォッチ 1
お気に入りに登録 0
フォーク 0
コード 課題 0 プルリクエスト 0 リリース 0 Wiki アクティビティ
gitea源码
2 コミット
2 ブランチ
ツリー: f5d5e77162
ブランチ タグ
${ item.name }
ブランチ ${ searchTerm } を作成
'f5d5e77162' から
${ noResults }
gitea/models/perm/access/repo_permission_test.go

repo_permission_test.go 9.2KB
履歴 Raw形式

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234 
  1. // Copyright 2024 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package access

  5. 

  6. import (

  7. 	"testing"

  8. 

  9. 	"code.gitea.io/gitea/models/db"

  10. 	"code.gitea.io/gitea/models/organization"

  11. 	perm_model "code.gitea.io/gitea/models/perm"

  12. 	repo_model "code.gitea.io/gitea/models/repo"

  13. 	"code.gitea.io/gitea/models/unit"

  14. 	"code.gitea.io/gitea/models/unittest"

  15. 	user_model "code.gitea.io/gitea/models/user"

  16. 

  17. 	"github.com/stretchr/testify/assert"

  18. 	"github.com/stretchr/testify/require"

  19. )

  20. 

  21. func TestHasAnyUnitAccess(t *testing.T) {

  22. 	perm := Permission{}

  23. 	assert.False(t, perm.HasAnyUnitAccess())

  24. 

  25. 	perm = Permission{

  26. 		units: []*repo_model.RepoUnit{{Type: unit.TypeWiki}},

  27. 	}

  28. 	assert.False(t, perm.HasAnyUnitAccess())

  29. 	assert.False(t, perm.HasAnyUnitAccessOrPublicAccess())

  30. 

  31. 	perm = Permission{

  32. 		units:              []*repo_model.RepoUnit{{Type: unit.TypeWiki}},

  33. 		everyoneAccessMode: map[unit.Type]perm_model.AccessMode{unit.TypeIssues: perm_model.AccessModeRead},

  34. 	}

  35. 	assert.False(t, perm.HasAnyUnitAccess())

  36. 	assert.True(t, perm.HasAnyUnitAccessOrPublicAccess())

  37. 

  38. 	perm = Permission{

  39. 		units:               []*repo_model.RepoUnit{{Type: unit.TypeWiki}},

  40. 		anonymousAccessMode: map[unit.Type]perm_model.AccessMode{unit.TypeIssues: perm_model.AccessModeRead},

  41. 	}

  42. 	assert.False(t, perm.HasAnyUnitAccess())

  43. 	assert.True(t, perm.HasAnyUnitAccessOrPublicAccess())

  44. 

  45. 	perm = Permission{

  46. 		AccessMode: perm_model.AccessModeRead,

  47. 		units:      []*repo_model.RepoUnit{{Type: unit.TypeWiki}},

  48. 	}

  49. 	assert.True(t, perm.HasAnyUnitAccess())

  50. 

  51. 	perm = Permission{

  52. 		unitsMode: map[unit.Type]perm_model.AccessMode{unit.TypeWiki: perm_model.AccessModeRead},

  53. 	}

  54. 	assert.True(t, perm.HasAnyUnitAccess())

  55. }

  56. 

  57. func TestApplyPublicAccessRepoPermission(t *testing.T) {

  58. 	perm := Permission{

  59. 		AccessMode: perm_model.AccessModeNone,

  60. 		units: []*repo_model.RepoUnit{

  61. 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},

  62. 		},

  63. 	}

  64. 	finalProcessRepoUnitPermission(nil, &perm)

  65. 	assert.False(t, perm.CanRead(unit.TypeWiki))

  66. 

  67. 	perm = Permission{

  68. 		AccessMode: perm_model.AccessModeNone,

  69. 		units: []*repo_model.RepoUnit{

  70. 			{Type: unit.TypeWiki, AnonymousAccessMode: perm_model.AccessModeRead},

  71. 		},

  72. 	}

  73. 	finalProcessRepoUnitPermission(nil, &perm)

  74. 	assert.True(t, perm.CanRead(unit.TypeWiki))

  75. 

  76. 	perm = Permission{

  77. 		AccessMode: perm_model.AccessModeNone,

  78. 		units: []*repo_model.RepoUnit{

  79. 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},

  80. 		},

  81. 	}

  82. 	finalProcessRepoUnitPermission(&user_model.User{ID: 0}, &perm)

  83. 	assert.False(t, perm.CanRead(unit.TypeWiki))

  84. 

  85. 	perm = Permission{

  86. 		AccessMode: perm_model.AccessModeNone,

  87. 		units: []*repo_model.RepoUnit{

  88. 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},

  89. 		},

  90. 	}

  91. 	finalProcessRepoUnitPermission(&user_model.User{ID: 1}, &perm)

  92. 	assert.True(t, perm.CanRead(unit.TypeWiki))

  93. 

  94. 	perm = Permission{

  95. 		AccessMode: perm_model.AccessModeWrite,

  96. 		units: []*repo_model.RepoUnit{

  97. 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},

  98. 		},

  99. 	}

  100. 	finalProcessRepoUnitPermission(&user_model.User{ID: 1}, &perm)

  101. 	// it should work the same as "EveryoneAccessMode: none" because the default AccessMode should be applied to units

  102. 	assert.True(t, perm.CanWrite(unit.TypeWiki))

  103. 

  104. 	perm = Permission{

  105. 		units: []*repo_model.RepoUnit{

  106. 			{Type: unit.TypeCode}, // will be removed

  107. 			{Type: unit.TypeWiki, EveryoneAccessMode: perm_model.AccessModeRead},

  108. 		},

  109. 		unitsMode: map[unit.Type]perm_model.AccessMode{

  110. 			unit.TypeWiki: perm_model.AccessModeWrite,

  111. 		},

  112. 	}

  113. 	finalProcessRepoUnitPermission(&user_model.User{ID: 1}, &perm)

  114. 	assert.True(t, perm.CanWrite(unit.TypeWiki))

  115. 	assert.Len(t, perm.units, 1)

  116. }

  117. 

  118. func TestUnitAccessMode(t *testing.T) {

  119. 	perm := Permission{

  120. 		AccessMode: perm_model.AccessModeNone,

  121. 	}

  122. 	assert.Equal(t, perm_model.AccessModeNone, perm.UnitAccessMode(unit.TypeWiki), "no unit, no map, use AccessMode")

  123. 

  124. 	perm = Permission{

  125. 		AccessMode: perm_model.AccessModeRead,

  126. 		units: []*repo_model.RepoUnit{

  127. 			{Type: unit.TypeWiki},

  128. 		},

  129. 	}

  130. 	assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "only unit, no map, use AccessMode")

  131. 

  132. 	perm = Permission{

  133. 		AccessMode: perm_model.AccessModeAdmin,

  134. 		unitsMode: map[unit.Type]perm_model.AccessMode{

  135. 			unit.TypeWiki: perm_model.AccessModeRead,

  136. 		},

  137. 	}

  138. 	assert.Equal(t, perm_model.AccessModeAdmin, perm.UnitAccessMode(unit.TypeWiki), "no unit, only map, admin overrides map")

  139. 

  140. 	perm = Permission{

  141. 		AccessMode: perm_model.AccessModeNone,

  142. 		unitsMode: map[unit.Type]perm_model.AccessMode{

  143. 			unit.TypeWiki: perm_model.AccessModeRead,

  144. 		},

  145. 	}

  146. 	assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "no unit, only map, use map")

  147. 

  148. 	perm = Permission{

  149. 		AccessMode: perm_model.AccessModeNone,

  150. 		units: []*repo_model.RepoUnit{

  151. 			{Type: unit.TypeWiki},

  152. 		},

  153. 		unitsMode: map[unit.Type]perm_model.AccessMode{

  154. 			unit.TypeWiki: perm_model.AccessModeRead,

  155. 		},

  156. 	}

  157. 	assert.Equal(t, perm_model.AccessModeRead, perm.UnitAccessMode(unit.TypeWiki), "has unit, and map, use map")

  158. }

  159. 

  160. func TestGetUserRepoPermission(t *testing.T) {

  161. 	assert.NoError(t, unittest.PrepareTestDatabase())

  162. 	ctx := t.Context()

  163. 	repo32 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 32}) // org public repo

  164. 	require.NoError(t, repo32.LoadOwner(ctx))

  165. 	require.True(t, repo32.Owner.IsOrganization())

  166. 

  167. 	require.NoError(t, db.TruncateBeans(ctx, &organization.Team{}, &organization.TeamUser{}, &organization.TeamRepo{}, &organization.TeamUnit{}))

  168. 	org := repo32.Owner

  169. 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})

  170. 	team := &organization.Team{OrgID: org.ID, LowerName: "test_team"}

  171. 	require.NoError(t, db.Insert(ctx, team))

  172. 

  173. 	t.Run("DoerInTeamWithNoRepo", func(t *testing.T) {

  174. 		require.NoError(t, db.Insert(ctx, &organization.TeamUser{OrgID: org.ID, TeamID: team.ID, UID: user.ID}))

  175. 		perm, err := GetUserRepoPermission(ctx, repo32, user)

  176. 		require.NoError(t, err)

  177. 		assert.Equal(t, perm_model.AccessModeRead, perm.AccessMode)

  178. 		assert.Nil(t, perm.unitsMode) // doer in the team, but has no access to the repo

  179. 	})

  180. 

  181. 	require.NoError(t, db.Insert(ctx, &organization.TeamRepo{OrgID: org.ID, TeamID: team.ID, RepoID: repo32.ID}))

  182. 	require.NoError(t, db.Insert(ctx, &organization.TeamUnit{OrgID: org.ID, TeamID: team.ID, Type: unit.TypeCode, AccessMode: perm_model.AccessModeNone}))

  183. 	t.Run("DoerWithTeamUnitAccessNone", func(t *testing.T) {

  184. 		perm, err := GetUserRepoPermission(ctx, repo32, user)

  185. 		require.NoError(t, err)

  186. 		assert.Equal(t, perm_model.AccessModeRead, perm.AccessMode)

  187. 		assert.Equal(t, perm_model.AccessModeRead, perm.unitsMode[unit.TypeCode])

  188. 		assert.Equal(t, perm_model.AccessModeRead, perm.unitsMode[unit.TypeIssues])

  189. 	})

  190. 

  191. 	require.NoError(t, db.TruncateBeans(ctx, &organization.TeamUnit{}))

  192. 	require.NoError(t, db.Insert(ctx, &organization.TeamUnit{OrgID: org.ID, TeamID: team.ID, Type: unit.TypeCode, AccessMode: perm_model.AccessModeWrite}))

  193. 	t.Run("DoerWithTeamUnitAccessWrite", func(t *testing.T) {

  194. 		perm, err := GetUserRepoPermission(ctx, repo32, user)

  195. 		require.NoError(t, err)

  196. 		assert.Equal(t, perm_model.AccessModeRead, perm.AccessMode)

  197. 		assert.Equal(t, perm_model.AccessModeWrite, perm.unitsMode[unit.TypeCode])

  198. 		assert.Equal(t, perm_model.AccessModeRead, perm.unitsMode[unit.TypeIssues])

  199. 	})

  200. 

  201. 	repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3}) // org private repo, same org as repo 32

  202. 	require.NoError(t, repo3.LoadOwner(ctx))

  203. 	require.True(t, repo3.Owner.IsOrganization())

  204. 	require.NoError(t, db.TruncateBeans(ctx, &organization.TeamUnit{}, &Access{})) // The user has access set of that repo, remove it, it is useless for our test

  205. 	require.NoError(t, db.Insert(ctx, &organization.TeamRepo{OrgID: org.ID, TeamID: team.ID, RepoID: repo3.ID}))

  206. 	t.Run("DoerWithNoopTeamOnPrivateRepo", func(t *testing.T) {

  207. 		perm, err := GetUserRepoPermission(ctx, repo3, user)

  208. 		require.NoError(t, err)

  209. 		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)

  210. 		assert.Equal(t, perm_model.AccessModeNone, perm.unitsMode[unit.TypeCode])

  211. 		assert.Equal(t, perm_model.AccessModeNone, perm.unitsMode[unit.TypeIssues])

  212. 	})

  213. 

  214. 	require.NoError(t, db.Insert(ctx, &organization.TeamUnit{OrgID: org.ID, TeamID: team.ID, Type: unit.TypeCode, AccessMode: perm_model.AccessModeNone}))

  215. 	require.NoError(t, db.Insert(ctx, &organization.TeamUnit{OrgID: org.ID, TeamID: team.ID, Type: unit.TypeIssues, AccessMode: perm_model.AccessModeRead}))

  216. 	t.Run("DoerWithReadIssueTeamOnPrivateRepo", func(t *testing.T) {

  217. 		perm, err := GetUserRepoPermission(ctx, repo3, user)

  218. 		require.NoError(t, err)

  219. 		assert.Equal(t, perm_model.AccessModeNone, perm.AccessMode)

  220. 		assert.Equal(t, perm_model.AccessModeNone, perm.unitsMode[unit.TypeCode])

  221. 		assert.Equal(t, perm_model.AccessModeRead, perm.unitsMode[unit.TypeIssues])

  222. 	})

  223. 

  224. 	require.NoError(t, db.Insert(ctx, repo_model.Collaboration{RepoID: repo3.ID, UserID: user.ID, Mode: perm_model.AccessModeWrite}))

  225. 	require.NoError(t, db.Insert(ctx, Access{RepoID: repo3.ID, UserID: user.ID, Mode: perm_model.AccessModeWrite}))

  226. 	t.Run("DoerWithReadIssueTeamAndWriteCollaboratorOnPrivateRepo", func(t *testing.T) {

  227. 		perm, err := GetUserRepoPermission(ctx, repo3, user)

  228. 		require.NoError(t, err)

  229. 		assert.Equal(t, perm_model.AccessModeWrite, perm.AccessMode)

  230. 		assert.Equal(t, perm_model.AccessModeWrite, perm.unitsMode[unit.TypeCode])

  231. 		assert.Equal(t, perm_model.AccessModeWrite, perm.unitsMode[unit.TypeIssues])

  232. 	})

  233. }