aniani/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-02-02 15:09:33 -05:00
Code

Fix system admin cannot fork or get private fork with API (#33401)

Browse Source 
Fix #33368
This commit is contained in:
Lunny Xiao 2025-01-27 08:25:14 -08:00 committed by GitHub
parent dcd3014567
commit 77d14fb6d3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 47 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
routers/api/v1/repo/fork.go
View File

@ -132,13 +132,15 @@ func CreateFork(ctx *context.APIContext) {
} }
return return
} }
isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID) if !ctx.Doer.IsAdmin {
if err != nil { isMember, err := org.IsOrgMember(ctx, ctx.Doer.ID)
ctx.Error(http.StatusInternalServerError, "IsOrgMember", err) if err != nil {
return ctx.Error(http.StatusInternalServerError, "IsOrgMember", err)
} else if !isMember { return
ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name)) } else if !isMember {
return ctx.Error(http.StatusForbidden, "isMemberNot", fmt.Sprintf("User is no Member of Organisation '%s'", org.Name))
return
}
} }
forker = org.AsUser() forker = org.AsUser()
} }

8
services/repository/fork.go
View File

@ -256,9 +256,11 @@ type findForksOptions struct {
} }
func (opts findForksOptions) ToConds() builder.Cond { func (opts findForksOptions) ToConds() builder.Cond {
return builder.Eq{"fork_id": opts.RepoID}.And( cond := builder.Eq{"fork_id": opts.RepoID}
repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid), if opts.Doer != nil && opts.Doer.IsAdmin {
) return cond
}
return cond.And(repo_model.AccessibleRepositoryCondition(opts.Doer, unit.TypeInvalid))
} }
// FindForks returns all the forks of the repository // FindForks returns all the forks of the repository

33
tests/integration/api_fork_test.go
View File

@ -10,6 +10,7 @@ import (
auth_model "code.gitea.io/gitea/models/auth" auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/db"
org_model "code.gitea.io/gitea/models/organization" org_model "code.gitea.io/gitea/models/organization"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unittest" "code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user" user_model "code.gitea.io/gitea/models/user"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
@ -81,8 +82,8 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
var forks []*api.Repository var forks []*api.Repository
DecodeJSON(t, resp, &forks) DecodeJSON(t, resp, &forks)
assert.Len(t, forks, 1) assert.Len(t, forks, 2)
assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count")) assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1)) assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
@ -96,3 +97,31 @@ func TestAPIForkListLimitedAndPrivateRepos(t *testing.T) {
assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count")) assert.EqualValues(t, "2", resp.Header().Get("X-Total-Count"))
}) })
} }
func TestGetPrivateReposForks(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user1Sess := loginUser(t, "user1")
repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2}) // private repository
privateOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
user1Token := getTokenForLoggedInUser(t, user1Sess, auth_model.AccessTokenScopeWriteRepository)
forkedRepoName := "forked-repo"
// create fork from a private repository
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+repo2.FullName()+"/forks", &api.CreateForkOption{
Organization: &privateOrg.Name,
Name: &forkedRepoName,
}).AddTokenAuth(user1Token)
MakeRequest(t, req, http.StatusAccepted)
// test get a private fork without clear permissions
req = NewRequest(t, "GET", "/api/v1/repos/"+repo2.FullName()+"/forks").AddTokenAuth(user1Token)
resp := MakeRequest(t, req, http.StatusOK)
forks := []*api.Repository{}
DecodeJSON(t, resp, &forks)
assert.Len(t, forks, 1)
assert.EqualValues(t, "1", resp.Header().Get("X-Total-Count"))
assert.EqualValues(t, "forked-repo", forks[0].Name)
assert.EqualValues(t, privateOrg.Name, forks[0].Owner.UserName)
}

3
tests/integration/repo_fork_test.go
View File

@ -118,7 +118,8 @@ func TestForkListLimitedAndPrivateRepos(t *testing.T) {
req := NewRequest(t, "GET", "/user2/repo1/forks") req := NewRequest(t, "GET", "/user2/repo1/forks")
resp := user1Sess.MakeRequest(t, req, http.StatusOK) resp := user1Sess.MakeRequest(t, req, http.StatusOK)
htmlDoc := NewHTMLParser(t, resp.Body) htmlDoc := NewHTMLParser(t, resp.Body)
assert.EqualValues(t, 1, htmlDoc.Find(forkItemSelector).Length()) // since user1 is an admin, he can get both of the forked repositories
assert.EqualValues(t, 2, htmlDoc.Find(forkItemSelector).Length())
assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1)) assert.NoError(t, org_service.AddTeamMember(db.DefaultContext, ownerTeam2, user1))
resp = user1Sess.MakeRequest(t, req, http.StatusOK) resp = user1Sess.MakeRequest(t, req, http.StatusOK)