From 250f85816fb0a21d57e249fa9183a29f5f51fe98 Mon Sep 17 00:00:00 2001
From: Matti Ranta
Date: Fri, 13 Jul 2018 21:19:23 -0400
Subject: [PATCH] add checks to api & some tests
---
 models/org_test.go | 69 +++++++++++++++++++++++++++++++++++++
 routers/api/v1/org/org.go | 5 +++
 routers/api/v1/repo/repo.go | 6 ++++
 3 files changed, 80 insertions(+)
diff --git a/models/org_test.go b/models/org_test.go
index c54e7a93b..6108decb6 100644
--- a/models/org_test.go
+++ b/models/org_test.go
@@ -544,3 +544,72 @@ func TestAccessibleReposEnv_MirrorRepos(t *testing.T) {
 testSuccess(2, []int64{5})
 testSuccess(4, []int64{})
 }
+
+func TestHasOrgVisibleTypePublic(t *testing.T) {
+ assert.NoError(t, PrepareTestDatabase())
+ owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+ user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+ const newOrgName = "test-org-public"
+ org := &User{
+ Name: newOrgName,
+ Visibility: VisibleTypePublic,
+ }
+
+ AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+ assert.NoError(t, CreateOrganization(org, owner))
+ org = AssertExistsAndLoadBean(t,
+ &User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+ test1 := HasOrgVisible([]*User{org}, owner)
+ test2 := HasOrgVisible([]*User{org}, user3)
+ test3 := HasOrgVisible([]*User{org}, nil)
+ assert.Equal(t, test1, true) // owner of org
+ assert.Equal(t, test2, true) // user not a part of org
+ assert.Equal(t, test3, true) // logged out user
+}
+
+func TestHasOrgVisibleTypeLimited(t *testing.T) {
+ assert.NoError(t, PrepareTestDatabase())
+ owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+ user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+ const newOrgName = "test-org-limited"
+ org := &User{
+ Name: newOrgName,
+ Visibility: VisibleTypeLimited,
+ }
+
+ AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+ assert.NoError(t, CreateOrganization(org, owner))
+ org = AssertExistsAndLoadBean(t,
+ &User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+ test1 := HasOrgVisible([]*User{org}, owner)
+ test2 := HasOrgVisible([]*User{org}, user3)
+ test3 := HasOrgVisible([]*User{org}, nil)
+ assert.Equal(t, test1, true) // owner of org
+ assert.Equal(t, test2, true) // user not a part of org
+ assert.Equal(t, test3, false) // logged out user
+}
+
+func TestHasOrgVisibleTypePrivate(t *testing.T) {
+ assert.NoError(t, PrepareTestDatabase())
+ owner := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+ user3 := AssertExistsAndLoadBean(t, &User{ID: 3}).(*User)
+
+ const newOrgName = "test-org-private"
+ org := &User{
+ Name: newOrgName,
+ Visibility: VisibleTypePrivate,
+ }
+
+ AssertNotExistsBean(t, &User{Name: org.Name, Type: UserTypeOrganization})
+ assert.NoError(t, CreateOrganization(org, owner))
+ org = AssertExistsAndLoadBean(t,
+ &User{Name: org.Name, Type: UserTypeOrganization}).(*User)
+ test1 := HasOrgVisible([]*User{org}, owner)
+ test2 := HasOrgVisible([]*User{org}, user3)
+ test3 := HasOrgVisible([]*User{org}, nil)
+ assert.Equal(t, test1, true) // owner of org
+ assert.Equal(t, test2, false) // user not a part of org
+ assert.Equal(t, test3, false) // logged out user
+}
diff --git a/routers/api/v1/org/org.go b/routers/api/v1/org/org.go
index 29d45d2f2..61bcbf4c9 100644
--- a/routers/api/v1/org/org.go
+++ b/routers/api/v1/org/org.go
@@ -78,6 +78,11 @@ func Get(ctx *context.APIContext) {
 // responses:
 // "200":
 // "$ref": "#/responses/Organization"
+ canSeeOrg := models.HasOrgVisible([]*models.User{ctx.Org}, ctx.User)
+ if !canSeeOrg {
+ ctx.NotFound("HasOrgVisible", nil)
+ return
+ }
 ctx.JSON(200, convert.ToOrganization(ctx.Org.Organization))
 }
 
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
index 044b1e9c1..a80420dc7 100644
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -257,6 +257,12 @@ func CreateOrgRepo(ctx *context.APIContext, opt api.CreateRepoOption) {
 return
 }
 
+ canSeeOrg := models.HasOrgVisible([]*models.User{org}, ctx.User)
+ if !canSeeOrg {
+ ctx.NotFound("HasOrgVisible", nil)
+ return
+ }
+
 if !ctx.User.IsAdmin {
 isOwner, err := org.IsOwnedBy(ctx.User.ID)
 if err != nil {
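Review bot: The three new tests in models/org_test.go exercise only an owner, a non-member and an anonymous caller, so the access paths where a visibility check most easily goes wrong are untested: a member of a private organization who is not its owner, and a site administrator. Adding those two callers to each test would pin the intended policy before the API handlers depend on it. The assertions are also written as `assert.Equal(t, test1, true)`, which puts the actual value first if `assert` is testify, as the call shapes suggest; `assert.True(t, test1)` and `assert.False(t, test3)` read more directly and give clearer failure messages. The three functions differ only in the visibility constant and the expected results, so a single table-driven test would remove the duplication.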
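Review bot: The guard added to `Get` builds the slice from `ctx.Org`, while the unchanged line right below it reads the organization as `ctx.Org.Organization`; unless `ctx.Org` is itself a `*models.User`, this does not compile, and the call should be `models.HasOrgVisible([]*models.User{ctx.Org.Organization}, ctx.User)`. Answering with 404 rather than 403 is a sound choice because it does not confirm that a hidden organization exists, but the swagger comment above the check still documents only the `"200"` response and needs a 404 entry. The check protects this one handler only; other handlers that serve data from `ctx.Org` are outside the hunk and would need the same guard, which argues for performing it once where `ctx.Org` is assigned.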
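Review bot: The new visibility guard in `CreateOrgRepo` sits before the `if !ctx.User.IsAdmin` branch, so site administrators are subject to it as well, and nothing in this patch shows how `HasOrgVisible` treats an admin who is not a member of a private organization. If admins are meant to keep creating repositories in any organization, fold the check into the non-admin path, for example `if !ctx.User.IsAdmin && !models.HasOrgVisible([]*models.User{org}, ctx.User) {`. The `canSeeOrg` variable is used once and can be inlined into the condition. The function begins and ends outside this hunk, so the earlier lookup of `org` and the remainder of the ownership check are not visible here.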