public/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-28 02:38:44 +09:00
Code Issues Packages Projects Releases Wiki Activity

fix(packages): Add label for private and internal package and fix composor package source permission check (#37610) (#37643)

Browse Source 
Backport #37610 by @lunny

- Add permission checks for Composer package source links

- Add private/internal visibility labels for packages, similar to
repository visibility labels

<img width="969" height="571" alt="image"
src="https://github.com/user-attachments/assets/8a8ec3a0-bfbd-4dd6-b45b-58eda5db1a2d"
/>

- Add a link to change package visibility

<img width="1309" height="208" alt="image"
src="https://github.com/user-attachments/assets/3fa82b23-4c63-4a5e-b3f0-d37a103231ee"
/>

- Update link package descriptions

<img width="1308" height="265" alt="image"
src="https://github.com/user-attachments/assets/2c80b50e-5ffe-4d96-aedd-aa15964c4e05"
/>

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
This commit is contained in:
Giteabot
2026-05-11 10:36:07 -07:00
committed by GitHub
parent fb159eae8f
commit 5eaa0bc603
11 changed files with 158 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
tests/integration/api_packages_composer_test.go
View File

@@ -17,6 +17,7 @@ import (
user_model "code.gitea.io/gitea/models/user"
composer_module "code.gitea.io/gitea/modules/packages/composer"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/routers/api/packages/composer"
"code.gitea.io/gitea/tests"
@@ -27,6 +28,8 @@ func TestPackageComposer(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
otherUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
privateUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 31})
vendorName := "gitea"
projectName := "composer-package"
@@ -251,5 +254,85 @@ func TestPackageComposer(t *testing.T) {
assert.Equal(t, repo1.HTMLURL(), pkgs[0].Source.URL)
assert.Equal(t, "git", pkgs[0].Source.Type)
assert.Equal(t, packageVersion, pkgs[0].Source.Reference)
// Private repository links remain visible to callers who can access the repository.
repo2 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
err = packages.SetRepositoryLink(t.Context(), userPkgs[0].ID, repo2.ID)
assert.NoError(t, err)
req = NewRequest(t, "GET", fmt.Sprintf("%s/p2/%s/%s.json", url, vendorName, projectName)).
AddBasicAuth(user.Name)
resp = MakeRequest(t, req, http.StatusOK)
result = composer.PackageMetadataResponse{}
DecodeJSON(t, resp, &result)
pkgs = result.Packages[packageName]
assert.Len(t, pkgs, 1)
assert.Equal(t, repo2.HTMLURL(), pkgs[0].Source.URL)
assert.Equal(t, "git", pkgs[0].Source.Type)
assert.Equal(t, packageVersion, pkgs[0].Source.Reference)
// Callers without repository access still get the package metadata, but not the private source URL.
req = NewRequest(t, "GET", fmt.Sprintf("%s/p2/%s/%s.json", url, vendorName, projectName)).
AddBasicAuth(otherUser.Name)
resp = MakeRequest(t, req, http.StatusOK)
result = composer.PackageMetadataResponse{}
DecodeJSON(t, resp, &result)
pkgs = result.Packages[packageName]
assert.Len(t, pkgs, 1)
assert.Empty(t, pkgs[0].Source.URL)
assert.Empty(t, pkgs[0].Source.Type)
assert.Empty(t, pkgs[0].Source.Reference)
})
t.Run("WebVisibilityBadge", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
listReq := NewRequest(t, "GET", fmt.Sprintf("/%s/-/packages", user.Name)).
AddBasicAuth(user.Name)
listResp := MakeRequest(t, listReq, http.StatusOK)
listDoc := NewHTMLParser(t, listResp.Body)
assert.Equal(t, 0, listDoc.Find(".flex-item-title .ui.basic.label").Length())
viewReq := NewRequest(t, "GET", fmt.Sprintf("/%s/-/packages/composer/%s/%s", user.Name, neturl.PathEscape(packageName), neturl.PathEscape(packageVersion))).
AddBasicAuth(user.Name)
viewResp := MakeRequest(t, viewReq, http.StatusOK)
viewDoc := NewHTMLParser(t, viewResp.Body)
assert.Equal(t, 0, viewDoc.Find(".issue-title-header .ui.basic.label").Length())
privatePackageName := privateUser.Name + "/private-composer-package"
privatePackageVersion := "1.0.0"
privateContent := test.WriteZipArchive(map[string]string{
"composer.json": `{
"name": "` + privatePackageName + `",
"description": "Private Package",
"type": "` + packageType + `",
"license": "` + packageLicense + `",
"authors": [
{
"name": "` + packageAuthor + `"
}
]
}`,
}).Bytes()
privateUploadURL := fmt.Sprintf("%sapi/packages/%s/composer?version=%s", setting.AppURL, privateUser.Name, privatePackageVersion)
uploadReq := NewRequestWithBody(t, "PUT", privateUploadURL, bytes.NewReader(privateContent)).
AddBasicAuth(privateUser.Name)
MakeRequest(t, uploadReq, http.StatusCreated)
privateSession := loginUser(t, privateUser.Name)
privateListReq := NewRequest(t, "GET", fmt.Sprintf("/%s/-/packages", privateUser.Name))
privateListResp := privateSession.MakeRequest(t, privateListReq, http.StatusOK)
privateListDoc := NewHTMLParser(t, privateListResp.Body)
assert.Equal(t, 1, privateListDoc.Find(".flex-item-title .ui.basic.label").Length())
assert.Equal(t, "Private", privateListDoc.Find(".flex-item-title .ui.basic.label").First().Text())
privateViewReq := NewRequest(t, "GET", fmt.Sprintf("/%s/-/packages/composer/%s/%s", privateUser.Name, neturl.PathEscape(privatePackageName), neturl.PathEscape(privatePackageVersion)))
privateViewResp := privateSession.MakeRequest(t, privateViewReq, http.StatusOK)
privateViewDoc := NewHTMLParser(t, privateViewResp.Body)
assert.Equal(t, 1, privateViewDoc.Find(".issue-title-header .ui.basic.label").Length())
assert.Equal(t, "Private", privateViewDoc.Find(".issue-title-header .ui.basic.label").First().Text())
})
}