public/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-28 02:38:44 +09:00
Code Issues Packages Projects Releases Wiki Activity

fix: Add missed token scope checking (#37735)

Browse Source 
Follow #37698
This commit is contained in:
Lunny Xiao
2026-05-17 21:52:08 -07:00
committed by GitHub
parent 2d1eb28083
commit c3d9d07702
2 changed files with 51 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/integration/download_test.go
+43 -3
View File
@@ -17,6 +17,7 @@ import (
type downloadScopeCase struct {
name string
method string
url string
withScope int
publicOnlyOK bool
@@ -88,68 +89,107 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {
publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository, auth_model.AccessTokenScopePublicOnly)
cases := []downloadScopeCase{
{
name: "PublicArchiveDownload",
method: http.MethodGet,
url: "/user2/repo1/archive/master.tar.gz",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PrivateArchiveDownload",
method: http.MethodGet,
url: "/user2/repo2/archive/master.tar.gz",
withScope: http.StatusOK,
publicOnlyOK: false,
},
{
name: "PublicArchiveInitiate",
method: http.MethodPost,
url: "/user2/repo1/archive/master.tar.gz",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PrivateArchiveInitiate",
method: http.MethodPost,
url: "/user2/repo2/archive/master.tar.gz",
withScope: http.StatusOK,
publicOnlyOK: false,
},
{
name: "PublicRawBlob",
method: http.MethodGet,
url: "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicRawBranch",
method: http.MethodGet,
url: "/user2/repo1/raw/branch/master/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicRawTag",
method: http.MethodGet,
url: "/user2/repo1/raw/tag/v1.1/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicRawCommit",
method: http.MethodGet,
url: "/user2/repo1/raw/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicMediaBlob",
method: http.MethodGet,
url: "/user2/repo1/media/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicMediaBranch",
method: http.MethodGet,
url: "/user2/repo1/media/branch/master/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicMediaTag",
method: http.MethodGet,
url: "/user2/repo1/media/tag/v1.1/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PublicMediaCommit",
method: http.MethodGet,
url: "/user2/repo1/media/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
withScope: http.StatusOK,
publicOnlyOK: true,
},
{
name: "PrivateRawBranch",
method: http.MethodGet,
url: "/user2/repo2/raw/branch/master/test.xml",
withScope: http.StatusOK,
publicOnlyOK: false,
},
{
name: "PrivateRawBlob",
method: http.MethodGet,
url: "/user2/repo2/raw/blob/6395b68e1feebb1e4c657b4f9f6ba2676a283c0b",
withScope: http.StatusOK,
publicOnlyOK: false,
},
{
name: "PrivateMediaBranch",
method: http.MethodGet,
url: "/user2/repo2/media/branch/master/test.xml",
withScope: http.StatusOK,
publicOnlyOK: false,
@@ -158,14 +198,14 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(ownerReadToken), tc.withScope)
MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(ownerReadToken), tc.withScope)
publicOnlyStatus := http.StatusForbidden
if tc.publicOnlyOK {
publicOnlyStatus = tc.withScope
}
MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
})
}
}