Backupppert/Forgejo
0
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-07-01 03:23:53 +02:00
Code Issues Packages Projects Releases Wiki Activity
Forgejo/tests/integration/api_comment_test.go

368 lines
15 KiB
Go
Raw Normal View History

Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
// Copyright 2017 The Gitea Authors. All rights reserved.
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2022-11-27 19:20:29 +01:00
// SPDX-License-Identifier: MIT
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
package integration
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
import (
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
"fmt"
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
"net/http"
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
"net/url"
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
"testing"
[FEAT] allow setting the update date on issues and comments This field adds the possibility to set the update date when modifying an issue through the API. A 'NoAutoDate' in-memory field is added in the Issue struct. If the update_at field is set, NoAutoDate is set to true and the Issue's UpdatedUnix field is filled. That information is passed down to the functions that actually updates the database, which have been modified to not auto update dates if requested. A guard is added to the 'EditIssue' API call, to checks that the udpate_at date is between the issue's creation date and the current date (to avoid 'malicious' changes). It also limits the new feature to project's owners and admins. (cherry picked from commit c524d33402c76bc4cccea2806f289e08a009baae) Add a SetIssueUpdateDate() function in services/issue.go That function is used by some API calls to set the NoAutoDate and UpdatedUnix fields of an Issue if an updated_at date is provided. (cherry picked from commit f061caa6555e0c9e922ee1e73dd2e4337360e9fe) Add an updated_at field to the API calls related to Issue's Labels. The update date is applied to the issue's comment created to inform about the modification of the issue's labels. (cherry picked from commit ea36cf80f58f0ab20c565a8f5d063b90fd741f97) Add an updated_at field to the API call for issue's attachment creation The update date is applied to the issue's comment created to inform about the modification of the issue's content, and is set as the asset creation date. (cherry picked from commit 96150971ca31b97e97e84d5f5eb95a177cc44e2e) Checking Issue changes, with and without providing an updated_at date Those unit tests are added: - TestAPIEditIssueWithAutoDate - TestAPIEditIssueWithNoAutoDate - TestAPIAddIssueLabelsWithAutoDate - TestAPIAddIssueLabelsWithNoAutoDate - TestAPICreateIssueAttachmentWithAutoDate - TestAPICreateIssueAttachmentWithNoAutoDate (cherry picked from commit 4926a5d7a28581003545256632213bf4136b193d) Add an updated_at field to the API call for issue's comment creation The update date is used as the comment creation date, and is applied to the issue as the update creation date. (cherry picked from commit 76c8faecdc6cba48ca4fe07d1a916d1f1a4b37b4) Add an updated_at field to the API call for issue's comment edition The update date is used as the comment update date, and is applied to the issue as an update date. (cherry picked from commit cf787ad7fdb8e6273fdc35d7b5cc164b400207e9) Add an updated_at field to the API call for comment's attachment creation The update date is applied to the comment, and is set as the asset creation date. (cherry picked from commit 1e4ff424d39db7a4256cd9abf9c58b8d3e1b5c14) Checking Comment changes, with and without providing an updated_at date Those unit tests are added: - TestAPICreateCommentWithAutoDate - TestAPICreateCommentWithNoAutoDate - TestAPIEditCommentWithAutoDate - TestAPIEditCommentWithNoAutoDate - TestAPICreateCommentAttachmentWithAutoDate - TestAPICreateCommentAttachmentWithNoAutoDate (cherry picked from commit da932152f1deb3039a399516a51c8b6757059c91) Pettier code to set the update time of comments Now uses sess.AllCols().NoAutoToime().SetExpr("updated_unix", ...) XORM is smart enough to compose one single SQL UPDATE which all columns + updated_unix. (cherry picked from commit 1f6a42808dd739c0c2e49e6b7ae2967f120f43c2) Issue edition: Keep the max of the milestone and issue update dates. When editing an issue via the API, an updated_at date can be provided. If the EditIssue call changes the issue's milestone, the milestone's update date is to be changed accordingly, but only with a greater value. This ensures that a milestone's update date is the max of all issue's update dates. (cherry picked from commit 8f22ea182e6b49e933dc6534040160dd739ff18a) Rewrite the 'AutoDate' tests using subtests Also add a test to check the permissions to set a date, and a test to check update dates on milestones. The tests related to 'AutoDate' are: - TestAPIEditIssueAutoDate - TestAPIAddIssueLabelsAutoDate - TestAPIEditIssueMilestoneAutoDate - TestAPICreateIssueAttachmentAutoDate - TestAPICreateCommentAutoDate - TestAPIEditCommentWithDate - TestAPICreateCommentAttachmentAutoDate (cherry picked from commit 961fd13c551b3e50040acb7c914a00ead92de63f) (cherry picked from commit d52f4eea44692ee773010cb66a69a603663947d5) (cherry picked from commit 3540ea2a43155ca8cf5ab1a4a246babfb829db16) Conflicts: services/issue/issue.go https://codeberg.org/forgejo/forgejo/pulls/1415 (cherry picked from commit 56720ade008c09122d825959171aa5346d645987) Conflicts: routers/api/v1/repo/issue_label.go https://codeberg.org/forgejo/forgejo/pulls/1462 (cherry picked from commit 47c78927d6c7e7a50298fa67efad1e73723a0981) (cherry picked from commit 2030f3b965cde401976821083c3250b404954ecc) (cherry picked from commit f02aeb76981cd688ceaf6613f142a8a725be1437) (cherry picked from commit 2e43e49961c1cd5791744fa4e7994ce929c31837) (cherry picked from commit 3bfb6cc1c085a1ae11885d0eb138d7e977fa1a16) (cherry picked from commit 38918d5f5cb148b8f53d6707fe6bc677c19c7f79) (cherry picked from commit 174f6ac3453c7ba1a88655af5d0fff807eb94dc1) (cherry picked from commit 08a2bed45dc48547c0ab79fe1de2e3c62c823ae2)
2023-05-30 18:42:58 +02:00
"time"
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
2023-01-17 22:46:03 +01:00
auth_model "code.gitea.io/gitea/models/auth"
Add `context.Context` to more methods (#21546) This PR adds a context parameter to a bunch of methods. Some helper `xxxCtx()` methods got replaced with the normal name now. Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-19 09:12:33 +01:00
"code.gitea.io/gitea/models/db"
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
issues_model "code.gitea.io/gitea/models/issues"
Move repository model into models/repo (#17933) * Some refactors related repository model * Move more methods out of repository * Move repository into models/repo * Fix test * Fix test * some improvements * Remove unnecessary function
2021-12-10 02:27:50 +01:00
repo_model "code.gitea.io/gitea/models/repo"
Decouple unit test, remove intermediate `unittestbridge` package (#17662) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-11-16 09:53:21 +01:00
"code.gitea.io/gitea/models/unittest"
Move user related model into models/user (#17781) * Move user related model into models/user * Fix lint for windows * Fix windows lint * Fix windows lint * Move some tests in models * Merge
2021-11-24 10:49:20 +01:00
user_model "code.gitea.io/gitea/models/user"
Move sdk structs to modules/structs (#6905) * move sdk structs to moduels/structs * fix tests * fix fmt * fix swagger * fix vendor
2019-05-11 12:21:34 +02:00
api "code.gitea.io/gitea/modules/structs"
Move `convert` package to services (#22264) Addition to #22256 The `convert` package relies heavily on different models which is [disallowed by our definition of modules](https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#design-guideline). This helps to prevent possible import cycles. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-29 03:57:15 +01:00
"code.gitea.io/gitea/services/convert"
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
"code.gitea.io/gitea/tests"
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
"github.com/stretchr/testify/assert"
)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
func TestAPIListRepoComments(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
unittest.Cond("type = ?", issues_model.CommentTypeComment))
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments", repoOwner.Name, repo.Name))
req := NewRequest(t, "GET", link.String())
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusOK)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
var apiComments []*api.Comment
DecodeJSON(t, resp, &apiComments)
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
assert.Len(t, apiComments, 2)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
for _, apiComment := range apiComments {
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
c := &issues_model.Comment{ID: apiComment.ID}
Decouple unit test, remove intermediate `unittestbridge` package (#17662) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-11-16 09:53:21 +01:00
unittest.AssertExistsAndLoadBean(t, c,
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
unittest.Cond("type = ?", issues_model.CommentTypeComment))
unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: c.IssueID, RepoID: repo.ID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
}
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt
2022-01-20 18:46:10 +01:00
// test before and since filters
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
query := url.Values{}
format with gofumpt (#18184) * gofumpt -w -l . * gofumpt -w -l -extra . * Add linter * manual fix * change make fmt
2022-01-20 18:46:10 +01:00
before := "2000-01-01T00:00:11+00:00" // unix: 946684811
since := "2000-01-01T00:00:12+00:00" // unix: 946684812
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
query.Add("before", before)
link.RawQuery = query.Encode()
req = NewRequest(t, "GET", link.String())
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp = MakeRequest(t, req, http.StatusOK)
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
DecodeJSON(t, resp, &apiComments)
assert.Len(t, apiComments, 1)
assert.EqualValues(t, 2, apiComments[0].ID)
query.Del("before")
query.Add("since", since)
link.RawQuery = query.Encode()
req = NewRequest(t, "GET", link.String())
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp = MakeRequest(t, req, http.StatusOK)
[API] Add "before" query to ListIssueComments and ListRepoIssue… (#9685) * add "before" query to ListIssueComments and ListRepoIssueComments * Add TEST Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
2020-01-13 17:02:24 +01:00
DecodeJSON(t, resp, &apiComments)
assert.Len(t, apiComments, 1)
assert.EqualValues(t, 3, apiComments[0].ID)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
}
func TestAPIListIssueComments(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
unittest.Cond("type = ?", issues_model.CommentTypeComment))
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
Redesign Scoped Access Tokens (#24767) ## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. `tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
Support scoped access tokens (#20908) This PR adds the support for scopes of access tokens, mimicking the design of GitHub OAuth scopes. The changes of the core logic are in `models/auth` that `AccessToken` struct will have a `Scope` field. The normalized (no duplication of scope), comma-separated scope string will be stored in `access_token` table in the database. In `services/auth`, the scope will be stored in context, which will be used by `reqToken` middleware in API calls. Only OAuth2 tokens will have granular token scopes, while others like BasicAuth will default to scope `all`. A large amount of work happens in `routers/api/v1/api.go` and the corresponding `tests/integration` tests, that is adding necessary scopes to each of the API calls as they fit. - [x] Add `Scope` field to `AccessToken` - [x] Add access control to all API endpoints - [x] Update frontend & backend for when creating tokens - [x] Add a database migration for `scope` column (enable 'all' access to past tokens) I'm aiming to complete it before Gitea 1.19 release. Fixes #4300
2023-01-17 22:46:03 +01:00
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
repoOwner.Name, repo.Name, issue.Index, token)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusOK)
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
var comments []*api.Comment
DecodeJSON(t, resp, &comments)
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
expectedCount := unittest.GetCount(t, &issues_model.Comment{IssueID: issue.ID},
unittest.Cond("type = ?", issues_model.CommentTypeComment))
Use more specific test methods (#24265) Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Giteabot <teabot@gitea.io>
2023-04-22 23:56:27 +02:00
assert.Len(t, comments, expectedCount)
Don't show non-comments in comments API (#2001)
2017-06-18 11:06:17 +02:00
}
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
func TestAPICreateComment(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
const commentBody = "Comment body"
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Redesign Scoped Access Tokens (#24767) ## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. `tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
Enforce token on api routes [fixed critical security issue #4357] (#4840)
2018-09-10 18:15:52 +02:00
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
repoOwner.Name, repo.Name, issue.Index, token)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
"body": commentBody,
})
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusCreated)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
assert.EqualValues(t, commentBody, updatedComment.Body)
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: updatedComment.ID, IssueID: issue.ID, Content: commentBody})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
}
[FEAT] allow setting the update date on issues and comments This field adds the possibility to set the update date when modifying an issue through the API. A 'NoAutoDate' in-memory field is added in the Issue struct. If the update_at field is set, NoAutoDate is set to true and the Issue's UpdatedUnix field is filled. That information is passed down to the functions that actually updates the database, which have been modified to not auto update dates if requested. A guard is added to the 'EditIssue' API call, to checks that the udpate_at date is between the issue's creation date and the current date (to avoid 'malicious' changes). It also limits the new feature to project's owners and admins. (cherry picked from commit c524d33402c76bc4cccea2806f289e08a009baae) Add a SetIssueUpdateDate() function in services/issue.go That function is used by some API calls to set the NoAutoDate and UpdatedUnix fields of an Issue if an updated_at date is provided. (cherry picked from commit f061caa6555e0c9e922ee1e73dd2e4337360e9fe) Add an updated_at field to the API calls related to Issue's Labels. The update date is applied to the issue's comment created to inform about the modification of the issue's labels. (cherry picked from commit ea36cf80f58f0ab20c565a8f5d063b90fd741f97) Add an updated_at field to the API call for issue's attachment creation The update date is applied to the issue's comment created to inform about the modification of the issue's content, and is set as the asset creation date. (cherry picked from commit 96150971ca31b97e97e84d5f5eb95a177cc44e2e) Checking Issue changes, with and without providing an updated_at date Those unit tests are added: - TestAPIEditIssueWithAutoDate - TestAPIEditIssueWithNoAutoDate - TestAPIAddIssueLabelsWithAutoDate - TestAPIAddIssueLabelsWithNoAutoDate - TestAPICreateIssueAttachmentWithAutoDate - TestAPICreateIssueAttachmentWithNoAutoDate (cherry picked from commit 4926a5d7a28581003545256632213bf4136b193d) Add an updated_at field to the API call for issue's comment creation The update date is used as the comment creation date, and is applied to the issue as the update creation date. (cherry picked from commit 76c8faecdc6cba48ca4fe07d1a916d1f1a4b37b4) Add an updated_at field to the API call for issue's comment edition The update date is used as the comment update date, and is applied to the issue as an update date. (cherry picked from commit cf787ad7fdb8e6273fdc35d7b5cc164b400207e9) Add an updated_at field to the API call for comment's attachment creation The update date is applied to the comment, and is set as the asset creation date. (cherry picked from commit 1e4ff424d39db7a4256cd9abf9c58b8d3e1b5c14) Checking Comment changes, with and without providing an updated_at date Those unit tests are added: - TestAPICreateCommentWithAutoDate - TestAPICreateCommentWithNoAutoDate - TestAPIEditCommentWithAutoDate - TestAPIEditCommentWithNoAutoDate - TestAPICreateCommentAttachmentWithAutoDate - TestAPICreateCommentAttachmentWithNoAutoDate (cherry picked from commit da932152f1deb3039a399516a51c8b6757059c91) Pettier code to set the update time of comments Now uses sess.AllCols().NoAutoToime().SetExpr("updated_unix", ...) XORM is smart enough to compose one single SQL UPDATE which all columns + updated_unix. (cherry picked from commit 1f6a42808dd739c0c2e49e6b7ae2967f120f43c2) Issue edition: Keep the max of the milestone and issue update dates. When editing an issue via the API, an updated_at date can be provided. If the EditIssue call changes the issue's milestone, the milestone's update date is to be changed accordingly, but only with a greater value. This ensures that a milestone's update date is the max of all issue's update dates. (cherry picked from commit 8f22ea182e6b49e933dc6534040160dd739ff18a) Rewrite the 'AutoDate' tests using subtests Also add a test to check the permissions to set a date, and a test to check update dates on milestones. The tests related to 'AutoDate' are: - TestAPIEditIssueAutoDate - TestAPIAddIssueLabelsAutoDate - TestAPIEditIssueMilestoneAutoDate - TestAPICreateIssueAttachmentAutoDate - TestAPICreateCommentAutoDate - TestAPIEditCommentWithDate - TestAPICreateCommentAttachmentAutoDate (cherry picked from commit 961fd13c551b3e50040acb7c914a00ead92de63f) (cherry picked from commit d52f4eea44692ee773010cb66a69a603663947d5) (cherry picked from commit 3540ea2a43155ca8cf5ab1a4a246babfb829db16) Conflicts: services/issue/issue.go https://codeberg.org/forgejo/forgejo/pulls/1415 (cherry picked from commit 56720ade008c09122d825959171aa5346d645987) Conflicts: routers/api/v1/repo/issue_label.go https://codeberg.org/forgejo/forgejo/pulls/1462 (cherry picked from commit 47c78927d6c7e7a50298fa67efad1e73723a0981) (cherry picked from commit 2030f3b965cde401976821083c3250b404954ecc) (cherry picked from commit f02aeb76981cd688ceaf6613f142a8a725be1437) (cherry picked from commit 2e43e49961c1cd5791744fa4e7994ce929c31837) (cherry picked from commit 3bfb6cc1c085a1ae11885d0eb138d7e977fa1a16) (cherry picked from commit 38918d5f5cb148b8f53d6707fe6bc677c19c7f79) (cherry picked from commit 174f6ac3453c7ba1a88655af5d0fff807eb94dc1) (cherry picked from commit 08a2bed45dc48547c0ab79fe1de2e3c62c823ae2)
2023-05-30 18:42:58 +02:00
func TestAPICreateCommentAutoDate(t *testing.T) {
defer tests.PrepareTestEnv(t)()
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
repoOwner.Name, repo.Name, issue.Index, token)
const commentBody = "Comment body"
t.Run("WithAutoDate", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
"body": commentBody,
})
resp := MakeRequest(t, req, http.StatusCreated)
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
// the execution of the API call supposedly lasted less than one minute
updatedSince := time.Since(updatedComment.Updated)
assert.LessOrEqual(t, updatedSince, time.Minute)
commentAfter := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: updatedComment.ID, IssueID: issue.ID, Content: commentBody})
updatedSince = time.Since(commentAfter.UpdatedUnix.AsTime())
assert.LessOrEqual(t, updatedSince, time.Minute)
})
t.Run("WithUpdateDate", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
updatedAt := time.Now().Add(-time.Hour).Truncate(time.Second)
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueCommentOption{
Body: commentBody,
Updated: &updatedAt,
})
resp := MakeRequest(t, req, http.StatusCreated)
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
// dates will be converted into the same tz, in order to compare them
utcTZ, _ := time.LoadLocation("UTC")
assert.Equal(t, updatedAt.In(utcTZ), updatedComment.Updated.In(utcTZ))
commentAfter := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: updatedComment.ID, IssueID: issue.ID, Content: commentBody})
assert.Equal(t, updatedAt.In(utcTZ), commentAfter.UpdatedUnix.AsTime().In(utcTZ))
})
}
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
func TestAPIGetComment(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 2})
Add `context.Context` to more methods (#21546) This PR adds a context parameter to a bunch of methods. Some helper `xxxCtx()` methods got replaced with the normal name now. Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-19 09:12:33 +01:00
assert.NoError(t, comment.LoadIssue(db.DefaultContext))
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: comment.Issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
Redesign Scoped Access Tokens (#24767) ## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. `tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
MakeRequest(t, req, http.StatusOK)
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, token)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusOK)
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
var apiComment api.Comment
DecodeJSON(t, resp, &apiComment)
Add `context.Context` to more methods (#21546) This PR adds a context parameter to a bunch of methods. Some helper `xxxCtx()` methods got replaced with the normal name now. Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-11-19 09:12:33 +01:00
assert.NoError(t, comment.LoadPoster(db.DefaultContext))
For API attachments, use API URL (#25639) Fix #25257 --------- Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-10 11:31:19 +02:00
expect := convert.ToAPIComment(db.DefaultContext, repo, comment)
[API] add comments endpoint for single comment (#9494) * add GET /repos/{owner}/{repo}/issues/comments/{id} and complete error list for swagger in other func * add repo check
2020-01-08 08:00:59 +01:00
assert.Equal(t, expect.ID, apiComment.ID)
assert.Equal(t, expect.Poster.FullName, apiComment.Poster.FullName)
assert.Equal(t, expect.Body, apiComment.Body)
assert.Equal(t, expect.Created.Unix(), apiComment.Created.Unix())
}
[GITEA] enable system users for comment.LoadPoster System users (Ghost, ActionsUser, etc) have a negative id and may be the author of a comment, either because it was created by a now deleted user or via an action using a transient token. The GetPossibleUserByID function has special cases related to system users and will not fail if given a negative id. Refs: https://codeberg.org/forgejo/forgejo/issues/1425 (cherry picked from commit 97667e06b384d834a04eaa05e8f91563481709b1) (cherry picked from commit 8ef73a09c9cb08e536aff7df8fc715c8d48c7c4f) (cherry picked from commit fa8a00d26420ef56497203a5c607b3d336feb813) (cherry picked from commit 2ada2074b56f3cd981dbacac0a7b1033ff486ffd) (cherry picked from commit f9a59b940a2ab2c9abac7c346da24b22d15017f1) (cherry picked from commit cd82834043c14a679cc55eba980c27549b2f87e5) (cherry picked from commit 7fb032c2400386d6edba769452e1735f32ac3f78) (cherry picked from commit 64438ff837f411656c0456864bd9be2c47f37311) (cherry picked from commit 8174592b298eb2f3a34ed67a836739cc9c9e5a42) (cherry picked from commit 46d36555f91313fef6c15a74cefe9860650b1b86)
2023-09-12 09:04:46 +02:00
func TestAPIGetSystemUserComment(t *testing.T) {
defer tests.PrepareTestEnv(t)()
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
for _, systemUser := range []*user_model.User{
user_model.NewGhostUser(),
user_model.NewActionsUser(),
} {
body := fmt.Sprintf("Hello %s", systemUser.Name)
comment, err := issues_model.CreateComment(db.DefaultContext, &issues_model.CreateCommentOptions{
Type: issues_model.CommentTypeComment,
Doer: systemUser,
Repo: repo,
Issue: issue,
Content: body,
})
assert.NoError(t, err)
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID)
resp := MakeRequest(t, req, http.StatusOK)
var apiComment api.Comment
DecodeJSON(t, resp, &apiComment)
if assert.NotNil(t, apiComment.Poster) {
if assert.Equal(t, systemUser.ID, apiComment.Poster.ID) {
assert.NoError(t, comment.LoadPoster(db.DefaultContext))
assert.Equal(t, systemUser.Name, apiComment.Poster.UserName)
}
}
assert.Equal(t, body, apiComment.Body)
}
}
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
func TestAPIEditComment(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
const newCommentBody = "This is the new comment body"
Fix comment permissions (#28213) (#28216) backport #28213 This PR will fix some missed checks for private repositories' data on web routes and API routes. (cherry picked from commit bc3d8bff73a5bd307dc825254b51bfedd722f078)
2023-11-26 00:43:23 +01:00
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 8},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
unittest.Cond("type = ?", issues_model.CommentTypeComment))
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Fix comment permissions (#28213) (#28216) backport #28213 This PR will fix some missed checks for private repositories' data on web routes and API routes. (cherry picked from commit bc3d8bff73a5bd307dc825254b51bfedd722f078)
2023-11-26 00:43:23 +01:00
t.Run("UnrelatedCommentID", func(t *testing.T) {
// Using the ID of a comment that does not belong to the repository must fail
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
repoOwner.Name, repo.Name, comment.ID, token)
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
"body": newCommentBody,
})
MakeRequest(t, req, http.StatusNotFound)
})
Redesign Scoped Access Tokens (#24767) ## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. `tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
Enforce token on api routes [fixed critical security issue #4357] (#4840)
2018-09-10 18:15:52 +02:00
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
repoOwner.Name, repo.Name, comment.ID, token)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
"body": newCommentBody,
})
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusOK)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
assert.EqualValues(t, comment.ID, updatedComment.ID)
assert.EqualValues(t, newCommentBody, updatedComment.Body)
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID, IssueID: issue.ID, Content: newCommentBody})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
}
[FEAT] allow setting the update date on issues and comments This field adds the possibility to set the update date when modifying an issue through the API. A 'NoAutoDate' in-memory field is added in the Issue struct. If the update_at field is set, NoAutoDate is set to true and the Issue's UpdatedUnix field is filled. That information is passed down to the functions that actually updates the database, which have been modified to not auto update dates if requested. A guard is added to the 'EditIssue' API call, to checks that the udpate_at date is between the issue's creation date and the current date (to avoid 'malicious' changes). It also limits the new feature to project's owners and admins. (cherry picked from commit c524d33402c76bc4cccea2806f289e08a009baae) Add a SetIssueUpdateDate() function in services/issue.go That function is used by some API calls to set the NoAutoDate and UpdatedUnix fields of an Issue if an updated_at date is provided. (cherry picked from commit f061caa6555e0c9e922ee1e73dd2e4337360e9fe) Add an updated_at field to the API calls related to Issue's Labels. The update date is applied to the issue's comment created to inform about the modification of the issue's labels. (cherry picked from commit ea36cf80f58f0ab20c565a8f5d063b90fd741f97) Add an updated_at field to the API call for issue's attachment creation The update date is applied to the issue's comment created to inform about the modification of the issue's content, and is set as the asset creation date. (cherry picked from commit 96150971ca31b97e97e84d5f5eb95a177cc44e2e) Checking Issue changes, with and without providing an updated_at date Those unit tests are added: - TestAPIEditIssueWithAutoDate - TestAPIEditIssueWithNoAutoDate - TestAPIAddIssueLabelsWithAutoDate - TestAPIAddIssueLabelsWithNoAutoDate - TestAPICreateIssueAttachmentWithAutoDate - TestAPICreateIssueAttachmentWithNoAutoDate (cherry picked from commit 4926a5d7a28581003545256632213bf4136b193d) Add an updated_at field to the API call for issue's comment creation The update date is used as the comment creation date, and is applied to the issue as the update creation date. (cherry picked from commit 76c8faecdc6cba48ca4fe07d1a916d1f1a4b37b4) Add an updated_at field to the API call for issue's comment edition The update date is used as the comment update date, and is applied to the issue as an update date. (cherry picked from commit cf787ad7fdb8e6273fdc35d7b5cc164b400207e9) Add an updated_at field to the API call for comment's attachment creation The update date is applied to the comment, and is set as the asset creation date. (cherry picked from commit 1e4ff424d39db7a4256cd9abf9c58b8d3e1b5c14) Checking Comment changes, with and without providing an updated_at date Those unit tests are added: - TestAPICreateCommentWithAutoDate - TestAPICreateCommentWithNoAutoDate - TestAPIEditCommentWithAutoDate - TestAPIEditCommentWithNoAutoDate - TestAPICreateCommentAttachmentWithAutoDate - TestAPICreateCommentAttachmentWithNoAutoDate (cherry picked from commit da932152f1deb3039a399516a51c8b6757059c91) Pettier code to set the update time of comments Now uses sess.AllCols().NoAutoToime().SetExpr("updated_unix", ...) XORM is smart enough to compose one single SQL UPDATE which all columns + updated_unix. (cherry picked from commit 1f6a42808dd739c0c2e49e6b7ae2967f120f43c2) Issue edition: Keep the max of the milestone and issue update dates. When editing an issue via the API, an updated_at date can be provided. If the EditIssue call changes the issue's milestone, the milestone's update date is to be changed accordingly, but only with a greater value. This ensures that a milestone's update date is the max of all issue's update dates. (cherry picked from commit 8f22ea182e6b49e933dc6534040160dd739ff18a) Rewrite the 'AutoDate' tests using subtests Also add a test to check the permissions to set a date, and a test to check update dates on milestones. The tests related to 'AutoDate' are: - TestAPIEditIssueAutoDate - TestAPIAddIssueLabelsAutoDate - TestAPIEditIssueMilestoneAutoDate - TestAPICreateIssueAttachmentAutoDate - TestAPICreateCommentAutoDate - TestAPIEditCommentWithDate - TestAPICreateCommentAttachmentAutoDate (cherry picked from commit 961fd13c551b3e50040acb7c914a00ead92de63f) (cherry picked from commit d52f4eea44692ee773010cb66a69a603663947d5) (cherry picked from commit 3540ea2a43155ca8cf5ab1a4a246babfb829db16) Conflicts: services/issue/issue.go https://codeberg.org/forgejo/forgejo/pulls/1415 (cherry picked from commit 56720ade008c09122d825959171aa5346d645987) Conflicts: routers/api/v1/repo/issue_label.go https://codeberg.org/forgejo/forgejo/pulls/1462 (cherry picked from commit 47c78927d6c7e7a50298fa67efad1e73723a0981) (cherry picked from commit 2030f3b965cde401976821083c3250b404954ecc) (cherry picked from commit f02aeb76981cd688ceaf6613f142a8a725be1437) (cherry picked from commit 2e43e49961c1cd5791744fa4e7994ce929c31837) (cherry picked from commit 3bfb6cc1c085a1ae11885d0eb138d7e977fa1a16) (cherry picked from commit 38918d5f5cb148b8f53d6707fe6bc677c19c7f79) (cherry picked from commit 174f6ac3453c7ba1a88655af5d0fff807eb94dc1) (cherry picked from commit 08a2bed45dc48547c0ab79fe1de2e3c62c823ae2)
2023-05-30 18:42:58 +02:00
func TestAPIEditCommentWithDate(t *testing.T) {
defer tests.PrepareTestEnv(t)()
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{},
unittest.Cond("type = ?", issues_model.CommentTypeComment))
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
repoOwner.Name, repo.Name, comment.ID, token)
const newCommentBody = "This is the new comment body"
t.Run("WithAutoDate", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
"body": newCommentBody,
})
resp := MakeRequest(t, req, http.StatusOK)
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
// the execution of the API call supposedly lasted less than one minute
updatedSince := time.Since(updatedComment.Updated)
assert.LessOrEqual(t, updatedSince, time.Minute)
commentAfter := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID, IssueID: issue.ID, Content: newCommentBody})
updatedSince = time.Since(commentAfter.UpdatedUnix.AsTime())
assert.LessOrEqual(t, updatedSince, time.Minute)
})
t.Run("WithUpdateDate", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
updatedAt := time.Now().Add(-time.Hour).Truncate(time.Second)
req := NewRequestWithJSON(t, "PATCH", urlStr, &api.EditIssueCommentOption{
Body: newCommentBody,
Updated: &updatedAt,
})
resp := MakeRequest(t, req, http.StatusOK)
var updatedComment api.Comment
DecodeJSON(t, resp, &updatedComment)
// dates will be converted into the same tz, in order to compare them
utcTZ, _ := time.LoadLocation("UTC")
assert.Equal(t, updatedAt.In(utcTZ), updatedComment.Updated.In(utcTZ))
commentAfter := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: comment.ID, IssueID: issue.ID, Content: newCommentBody})
assert.Equal(t, updatedAt.In(utcTZ), commentAfter.UpdatedUnix.AsTime().In(utcTZ))
})
}
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
func TestAPIDeleteComment(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Fix comment permissions (#28213) (#28216) backport #28213 This PR will fix some missed checks for private repositories' data on web routes and API routes. (cherry picked from commit bc3d8bff73a5bd307dc825254b51bfedd722f078)
2023-11-26 00:43:23 +01:00
comment := unittest.AssertExistsAndLoadBean(t, &issues_model.Comment{ID: 8},
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
unittest.Cond("type = ?", issues_model.CommentTypeComment))
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: comment.IssueID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Fix comment permissions (#28213) (#28216) backport #28213 This PR will fix some missed checks for private repositories' data on web routes and API routes. (cherry picked from commit bc3d8bff73a5bd307dc825254b51bfedd722f078)
2023-11-26 00:43:23 +01:00
t.Run("UnrelatedCommentID", func(t *testing.T) {
// Using the ID of a comment that does not belong to the repository must fail
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 4})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
repoOwner.Name, repo.Name, comment.ID, token)
MakeRequest(t, req, http.StatusNotFound)
})
Redesign Scoped Access Tokens (#24767) ## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. `tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
2023-06-04 20:57:16 +02:00
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
Enforce token on api routes [fixed critical security issue #4357] (#4840)
2018-09-10 18:15:52 +02:00
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
repoOwner.Name, repo.Name, comment.ID, token)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
MakeRequest(t, req, http.StatusNoContent)
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
unittest.AssertNotExistsBean(t, &issues_model.Comment{ID: comment.ID})
More integration tests for comment API (#2156)
2017-07-14 00:33:26 +02:00
}
Add API to get issue/pull comments and events (timeline) (#17403) * Add API to get issue/pull comments and events (timeline) Adds an API to get both comments and events in one endpoint with all required data. Closes go-gitea/gitea#13250 * Fix swagger * Don't show code comments (use review api instead) * fmt * Fix comment * Time -> TrackedTime * Use var directly * Add logger * Fix lint * Fix test * Add comments * fmt * [test] get issue directly by ID * Update test * Add description for changed refs * Fix build issues + lint * Fix build * Use string enums * Update swagger * Support `page` and `limit` params * fmt + swagger * Use global slices Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-01 15:12:25 +01:00
func TestAPIListIssueTimeline(t *testing.T) {
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs
2022-09-02 21:18:23 +02:00
defer tests.PrepareTestEnv(t)()
Add API to get issue/pull comments and events (timeline) (#17403) * Add API to get issue/pull comments and events (timeline) Adds an API to get both comments and events in one endpoint with all required data. Closes go-gitea/gitea#13250 * Fix swagger * Don't show code comments (use review api instead) * fmt * Fix comment * Time -> TrackedTime * Use var directly * Add logger * Fix lint * Fix test * Add comments * fmt * [test] get issue directly by ID * Update test * Add description for changed refs * Fix build issues + lint * Fix build * Use string enums * Update swagger * Support `page` and `limit` params * fmt + swagger * Use global slices Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-01 15:12:25 +01:00
// load comment
Refactor AssertExistsAndLoadBean to use generics (#20797) * Refactor AssertExistsAndLoadBean to use generics * Fix tests Co-authored-by: zeripath <art27@cantab.net>
2022-08-16 04:22:25 +02:00
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
Add API to get issue/pull comments and events (timeline) (#17403) * Add API to get issue/pull comments and events (timeline) Adds an API to get both comments and events in one endpoint with all required data. Closes go-gitea/gitea#13250 * Fix swagger * Don't show code comments (use review api instead) * fmt * Fix comment * Time -> TrackedTime * Use var directly * Add logger * Fix lint * Fix test * Add comments * fmt * [test] get issue directly by ID * Update test * Add description for changed refs * Fix build issues + lint * Fix build * Use string enums * Update swagger * Support `page` and `limit` params * fmt + swagger * Use global slices Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-01 15:12:25 +01:00
// make request
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline",
repoOwner.Name, repo.Name, issue.Index)
Remove session in api tests (#21984) It's no meaning to request an API route with session.
2022-12-02 04:39:42 +01:00
resp := MakeRequest(t, req, http.StatusOK)
Add API to get issue/pull comments and events (timeline) (#17403) * Add API to get issue/pull comments and events (timeline) Adds an API to get both comments and events in one endpoint with all required data. Closes go-gitea/gitea#13250 * Fix swagger * Don't show code comments (use review api instead) * fmt * Fix comment * Time -> TrackedTime * Use var directly * Add logger * Fix lint * Fix test * Add comments * fmt * [test] get issue directly by ID * Update test * Add description for changed refs * Fix build issues + lint * Fix build * Use string enums * Update swagger * Support `page` and `limit` params * fmt + swagger * Use global slices Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-01 15:12:25 +01:00
// check if lens of list returned by API and
// lists extracted directly from DB are the same
var comments []*api.TimelineComment
DecodeJSON(t, resp, &comments)
Move issues related files into models/issues (#19931) * Move access and repo permission to models/perm/access * fix test * fix git test * Move functions sequence * Some improvements per @KN4CK3R and @delvh * Move issues related code to models/issues * Move some issues related sub package * Merge * Fix test * Fix test * Fix test * Fix test * Rename some files
2022-06-13 11:37:59 +02:00
expectedCount := unittest.GetCount(t, &issues_model.Comment{IssueID: issue.ID})
Use more specific test methods (#24265) Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Giteabot <teabot@gitea.io>
2023-04-22 23:56:27 +02:00
assert.Len(t, comments, expectedCount)
Add API to get issue/pull comments and events (timeline) (#17403) * Add API to get issue/pull comments and events (timeline) Adds an API to get both comments and events in one endpoint with all required data. Closes go-gitea/gitea#13250 * Fix swagger * Don't show code comments (use review api instead) * fmt * Fix comment * Time -> TrackedTime * Use var directly * Add logger * Fix lint * Fix test * Add comments * fmt * [test] get issue directly by ID * Update test * Add description for changed refs * Fix build issues + lint * Fix build * Use string enums * Update swagger * Support `page` and `limit` params * fmt + swagger * Use global slices Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-01-01 15:12:25 +01:00
}
Reference in a new issue Copy permalink