sascha
/
gitea
mirror of https://github.com/go-gitea/gitea.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

allow action user have read permission in public repo like other user (#36095) 

related #28187

---------

Signed-off-by: a1012112796 <1012112796@qq.com>
pull/35337/head^2
a1012112796 2025-12-08 02:07:04 +07:00 committed by GitHub
parent b41ccb0627
commit 98ef79d73a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
models/perm/access/repo_permission.go
Unescape Escape View File

@ -276,8 +276,14 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate { if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
// The task repo can access the current repo only if the task repo is private and // The task repo can access the current repo only if the task repo is private and
// the owner of the task repo is a collaborative owner of the current repo. // the owner of the task repo is a collaborative owner of the current repo.
// FIXME allow public repo read access if tokenless pull is enabled
// FIXME should owner's visibility also be considered here? // FIXME should owner's visibility also be considered here?
// check permission like simple user but limit to read-only
perm, err = GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
if err != nil {
return perm, err
}
perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
return perm, nil return perm, nil
} }
accessMode = perm_model.AccessModeRead accessMode = perm_model.AccessModeRead

54
tests/integration/api_actions_permission_test.go
Unescape Escape View File

@ -0,0 +1,54 @@
// Copyright 2025 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"net/http"
"testing"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/test"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert"
)
func testActionUserSignIn(t *testing.T) {
req := NewRequest(t, "GET", "/api/v1/user").
AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
resp := MakeRequest(t, req, http.StatusOK)
var u api.User
DecodeJSON(t, resp, &u)
assert.Equal(t, "gitea-actions", u.UserName)
}
func testActionUserAccessPublicRepo(t *testing.T) {
req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
resp := MakeRequest(t, req, http.StatusOK)
assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
defer test.MockVariableValue(&setting.Service.RequireSignInViewStrict, true)()
req = NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
resp = MakeRequest(t, req, http.StatusOK)
assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
}
func testActionUserNoAccessOtherPrivateRepo(t *testing.T) {
req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo2/raw/README.md").
AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
MakeRequest(t, req, http.StatusNotFound)
}
func TestActionUserAccessPermission(t *testing.T) {
defer tests.PrepareTestEnv(t)()
t.Run("ActionUserSignIn", testActionUserSignIn)
t.Run("ActionUserAccessPublicRepo", testActionUserAccessPublicRepo)
t.Run("ActionUserNoAccessOtherPrivateRepo", testActionUserNoAccessOtherPrivateRepo)
}