Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-02-22 15:25:05 +01:00
Code Issues Activity

Fix track time list permission check

Browse Source
This commit is contained in:
Lunny Xiao 2026-02-17 12:33:43 -08:00
parent 318cb85037
commit 9342bc914f
No known key found for this signature in database
GPG Key ID: C3B7C91B632F738A
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
services/convert/issue.go
View File

@ -226,7 +226,25 @@ func ToStopWatches(ctx context.Context, doer *user_model.User, sws []*issues_mod
// ToTrackedTimeList converts TrackedTimeList to API format
func ToTrackedTimeList(ctx context.Context, doer *user_model.User, tl issues_model.TrackedTimeList) api.TrackedTimeList {
result := make([]*api.TrackedTime, 0, len(tl))
permCache := make(map[int64]access_model.Permission)
for _, t := range tl {
if t.Issue != nil {
if err := t.Issue.LoadRepo(ctx); err != nil {
continue
}
perm, ok := permCache[t.Issue.RepoID]
if !ok {
var err error
perm, err = access_model.GetUserRepoPermission(ctx, t.Issue.Repo, doer)
if err != nil {
continue
}
permCache[t.Issue.RepoID] = perm
}
if !perm.CanReadIssuesOrPulls(t.Issue.IsPull) {
continue
}
}
result = append(result, ToTrackedTime(ctx, doer, t))
}
return result

27
services/convert/issue_test.go
View File

@ -83,3 +83,30 @@ func TestToStopWatchesRespectsPermissions(t *testing.T) {
assert.Len(t, visibleAdmin, 2)
assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{visibleAdmin[0].RepoName, visibleAdmin[1].RepoName})
}
func TestToTrackedTimeListRespectsPermissions(t *testing.T) {
assert.NoError(t, unittest.PrepareTestDatabase())
ctx := t.Context()
publicIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 1})
privateIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: 3})
regularUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
publicTT := &issues_model.TrackedTime{IssueID: publicIssue.ID, UserID: regularUser.ID, Time: 3600}
privateTT := &issues_model.TrackedTime{IssueID: privateIssue.ID, UserID: regularUser.ID, Time: 1800}
assert.NoError(t, db.Insert(ctx, publicTT))
assert.NoError(t, db.Insert(ctx, privateTT))
trackedTimes := issues_model.TrackedTimeList{publicTT, privateTT}
assert.NoError(t, trackedTimes.LoadAttributes(ctx))
visible := ToTrackedTimeList(ctx, regularUser, trackedTimes)
assert.Len(t, visible, 1)
assert.Equal(t, "repo1", visible[0].Issue.Repo.Name)
visibleAdmin := ToTrackedTimeList(ctx, adminUser, trackedTimes)
assert.Len(t, visibleAdmin, 2)
assert.ElementsMatch(t, []string{"repo1", "repo3"}, []string{visibleAdmin[0].Issue.Repo.Name, visibleAdmin[1].Issue.Repo.Name})
}