[GITEA] test POST /{username}/{reponame}/{type:issues|pulls}/move_pin

Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers

(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
(cherry picked from commit 65b942fa1ee50f9098bebc8948d7924a5a4668fa)
(cherry picked from commit e140c5c983)
(cherry picked from commit 4d108fa1cf07d2ecc7a482010e75f36140657dd4)
(cherry picked from commit 9430badc5c8245b287c6ec2ba9432324c2e95417)
(cherry picked from commit 1e67f4665d6be336c09446c8698830459aad3975)
(cherry picked from commit 992e0d3218bca7f4b0f1471e3d7d64b69c33bad8)
(cherry picked from commit 0e25ca17f39aac88fc20147e54d40ee76bc70cdd)
(cherry picked from commit 3c7d9769faf4287bfe9d7366fea3bfbce48d911c)

Conflicts:
	tests/integration/issue_test.go
	https://codeberg.org/forgejo/forgejo/pulls/2119
(cherry picked from commit f6bdf76a1d45f1f100323d8e1a3749b24cf6d2d4)
(cherry picked from commit a5e527f87262722542097b69de72d96ca68cd2e6)
(cherry picked from commit be3f9a28a12c22c35fd6f95260902704a2e5b7bd)
(cherry picked from commit 836a95eab896aab6b3d9e5831186edce0f4cc7ce)
Loïc Dachary 2023-11-20 16:34:04 +01:00 committed by Earl Warren
parent efbe483057
commit 3f71a0ef02
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00


@ -579,6 +579,48 @@ func TestGetIssueInfo(t *testing.T) {
assert.EqualValues(t, issue.ID, apiIssue.ID) assert.EqualValues(t, issue.ID, apiIssue.ID)
} }
func TestIssuePinMove(t *testing.T) {
defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user2")
issueURL, issue := testIssueWithBean(t, "user2", 1, "Title", "Content")
assert.EqualValues(t, 0, issue.PinOrder)
req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/pin", issueURL), map[string]string{
"_csrf": GetCSRF(t, session, issueURL),
})
session.MakeRequest(t, req, http.StatusOK)
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
position := 1
assert.EqualValues(t, position, issue.PinOrder)
newPosition := 2
// Using the ID of an issue that does not belong to the repository must fail
{
session5 := loginUser(t, "user5")
movePinURL := "/user5/repo4/issues/move_pin?_csrf=" + GetCSRF(t, session5, issueURL)
req = NewRequestWithJSON(t, "POST", movePinURL, map[string]any{
"id": issue.ID,
"position": newPosition,
})
session5.MakeRequest(t, req, http.StatusNotFound)
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
assert.EqualValues(t, position, issue.PinOrder)
}
movePinURL := issueURL[:strings.LastIndexByte(issueURL, '/')] + "/move_pin?_csrf=" + GetCSRF(t, session, issueURL)
req = NewRequestWithJSON(t, "POST", movePinURL, map[string]any{
"id": issue.ID,
"position": newPosition,
})
session.MakeRequest(t, req, http.StatusNoContent)
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
assert.EqualValues(t, newPosition, issue.PinOrder)
}
func TestUpdateIssueDeadline(t *testing.T) { func TestUpdateIssueDeadline(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
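Review bot: The cross-repository case in TestIssuePinMove posts only to `/user5/repo4/issues/move_pin`, although the commit title names the route as `{type:issues|pulls}`, so the `pulls` variant of the identifier check is left untested. Running the block once per route type would cover it, for example `for _, kind := range []string{"issues", "pulls"} {` with `movePinURL := "/user5/repo4/" + kind + "/move_pin?_csrf=" + GetCSRF(t, session5, issueURL)`. Whether both types reach the same handler is not visible in this hunk, so the expected status for `pulls` should be confirmed against the router before asserting `http.StatusNotFound`. The reload of the issue and the `PinOrder` assertion after the rejected request should stay inside the loop, since a 404 alone does not show that the pin order was left untouched.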