From 43d49bd758e618e78cdee68fb90654e43ff8e463 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Fri, 5 Dec 2025 10:05:58 +0800
Subject: [PATCH 1/3] allow action user have read permission in public repo like other user related #28187
Signed-off-by: a1012112796 <1012112796@qq.com>
---
 models/perm/access/repo_permission.go | 8 ++-
 .../api_actions_permission_test.go | 51 +++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 tests/integration/api_actions_permission_test.go
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 15526cb1e6f1f..d343ae6e35f75 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -276,8 +276,14 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
 // The task repo can access the current repo only if the task repo is private and
 // the owner of the task repo is a collaborative owner of the current repo.
- // FIXME allow public repo read access if tokenless pull is enabled
 // FIXME should owner's visibility also be considered here?
+
+ // check permission like simple user but limit to read-only
+ perm, err = GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
+ if err != nil {
+ return perm, err
+ }
+ perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
 return perm, nil
 }
 accessMode = perm_model.AccessModeRead
diff --git a/tests/integration/api_actions_permission_test.go b/tests/integration/api_actions_permission_test.go
new file mode 100644
index 0000000000000..4be1e2e81e24c
--- /dev/null
+++ b/tests/integration/api_actions_permission_test.go
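Review bot: The cap `perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)` lowers only the repo-level mode of the Permission returned by GetUserRepoPermission. If that value also carries per-unit modes (the type is not visible in this hunk), a unit that the repository opens for writing to every signed-in user could still report write for the Actions token, so it is worth confirming that the unit-level lookup is bounded by this cap, or clamping those modes here as well. The comment kept above the new code still says the task repo can access this repo only when it is private and collaboratively owned, which no longer describes the branch; something like `// Otherwise fall back to what an ordinary user may see, capped at read.` would match the behaviour. The function body starts and ends outside the hunk.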
@@ -0,0 +1,51 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/modules/setting"
+ api "code.gitea.io/gitea/modules/structs"
+ "code.gitea.io/gitea/modules/test"
+ "code.gitea.io/gitea/tests"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestActionUserSignIn(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequest(t, "GET", "/api/v1/user").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp := MakeRequest(t, req, http.StatusOK)
+
+ var u api.User
+ DecodeJSON(t, resp, &u)
+ assert.Equal(t, "gitea-actions", u.UserName)
+}
+
+func TestActionUserAccessPublicRepo(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
+
+ defer test.MockVariableValue(&setting.Service.RequireSignInViewStrict, true)()
+
+ req = NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
+}
+
+func TestActionUserNoAccessOtherPrivateRepo(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo2/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ MakeRequest(t, req, http.StatusNotFound)
+}
From 33745936bbc8d7ff015872a6aa4f92b9264b56ab Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sat, 6 Dec 2025 10:59:30 +0800
Subject: [PATCH 2/3] fmt
---
 tests/integration/api_actions_permission_test.go | 1 +
 1 file changed, 1 insertion(+)
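Review bot: None of the three tests in this new file exercises the read-only cap itself: every request is a GET, so a regression that let the Actions token write to an unrelated public repository would still pass. A case that sends a write request to `user2/repo1` with the same token and expects it to be rejected would pin the `min(perm.AccessMode, perm_model.AccessModeRead)` line in repo_permission.go. The literal `8061e833a55f6fc0157c98b883e91fcfeeb1a71a` is also repeated in every request; a named constant with a comment saying which fixture task it belongs to would make clear that it is test data and which task repo the permission check evaluates.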
diff --git a/tests/integration/api_actions_permission_test.go b/tests/integration/api_actions_permission_test.go
index 4be1e2e81e24c..7aca43b2e1c34 100644
--- a/tests/integration/api_actions_permission_test.go
+++ b/tests/integration/api_actions_permission_test.go
@@ -11,6 +11,7 @@ import (
 api "code.gitea.io/gitea/modules/structs"
 "code.gitea.io/gitea/modules/test"
 "code.gitea.io/gitea/tests"
+
 "github.com/stretchr/testify/assert"
 )
 
From 7442b26a3fb71469c1b06f50710cd5fd0f45f2d8 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sun, 7 Dec 2025 15:04:47 +0800
Subject: [PATCH 3/3] simple test
---
 .../api_actions_permission_test.go | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/tests/integration/api_actions_permission_test.go b/tests/integration/api_actions_permission_test.go
index 7aca43b2e1c34..072e2635a9660 100644
--- a/tests/integration/api_actions_permission_test.go
+++ b/tests/integration/api_actions_permission_test.go
@@ -15,9 +15,7 @@ import (
 "github.com/stretchr/testify/assert"
 )
 
-func TestActionUserSignIn(t *testing.T) {
- defer tests.PrepareTestEnv(t)()
-
+func testActionUserSignIn(t *testing.T) {
 req := NewRequest(t, "GET", "/api/v1/user").
 AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 resp := MakeRequest(t, req, http.StatusOK)
@@ -27,9 +25,7 @@ func TestActionUserSignIn(t *testing.T) {
 assert.Equal(t, "gitea-actions", u.UserName)
 }
 
-func TestActionUserAccessPublicRepo(t *testing.T) {
- defer tests.PrepareTestEnv(t)()
-
+func testActionUserAccessPublicRepo(t *testing.T) {
 req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
 AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 resp := MakeRequest(t, req, http.StatusOK)
@@ -43,10 +39,16 @@ func TestActionUserAccessPublicRepo(t *testing.T) {
 assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
 }
 
-func TestActionUserNoAccessOtherPrivateRepo(t *testing.T) {
- defer tests.PrepareTestEnv(t)()
-
+func testActionUserNoAccessOtherPrivateRepo(t *testing.T) {
 req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo2/raw/README.md").
 AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
 MakeRequest(t, req, http.StatusNotFound)
 }
+
+func TestActionUserAccessPermission(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ t.Run("ActionUserSignIn", testActionUserSignIn)
+ t.Run("ActionUserAccessPublicRepo", testActionUserAccessPublicRepo)
+ t.Run("ActionUserNoAccessOtherPrivateRepo", testActionUserNoAccessOtherPrivateRepo)
+}
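Review bot: testActionUserNoAccessOtherPrivateRepo asserts only `http.StatusNotFound`, which is presumably also what the endpoint returns when `user2/repo2` simply has no `README.md`, so the test cannot tell a permission denial from a missing file. A positive control would make the 404 meaningful: fetch the same path with the token of a user who is allowed to read the repository and expect `http.StatusOK`. Since the three subtests now share one environment from `tests.PrepareTestEnv`, a short comment on TestActionUserAccessPermission stating that they are read-only and order-independent would help the next person who adds a mutating case.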