fix: require code permissions for branch feed

- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.

(cherry picked from commit 3e3ef76808)

routers/web/web.go

@@ -1562,8 +1562,10 @@ func registerRoutes(m *web.Route) {
 			m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
 		}, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
 
-		m.Get("/rss/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("rss"))
-		m.Get("/atom/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("atom"))
+		m.Group("", func() {
+			m.Get("/rss/branch/*", feed.RenderBranchFeed("rss"))
+			m.Get("/atom/branch/*", feed.RenderBranchFeed("atom"))
+		}, repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), reqRepoCodeReader, feedEnabled)
 
 		m.Group("/src", func() {
 			m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)

tests/integration/api_feed_user_test.go

@@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("View permission", func(t *testing.T) {
+		t.Run("Anomynous", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("No code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user8")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("With code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user9")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusOK)
+		})
+	})
 }

tests/integration/fixtures/TestFeed/team.yml

@@ -0,0 +1,21 @@
+-
+  id: 1001
+  org_id: 3
+  lower_name: no_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false
+
+-
+  id: 1002
+  org_id: 3
+  lower_name: read_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false

tests/integration/fixtures/TestFeed/team_repo.yml

@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  repo_id: 3
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  repo_id: 3

tests/integration/fixtures/TestFeed/team_unit.yml

@@ -0,0 +1,83 @@
+-
+  id: 1001
+  team_id: 1001
+  type: 1
+  access_mode: 0
+
+-
+  id: 1002
+  team_id: 1001
+  type: 2
+  access_mode: 1
+
+-
+  id: 1003
+  team_id: 1001
+  type: 3
+  access_mode: 1
+
+-
+  id: 1004
+  team_id: 1001
+  type: 4
+  access_mode: 1
+
+-
+  id: 1005
+  team_id: 1001
+  type: 5
+  access_mode: 1
+
+-
+  id: 1006
+  team_id: 1001
+  type: 6
+  access_mode: 1
+
+-
+  id: 1007
+  team_id: 1001
+  type: 7
+  access_mode: 1
+
+-
+  id: 1008
+  team_id: 1002
+  type: 1
+  access_mode: 1
+
+-
+  id: 1009
+  team_id: 1002
+  type: 2
+  access_mode: 1
+
+-
+  id: 1010
+  team_id: 1002
+  type: 3
+  access_mode: 1
+
+-
+  id: 1011
+  team_id: 1002
+  type: 4
+  access_mode: 1
+
+-
+  id: 1012
+  team_id: 1002
+  type: 5
+  access_mode: 1
+
+-
+  id: 1013
+  team_id: 1002
+  type: 6
+  access_mode: 1
+
+-
+  id: 1014
+  team_id: 1002
+  type: 7
+  access_mode: 1

tests/integration/fixtures/TestFeed/team_user.yml

@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  uid: 8
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  uid: 9