[GITEA] test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
Refs: https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
(cherry picked from commit 65b942fa1e)
(cherry picked from commit e140c5c983)
(cherry picked from commit 4d108fa1cf)
(cherry picked from commit 9430badc5c)
(cherry picked from commit 1e67f4665d)
parent
d54d5952f2
commit
992e0d3218
|
@ -607,3 +607,45 @@ func TestUpdateIssueDeadline(t *testing.T) {
|
||||||
|
|
||||||
assert.EqualValues(t, "2022-04-06", apiIssue.Deadline.Format("2006-01-02"))
|
assert.EqualValues(t, "2022-04-06", apiIssue.Deadline.Format("2006-01-02"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestIssuePinMove(t *testing.T) {
|
||||||
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
session := loginUser(t, "user2")
|
||||||
|
issueURL, issue := testIssueWithBean(t, "user2", 1, "Title", "Content")
|
||||||
|
assert.EqualValues(t, 0, issue.PinOrder)
|
||||||
|
|
||||||
|
req := NewRequestWithValues(t, "POST", fmt.Sprintf("%s/pin", issueURL), map[string]string{
|
||||||
|
"_csrf": GetCSRF(t, session, issueURL),
|
||||||
|
})
|
||||||
|
session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
|
||||||
|
|
||||||
|
position := 1
|
||||||
|
assert.EqualValues(t, position, issue.PinOrder)
|
||||||
|
|
||||||
|
newPosition := 2
|
||||||
|
|
||||||
|
// Using the ID of an issue that does not belong to the repository must fail
|
||||||
|
{
|
||||||
|
session5 := loginUser(t, "user5")
|
||||||
|
movePinURL := "/user5/repo4/issues/move_pin?_csrf=" + GetCSRF(t, session5, issueURL)
|
||||||
|
req = NewRequestWithJSON(t, "POST", movePinURL, map[string]any{
|
||||||
|
"id": issue.ID,
|
||||||
|
"position": newPosition,
|
||||||
|
})
|
||||||
|
session5.MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
|
||||||
|
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
|
||||||
|
assert.EqualValues(t, position, issue.PinOrder)
|
||||||
|
}
|
||||||
|
|
||||||
|
movePinURL := issueURL[:strings.LastIndexByte(issueURL, '/')] + "/move_pin?_csrf=" + GetCSRF(t, session, issueURL)
|
||||||
|
req = NewRequestWithJSON(t, "POST", movePinURL, map[string]any{
|
||||||
|
"id": issue.ID,
|
||||||
|
"position": newPosition,
|
||||||
|
})
|
||||||
|
session.MakeRequest(t, req, http.StatusNoContent)
|
||||||
|
|
||||||
|
issue = unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: issue.ID})
|
||||||
|
assert.EqualValues(t, newPosition, issue.PinOrder)
|
||||||
|
}
|
||||||
|
|
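Review bot: The cross-repository case in `TestIssuePinMove` only exercises `/user5/repo4/issues/move_pin`, while the commit title names the route as `{type:issues|pulls}`, so the `pulls` variant gets no negative check and a regression that scopes the lookup for only one type would pass this test. Consider repeating the block with a pull request's ID against the `pulls` path. The block would also benefit from saying why 404 is the expected status, for example `// user5 can write to repo4, so the 404 must come from the repository-scoped issue lookup, not from a permission check`; that assumes the fixtures give user5 write access to repo4, which is not visible in this hunk. The follow-up assertion that `issue.PinOrder` still equals `position` is the part that proves no state changed and should be kept in any added case.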