diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go index 62237e2be3..da748942f6 100644 --- a/integrations/api_repo_test.go +++ b/integrations/api_repo_test.go @@ -212,21 +212,46 @@ func TestAPIViewRepo(t *testing.T) { func TestAPIOrgRepos(t *testing.T) { prepareTestEnv(t) user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User) + user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User) + user3 := models.AssertExistsAndLoadBean(t, &models.User{ID: 5}).(*models.User) // User3 is an Org. Check their repos. sourceOrg := models.AssertExistsAndLoadBean(t, &models.User{ID: 3}).(*models.User) - // Login as User2. - session := loginUser(t, user.Name) - token := getTokenForLoggedInUser(t, session) - req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name) - resp := session.MakeRequest(t, req, http.StatusOK) - var apiRepos []*api.Repository - DecodeJSON(t, resp, &apiRepos) - expectedLen := models.GetCount(t, models.Repository{OwnerID: sourceOrg.ID}, - models.Cond("is_private = ?", false)) - assert.Len(t, apiRepos, expectedLen) - for _, repo := range apiRepos { - assert.False(t, repo.Private) + expectedResults := map[*models.User]struct { + count int + includesPrivate bool + }{ + nil: {count: 1}, + user: {count: 2, includesPrivate: true}, + user2: {count: 3, includesPrivate: true}, + user3: {count: 1}, + } + + for userToLogin, expected := range expectedResults { + var session *TestSession + var testName string + var token string + if userToLogin != nil && userToLogin.ID > 0 { + testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID) + session = loginUser(t, userToLogin.Name) + token = getTokenForLoggedInUser(t, session) + } else { + testName = "AnonymousUser" + session = emptyTestSession(t) + } + t.Run(testName, func(t *testing.T) { + req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name) + resp := session.MakeRequest(t, req, http.StatusOK) + + var apiRepos []*api.Repository + DecodeJSON(t, resp, &apiRepos) + assert.Len(t, apiRepos, expected.count) + for _, repo := range apiRepos { + if !expected.includesPrivate { + assert.False(t, repo.Private) + } + } + }) } } diff --git a/routers/api/v1/user/repo.go b/routers/api/v1/user/repo.go index 38fe76cad4..5dccfac960 100644 --- a/routers/api/v1/user/repo.go +++ b/routers/api/v1/user/repo.go @@ -11,14 +11,13 @@ import ( ) // listUserRepos - List the repositories owned by the given user. -func listUserRepos(ctx *context.APIContext, u *models.User) { - showPrivateRepos := ctx.IsSigned && (ctx.User.ID == u.ID || ctx.User.IsAdmin) - repos, err := models.GetUserRepositories(u.ID, showPrivateRepos, 1, u.NumRepos, "") +func listUserRepos(ctx *context.APIContext, u *models.User, private bool) { + repos, err := models.GetUserRepositories(u.ID, private, 1, u.NumRepos, "") if err != nil { ctx.Error(500, "GetUserRepositories", err) return } - apiRepos := make([]*api.Repository, len(repos)) + apiRepos := make([]*api.Repository, 0, len(repos)) var ctxUserID int64 if ctx.User != nil { ctxUserID = ctx.User.ID @@ -29,7 +28,9 @@ func listUserRepos(ctx *context.APIContext, u *models.User) { ctx.Error(500, "AccessLevel", err) return } - apiRepos[i] = repos[i].APIFormat(access) + if ctx.IsSigned && ctx.User.IsAdmin || access >= models.AccessModeRead { + apiRepos = append(apiRepos, repos[i].APIFormat(access)) + } } ctx.JSON(200, &apiRepos) } @@ -54,7 +55,8 @@ func ListUserRepos(ctx *context.APIContext) { if ctx.Written() { return } - listUserRepos(ctx, user) + private := ctx.IsSigned && (ctx.User.ID == user.ID || ctx.User.IsAdmin) + listUserRepos(ctx, user, private) } // ListMyRepos - list the repositories you own or have access to. @@ -106,5 +108,5 @@ func ListOrgRepos(ctx *context.APIContext) { // responses: // "200": // "$ref": "#/responses/RepositoryList" - listUserRepos(ctx, ctx.Org.Organization) + listUserRepos(ctx, ctx.Org.Organization, ctx.IsSigned) }