mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-25 18:03:04 -04:00
a4642af51a
Some checks are pending
/ release (push) Waiting to run
testing-integration / test-unit (push) Waiting to run
testing-integration / test-sqlite (push) Waiting to run
testing-integration / test-mariadb (v10.6) (push) Waiting to run
testing-integration / test-mariadb (v11.8) (push) Waiting to run
testing / backend-checks (push) Waiting to run
testing / frontend-checks (push) Waiting to run
testing / test-unit (push) Blocked by required conditions
testing / test-e2e (push) Blocked by required conditions
testing / test-remote-cacher (redis) (push) Blocked by required conditions
testing / test-remote-cacher (valkey) (push) Blocked by required conditions
testing / test-remote-cacher (garnet) (push) Blocked by required conditions
testing / test-remote-cacher (redict) (push) Blocked by required conditions
testing / test-mysql (push) Blocked by required conditions
testing / test-pgsql (push) Blocked by required conditions
testing / test-sqlite (push) Blocked by required conditions
testing / security-check (push) Blocked by required conditions
Replace the anti-CSRF token with a [cross origin protection by Go](https://go.dev/doc/go1.25#nethttppkgnethttp) that uses a stateless way of verifying if a request was cross origin or not. This allows is to remove al lot of code and replace it with a few lines of code and we no longer have to hand roll this protection. The new protection uses indicators by the browser itself that indicate if the request is cross-origin, thus we no longer have to take care of ensuring the generated CSRF token is passed back to the server any request by the the browser will have send this indicator. Resolves forgejo/forgejo#3538 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9830 Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org> Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
61 lines
2.7 KiB
Go
61 lines
2.7 KiB
Go
// Copyright 2024 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
"forgejo.org/modules/translation"
|
|
"forgejo.org/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// This test makes sure that organization members are able to navigate between `/<orgname>` and `/org/<orgname>/<section>` freely.
|
|
// The `/org/<orgname>/<section>` page is only accessible to the members of the organization. It doesn't have
|
|
// a special logic to show the button or not.
|
|
// The `/<orgname>` page utilizes the `IsOrganizationMember` function to show the button for navigation to
|
|
// the organization dashboard. That function is covered by a test and is supposed to be true for the
|
|
// owners/admins/members of the organization.
|
|
func TestOrgNavigationDashboard(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
locale := translation.NewLocale("en-US")
|
|
|
|
// Login as the future organization admin and create an organization
|
|
session1 := loginUser(t, "user2")
|
|
session1.MakeRequest(t, NewRequestWithValues(t, "POST", "/org/create", map[string]string{
|
|
"org_name": "org_navigation_test",
|
|
"visibility": "0",
|
|
"repo_admin_change_team_access": "on",
|
|
}), http.StatusSeeOther)
|
|
|
|
// Check if the "Open dashboard" button is available to the org admin (member)
|
|
resp := session1.MakeRequest(t, NewRequest(t, "GET", "/org_navigation_test"), http.StatusOK)
|
|
doc := NewHTMLParser(t, resp.Body)
|
|
doc.AssertElement(t, "#org-info a[href='/org/org_navigation_test/dashboard']", true)
|
|
|
|
// Verify the "New repository" and "New migration" buttons
|
|
links := doc.Find(".organization.profile .grid .column .center")
|
|
assert.Equal(t, locale.TrString("new_repo.link"), strings.TrimSpace(links.Find("a[href^='/repo/create?org=']").Text()))
|
|
assert.Equal(t, locale.TrString("new_migrate.link"), strings.TrimSpace(links.Find("a[href^='/repo/migrate?org=']").Text()))
|
|
|
|
// Check if the "View <orgname>" button is available on dashboard for the org admin (member)
|
|
resp = session1.MakeRequest(t, NewRequest(t, "GET", "/org/org_navigation_test/dashboard"), http.StatusOK)
|
|
doc = NewHTMLParser(t, resp.Body)
|
|
doc.AssertElement(t, ".dashboard .secondary-nav a[href='/org_navigation_test']", true)
|
|
|
|
// Login a non-member user
|
|
session2 := loginUser(t, "user4")
|
|
|
|
// Check if the "Open dashboard" button is available to non-member
|
|
resp = session2.MakeRequest(t, NewRequest(t, "GET", "/org_navigation_test"), http.StatusOK)
|
|
doc = NewHTMLParser(t, resp.Body)
|
|
doc.AssertElement(t, "#org-info a[href='/org/org_navigation_test/dashboard']", false)
|
|
|
|
// There's no need to test "View <orgname>" button on dashboard as non-member
|
|
// because this page is not supposed to be visitable for this user
|
|
}
|