From 43d49bd758e618e78cdee68fb90654e43ff8e463 Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Fri, 5 Dec 2025 10:05:58 +0800
Subject: [PATCH 1/2] allow action user have read permission in public repo like other user related #28187
Signed-off-by: a1012112796 <1012112796@qq.com>
---
 models/perm/access/repo_permission.go | 8 ++-
 .../api_actions_permission_test.go | 51 +++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 tests/integration/api_actions_permission_test.go
diff --git a/models/perm/access/repo_permission.go b/models/perm/access/repo_permission.go
index 15526cb1e6f1f..d343ae6e35f75 100644
--- a/models/perm/access/repo_permission.go
+++ b/models/perm/access/repo_permission.go
@@ -276,8 +276,14 @@ func GetActionsUserRepoPermission(ctx context.Context, repo *repo_model.Reposito
 if !actionsCfg.IsCollaborativeOwner(taskRepo.OwnerID) || !taskRepo.IsPrivate {
 // The task repo can access the current repo only if the task repo is private and
 // the owner of the task repo is a collaborative owner of the current repo.
- // FIXME allow public repo read access if tokenless pull is enabled
 // FIXME should owner's visibility also be considered here?
+
+ // check permission like simple user but limit to read-only
+ perm, err = GetUserRepoPermission(ctx, repo, user_model.NewActionsUser())
+ if err != nil {
+ return perm, err
+ }
+ perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)
 return perm, nil
 }
 accessMode = perm_model.AccessModeRead
diff --git a/tests/integration/api_actions_permission_test.go b/tests/integration/api_actions_permission_test.go
new file mode 100644
index 0000000000000..4be1e2e81e24c
--- /dev/null
+++ b/tests/integration/api_actions_permission_test.go
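Review bot: The clamp `perm.AccessMode = min(perm.AccessMode, perm_model.AccessModeRead)` caps only the top-level mode of the value returned by `GetUserRepoPermission`. If that Permission also carries per-unit modes that callers consult (its definition is outside this hunk), a unit opened for public write could still come back writable for a job token from an unrelated repo. Either cap the per-unit modes in the same place or state the assumption next to the clamp, e.g. `// read-only cap: assumes no per-unit mode can exceed AccessMode for the Actions user`. The two comment lines kept above still say the task repo gets access only when it is private and collaboratively owned, which no longer describes this branch. The function body starts and ends outside the hunk.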
@@ -0,0 +1,51 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/modules/setting"
+ api "code.gitea.io/gitea/modules/structs"
+ "code.gitea.io/gitea/modules/test"
+ "code.gitea.io/gitea/tests"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestActionUserSignIn(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequest(t, "GET", "/api/v1/user").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp := MakeRequest(t, req, http.StatusOK)
+
+ var u api.User
+ DecodeJSON(t, resp, &u)
+ assert.Equal(t, "gitea-actions", u.UserName)
+}
+
+func TestActionUserAccessPublicRepo(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
+
+ defer test.MockVariableValue(&setting.Service.RequireSignInViewStrict, true)()
+
+ req = NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.Equal(t, "file", resp.Header().Get("x-gitea-object-type"))
+}
+
+func TestActionUserNoAccessOtherPrivateRepo(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+
+ req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo2/raw/README.md").
+ AddTokenAuth("8061e833a55f6fc0157c98b883e91fcfeeb1a71a")
+ MakeRequest(t, req, http.StatusNotFound)
+}
From 33745936bbc8d7ff015872a6aa4f92b9264b56ab Mon Sep 17 00:00:00 2001
From: a1012112796 <1012112796@qq.com>
Date: Sat, 6 Dec 2025 10:59:30 +0800
Subject: [PATCH 2/2] fmt
---
 tests/integration/api_actions_permission_test.go | 1 +
 1 file changed, 1 insertion(+)
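Review bot: None of the three tests exercises the read-only cap that the permission change depends on: every request is a GET, so a regression that let the job token write to `user2/repo1` would still pass. Add a case that sends a mutating request with the same token to the public repo and asserts that it is rejected. The token literal is repeated five times without saying which fixture task, and therefore which task repo, it belongs to. A named constant with a one-line comment, e.g. `const actionsTaskToken = "8061e833a55f6fc0157c98b883e91fcfeeb1a71a" // token of fixture task <TASK_FIXTURE_ID>, task repo <TASK_REPO>`, would let a reader verify that these requests really are cross-repo.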
diff --git a/tests/integration/api_actions_permission_test.go b/tests/integration/api_actions_permission_test.go
index 4be1e2e81e24c..7aca43b2e1c34 100644
--- a/tests/integration/api_actions_permission_test.go
+++ b/tests/integration/api_actions_permission_test.go
@@ -11,6 +11,7 @@ import (
 api "code.gitea.io/gitea/modules/structs"
 "code.gitea.io/gitea/modules/test"
 "code.gitea.io/gitea/tests"
+
 "github.com/stretchr/testify/assert"
 )