[MODERATION] QoL improvements (squash)

- Ensure that organisations cannot be blocked. It currently has no
effect, as all blocked operations cannot be executed from an
organisation standpoint.
- Refactored the API route to make use of the `UserAssignmentAPI`
middleware.
- Make more use of `t.Run` so that the test code is more clear about
which block of code belongs to which test case.
- Added more integration testing (to ensure the organisations cannot be
blocked and some authorization/permission checks).
This commit is contained in:
Gusted 2023-08-07 16:00:55 +02:00 committed by Gusted
parent 2bdcb83fb2
commit e9d638d075
8 changed files with 266 additions and 56 deletions

View file

@ -902,8 +902,10 @@ func Routes() *web.Route {
m.Group("", func() { m.Group("", func() {
m.Get("/list_blocked", user.ListBlockedUsers) m.Get("/list_blocked", user.ListBlockedUsers)
m.Group("", func() {
m.Put("/block/{username}", user.BlockUser) m.Put("/block/{username}", user.BlockUser)
m.Put("/unblock/{username}", user.UnblockUser) m.Put("/unblock/{username}", user.UnblockUser)
}, context_service.UserAssignmentAPI())
}) })
m.Group("/avatar", func() { m.Group("/avatar", func() {
@ -1336,9 +1338,11 @@ func Routes() *web.Route {
m.Get("/activities/feeds", org.ListOrgActivityFeeds) m.Get("/activities/feeds", org.ListOrgActivityFeeds)
m.Group("", func() { m.Group("", func() {
m.Get("/list_blocked", reqToken(), reqOrgOwnership(), org.ListBlockedUsers) m.Get("/list_blocked", org.ListBlockedUsers)
m.Put("/block/{username}", reqToken(), reqOrgOwnership(), org.BlockUser) m.Group("", func() {
m.Put("/unblock/{username}", reqToken(), reqOrgOwnership(), org.UnblockUser) m.Put("/block/{username}", org.BlockUser)
m.Put("/unblock/{username}", org.UnblockUser)
}, context_service.UserAssignmentAPI())
}, reqToken(), reqOrgOwnership()) }, reqToken(), reqOrgOwnership())
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(true)) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(true))
m.Group("/teams/{teamid}", func() { m.Group("/teams/{teamid}", func() {

View file

@ -5,6 +5,7 @@
package org package org
import ( import (
"fmt"
"net/http" "net/http"
activities_model "code.gitea.io/gitea/models/activities" activities_model "code.gitea.io/gitea/models/activities"
@ -499,13 +500,15 @@ func BlockUser(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "422":
// "$ref": "#/responses/validationError"
user := user.GetUserByParams(ctx) if ctx.ContextUser.IsOrganization() {
if ctx.Written() { ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", ctx.ContextUser.Name))
return return
} }
utils.BlockUser(ctx, ctx.Org.Organization.AsUser(), user) utils.BlockUser(ctx, ctx.Org.Organization.AsUser(), ctx.ContextUser)
} }
// UnblockUser unblocks a user from the organization. // UnblockUser unblocks a user from the organization.
@ -531,11 +534,13 @@ func UnblockUser(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "422":
// "$ref": "#/responses/validationError"
user := user.GetUserByParams(ctx) if ctx.ContextUser.IsOrganization() {
if ctx.Written() { ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", ctx.ContextUser.Name))
return return
} }
utils.UnblockUser(ctx, ctx.Org.Organization.AsUser(), user) utils.UnblockUser(ctx, ctx.Org.Organization.AsUser(), ctx.ContextUser)
} }

View file

@ -5,6 +5,7 @@
package user package user
import ( import (
"fmt"
"net/http" "net/http"
activities_model "code.gitea.io/gitea/models/activities" activities_model "code.gitea.io/gitea/models/activities"
@ -244,13 +245,15 @@ func BlockUser(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "422":
// "$ref": "#/responses/validationError"
user := GetUserByParams(ctx) if ctx.ContextUser.IsOrganization() {
if ctx.Written() { ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", ctx.ContextUser.Name))
return return
} }
utils.BlockUser(ctx, ctx.Doer, user) utils.BlockUser(ctx, ctx.Doer, ctx.ContextUser)
} }
// UnblockUser unblocks a user from the doer. // UnblockUser unblocks a user from the doer.
@ -271,11 +274,13 @@ func UnblockUser(ctx *context.APIContext) {
// "$ref": "#/responses/empty" // "$ref": "#/responses/empty"
// "404": // "404":
// "$ref": "#/responses/notFound" // "$ref": "#/responses/notFound"
// "422":
// "$ref": "#/responses/validationError"
user := GetUserByParams(ctx) if ctx.ContextUser.IsOrganization() {
if ctx.Written() { ctx.Error(http.StatusUnprocessableEntity, "", fmt.Errorf("%s is an organization not a user", ctx.ContextUser.Name))
return return
} }
utils.UnblockUser(ctx, ctx.Doer, user) utils.UnblockUser(ctx, ctx.Doer, ctx.ContextUser)
} }

View file

@ -4,6 +4,7 @@
package setting package setting
import ( import (
"fmt"
"net/http" "net/http"
"strings" "strings"
@ -41,6 +42,11 @@ func BlockedUsersBlock(ctx *context.Context) {
return return
} }
if u.IsOrganization() {
ctx.ServerError("IsOrganization", fmt.Errorf("%s is an organization not a user", u.Name))
return
}
if err := user_service.BlockUser(ctx, ctx.Org.Organization.ID, u.ID); err != nil { if err := user_service.BlockUser(ctx, ctx.Org.Organization.ID, u.ID); err != nil {
ctx.ServerError("BlockUser", err) ctx.ServerError("BlockUser", err)
return return
@ -52,8 +58,19 @@ func BlockedUsersBlock(ctx *context.Context) {
// BlockedUsersUnblock unblocks a particular user from the organization. // BlockedUsersUnblock unblocks a particular user from the organization.
func BlockedUsersUnblock(ctx *context.Context) { func BlockedUsersUnblock(ctx *context.Context) {
if err := user_model.UnblockUser(ctx, ctx.Org.Organization.ID, ctx.FormInt64("user_id")); err != nil { u, err := user_model.GetUserByID(ctx, ctx.FormInt64("user_id"))
ctx.ServerError("BlockUser", err) if err != nil {
ctx.ServerError("GetUserByID", err)
return
}
if u.IsOrganization() {
ctx.ServerError("IsOrganization", fmt.Errorf("%s is an organization not a user", u.Name))
return
}
if err := user_model.UnblockUser(ctx, ctx.Org.Organization.ID, u.ID); err != nil {
ctx.ServerError("UnblockUser", err)
return return
} }

View file

@ -287,7 +287,15 @@ func prepareUserProfileTabData(ctx *context.Context, showPrivate bool, profileGi
func Action(ctx *context.Context) { func Action(ctx *context.Context) {
var err error var err error
var redirectViaJSON bool var redirectViaJSON bool
switch ctx.FormString("action") { action := ctx.FormString("action")
if ctx.ContextUser.IsOrganization() && (action == "block" || action == "unblock") {
log.Error("Cannot perform this action on an organization %q", ctx.FormString("action"))
ctx.JSONError(fmt.Sprintf("Action %q failed", ctx.FormString("action")))
return
}
switch action {
case "follow": case "follow":
err = user_model.FollowUser(ctx, ctx.Doer.ID, ctx.ContextUser.ID) err = user_model.FollowUser(ctx, ctx.Doer.ID, ctx.ContextUser.ID)
case "unfollow": case "unfollow":

View file

@ -1687,6 +1687,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"422": {
"$ref": "#/responses/validationError"
} }
} }
} }
@ -2589,6 +2592,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"422": {
"$ref": "#/responses/validationError"
} }
} }
} }
@ -14100,6 +14106,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"422": {
"$ref": "#/responses/validationError"
} }
} }
} }
@ -15210,6 +15219,9 @@
}, },
"404": { "404": {
"$ref": "#/responses/notFound" "$ref": "#/responses/notFound"
},
"422": {
"$ref": "#/responses/validationError"
} }
} }
} }

View file

@ -58,6 +58,26 @@ func TestAPIUserBlock(t *testing.T) {
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 4, BlockID: 2}) unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 4, BlockID: 2})
}) })
t.Run("Organization as target", func(t *testing.T) {
org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 26, Type: user_model.UserTypeOrganization})
t.Run("Block", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/block/%s?token=%s", org.Name, token))
MakeRequest(t, req, http.StatusUnprocessableEntity)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 4, BlockID: org.ID})
})
t.Run("Unblock", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/unblock/%s?token=%s", org.Name, token))
MakeRequest(t, req, http.StatusUnprocessableEntity)
})
})
} }
func TestAPIOrgBlock(t *testing.T) { func TestAPIOrgBlock(t *testing.T) {
@ -99,6 +119,73 @@ func TestAPIOrgBlock(t *testing.T) {
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 6, BlockID: 2}) unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 6, BlockID: 2})
}) })
t.Run("Organization as target", func(t *testing.T) {
targetOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 26, Type: user_model.UserTypeOrganization})
t.Run("Block", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/orgs/%s/block/%s?token=%s", org, targetOrg.Name, token))
MakeRequest(t, req, http.StatusUnprocessableEntity)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 4, BlockID: targetOrg.ID})
})
t.Run("Unblock", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/orgs/%s/unblock/%s?token=%s", org, targetOrg.Name, token))
MakeRequest(t, req, http.StatusUnprocessableEntity)
})
})
t.Run("Read scope token", func(t *testing.T) {
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
t.Run("Write action", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/orgs/%s/block/user2?token=%s", org, token))
MakeRequest(t, req, http.StatusForbidden)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 6, BlockID: 2})
})
t.Run("Read action", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/orgs/%s/list_blocked?token=%s", org, token))
MakeRequest(t, req, http.StatusOK)
})
})
t.Run("Not as owner", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
org := "user3"
user := "user4" // Part of org team with write perms.
session := loginUser(t, user)
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
t.Run("Block user", func(t *testing.T) {
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/orgs/%s/block/user2?token=%s", org, token))
MakeRequest(t, req, http.StatusForbidden)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{UserID: 3, BlockID: 2})
})
t.Run("Unblock user", func(t *testing.T) {
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/orgs/%s/unblock/user2?token=%s", org, token))
MakeRequest(t, req, http.StatusForbidden)
})
t.Run("List blocked users", func(t *testing.T) {
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/orgs/%s/list_blocked?token=%s", org, token))
MakeRequest(t, req, http.StatusForbidden)
})
})
} }
// TestAPIBlock_AddCollaborator ensures that the doer and blocked user cannot // TestAPIBlock_AddCollaborator ensures that the doer and blocked user cannot

View file

@ -50,10 +50,16 @@ func TestBlockUser(t *testing.T) {
doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 8}) doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 8})
blockedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) blockedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
session := loginUser(t, doer.Name)
t.Run("Block", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
BlockUser(t, doer, blockedUser) BlockUser(t, doer, blockedUser)
})
// Unblock user. // Unblock user.
session := loginUser(t, doer.Name) t.Run("Unblock", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", "/"+blockedUser.Name, map[string]string{ req := NewRequestWithValues(t, "POST", "/"+blockedUser.Name, map[string]string{
"_csrf": GetCSRF(t, session, "/"+blockedUser.Name), "_csrf": GetCSRF(t, session, "/"+blockedUser.Name),
"action": "unblock", "action": "unblock",
@ -63,6 +69,32 @@ func TestBlockUser(t *testing.T) {
loc := resp.Header().Get("Location") loc := resp.Header().Get("Location")
assert.EqualValues(t, "/"+blockedUser.Name, loc) assert.EqualValues(t, "/"+blockedUser.Name, loc)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: doer.ID}) unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: doer.ID})
})
t.Run("Organization as target", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
targetOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
t.Run("Block", func(t *testing.T) {
req := NewRequestWithValues(t, "POST", "/"+targetOrg.Name, map[string]string{
"_csrf": GetCSRF(t, session, "/"+targetOrg.Name),
"action": "block",
})
resp := session.MakeRequest(t, req, http.StatusBadRequest)
assert.Contains(t, resp.Body.String(), "Action \\\"block\\\" failed")
})
t.Run("Unblock", func(t *testing.T) {
req := NewRequestWithValues(t, "POST", "/"+targetOrg.Name, map[string]string{
"_csrf": GetCSRF(t, session, "/"+targetOrg.Name),
"action": "unblock",
})
resp := session.MakeRequest(t, req, http.StatusBadRequest)
assert.Contains(t, resp.Body.String(), "Action \\\"unblock\\\" failed")
})
})
} }
func TestBlockIssueCreation(t *testing.T) { func TestBlockIssueCreation(t *testing.T) {
@ -167,24 +199,31 @@ func TestBlockFollow(t *testing.T) {
BlockUser(t, doer, blockedUser) BlockUser(t, doer, blockedUser)
// Doer cannot follow blocked user. // Doer cannot follow blocked user.
t.Run("Doer follow blocked user", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
session := loginUser(t, doer.Name) session := loginUser(t, doer.Name)
req := NewRequestWithValues(t, "POST", "/"+blockedUser.Name, map[string]string{ req := NewRequestWithValues(t, "POST", "/"+blockedUser.Name, map[string]string{
"_csrf": GetCSRF(t, session, "/"+blockedUser.Name), "_csrf": GetCSRF(t, session, "/"+blockedUser.Name),
"action": "follow", "action": "follow",
}) })
session.MakeRequest(t, req, http.StatusSeeOther) session.MakeRequest(t, req, http.StatusSeeOther)
unittest.AssertNotExistsBean(t, &user_model.Follow{UserID: doer.ID, FollowID: blockedUser.ID}) unittest.AssertNotExistsBean(t, &user_model.Follow{UserID: doer.ID, FollowID: blockedUser.ID})
})
// Blocked user cannot follow doer. // Blocked user cannot follow doer.
session = loginUser(t, blockedUser.Name) t.Run("Blocked user follow doer", func(t *testing.T) {
req = NewRequestWithValues(t, "POST", "/"+doer.Name, map[string]string{ defer tests.PrintCurrentTest(t)()
session := loginUser(t, blockedUser.Name)
req := NewRequestWithValues(t, "POST", "/"+doer.Name, map[string]string{
"_csrf": GetCSRF(t, session, "/"+doer.Name), "_csrf": GetCSRF(t, session, "/"+doer.Name),
"action": "follow", "action": "follow",
}) })
session.MakeRequest(t, req, http.StatusSeeOther) session.MakeRequest(t, req, http.StatusSeeOther)
unittest.AssertNotExistsBean(t, &user_model.Follow{UserID: blockedUser.ID, FollowID: doer.ID}) unittest.AssertNotExistsBean(t, &user_model.Follow{UserID: blockedUser.ID, FollowID: doer.ID})
})
} }
// TestBlockUserFromOrganization ensures that an organisation can block and unblock an user. // TestBlockUserFromOrganization ensures that an organisation can block and unblock an user.
@ -195,21 +234,54 @@ func TestBlockUserFromOrganization(t *testing.T) {
blockedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) blockedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17, Type: user_model.UserTypeOrganization}) org := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 17, Type: user_model.UserTypeOrganization})
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID}) unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID})
session := loginUser(t, doer.Name) session := loginUser(t, doer.Name)
t.Run("Block user", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/block", map[string]string{ req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/block", map[string]string{
"_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"), "_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"),
"uname": blockedUser.Name, "uname": blockedUser.Name,
}) })
session.MakeRequest(t, req, http.StatusSeeOther) session.MakeRequest(t, req, http.StatusSeeOther)
assert.True(t, unittest.BeanExists(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID})) assert.True(t, unittest.BeanExists(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID}))
})
req = NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/unblock", map[string]string{ t.Run("Unblock user", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/unblock", map[string]string{
"_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"), "_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"),
"user_id": strconv.FormatInt(blockedUser.ID, 10), "user_id": strconv.FormatInt(blockedUser.ID, 10),
}) })
session.MakeRequest(t, req, http.StatusSeeOther) session.MakeRequest(t, req, http.StatusSeeOther)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID}) unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: org.ID})
})
t.Run("Organization as target", func(t *testing.T) {
targetOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 3, Type: user_model.UserTypeOrganization})
t.Run("Block", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/block", map[string]string{
"_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"),
"uname": targetOrg.Name,
})
session.MakeRequest(t, req, http.StatusInternalServerError)
unittest.AssertNotExistsBean(t, &user_model.BlockedUser{BlockID: blockedUser.ID, UserID: targetOrg.ID})
})
t.Run("Unblock", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
req := NewRequestWithValues(t, "POST", org.OrganisationLink()+"/settings/blocked_users/unblock", map[string]string{
"_csrf": GetCSRF(t, session, org.OrganisationLink()+"/settings/blocked_users"),
"user_id": strconv.FormatInt(targetOrg.ID, 10),
})
session.MakeRequest(t, req, http.StatusInternalServerError)
})
})
} }
// TestBlockAddCollaborator ensures that the doer and blocked user cannot add each each other as collaborators. // TestBlockAddCollaborator ensures that the doer and blocked user cannot add each each other as collaborators.