inactive accounts cannot activate a repository

2019-07-29 13:58:32 -07:00 · 2019-07-29 13:58:32 -07:00 · 27bc816a01
commit 27bc816a01
parent c78f55cc2f
5 changed files with 65 additions and 8 deletions
--- a/go.mod
+++ b/go.mod
@ -17,9 +17,9 @@ require (
 	github.com/docker/go-connections v0.3.0
 	github.com/docker/go-units v0.3.3
 	github.com/drone/drone-go v1.0.5
-	github.com/drone/drone-runtime v1.0.6
+	github.com/drone/drone-runtime v1.0.7
 	github.com/drone/drone-ui v0.0.0-20190530175131-92ba3df1e0a9
-	github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee
+	github.com/drone/drone-yaml v1.2.2
 	github.com/drone/envsubst v1.0.1
 	github.com/drone/go-license v1.0.2
 	github.com/drone/go-login v1.0.4-0.20190311170324-2a4df4f242a2
--- a/go.sum
+++ b/go.sum
@ -52,6 +52,9 @@ github.com/drone/drone-runtime v1.0.5 h1:fEdUvKd5+l8BQaPXntjUtSIVLvGWo3Blgb/zrXL
 github.com/drone/drone-runtime v1.0.5/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs=
 github.com/drone/drone-runtime v1.0.6 h1:7aPvPCZI2uqt3IEmx/BZg+ml10+I5lE74lZ17Y7xy40=
 github.com/drone/drone-runtime v1.0.6/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs=
+github.com/drone/drone-runtime v1.0.7-0.20190729202838-87c84080f4a1/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs=
+github.com/drone/drone-runtime v1.0.7 h1:qviHrNmEdT3aYfQW3NYOuClHw2IU6CECSOfrXe8QLvY=
+github.com/drone/drone-runtime v1.0.7/go.mod h1:+osgwGADc/nyl40J0fdsf8Z09bgcBZXvXXnLOY48zYs=
 github.com/drone/drone-ui v0.0.0-20190318170755-1ca48466a158 h1:u80WYtaGkKWVmxj1BMX9SukAqTxILzGFIKvY5as9zAc=
 github.com/drone/drone-ui v0.0.0-20190318170755-1ca48466a158/go.mod h1:NBtVWW7NNJpD9+huMD/5TAE1db2nrEh0i35/9Rf1MPI=
 github.com/drone/drone-ui v0.0.0-20190318215801-d6c3d11a1c3f h1:yMdZ/2BZFKrfMbWlc0cNH2TCXdC8MsSR0pnu3Dq4UH4=
@ -93,6 +96,8 @@ github.com/drone/drone-yaml v1.2.2-0.20190719011530-e8b24d482cda h1:vPXJLgkyScZ0
 github.com/drone/drone-yaml v1.2.2-0.20190719011530-e8b24d482cda/go.mod h1:l/ehbHx9TGs4jgzhRnP5d+M9tmRsAmWyBHWAFEOXrk4=
 github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee h1:/zyEkv56+T6JxLkYgYYwZAMLKBgEnHA3fwZXiVI9nuE=
 github.com/drone/drone-yaml v1.2.2-0.20190719012529-c50000a465ee/go.mod h1:l/ehbHx9TGs4jgzhRnP5d+M9tmRsAmWyBHWAFEOXrk4=
+github.com/drone/drone-yaml v1.2.2 h1:Srf8OlAHhR7SXX5Ax01dP5tpZENsrEKyg35E2nNkIew=
+github.com/drone/drone-yaml v1.2.2/go.mod h1:QsqliFK8nG04AHFN9tTn9XJomRBQHD4wcejWW1uz/10=
 github.com/drone/envsubst v1.0.1 h1:NOOStingM2sbBwsIUeQkKUz8ShwCUzmqMxWrpXItfPE=
 github.com/drone/envsubst v1.0.1/go.mod h1:bkZbnc/2vh1M12Ecn7EYScpI4YGYU0etwLJICOWi8Z0=
 github.com/drone/go-license v1.0.2 h1:7OwndfYk+Lp/cGHkxe4HUn/Ysrrw3WYH2pnd99yrkok=
--- a/handler/api/acl/acl_test.go
+++ b/handler/api/acl/acl_test.go
@ -10,8 +10,8 @@ import (
 	"net/http/httptest"
 	"testing"

-	"github.com/drone/drone/handler/api/request"
 	"github.com/drone/drone/core"
+	"github.com/drone/drone/handler/api/request"

 	"github.com/sirupsen/logrus"
 )
@ -22,9 +22,17 @@ func init() {

 var (
 	mockUser = &core.User{
-		ID:    1,
-		Login: "octocat",
-		Admin: false,
+		ID:     1,
+		Login:  "octocat",
+		Admin:  false,
+		Active: true,
+	}
+
+	mockUserInactive = &core.User{
+		ID:     1,
+		Login:  "octocat",
+		Admin:  false,
+		Active: false,
 	}

 	mockRepo = &core.Repository{
--- a/handler/api/acl/check.go
+++ b/handler/api/acl/check.go
@ -123,6 +123,9 @@ func CheckAccess(read, write, admin bool) func(http.Handler) http.Handler {
 			)

 			switch {
+			case user.Active == false:
+				render.Forbidden(w, errors.ErrForbidden)
+				log.Debugln("api: active account required")
 			case read == true && perm.Read == false:
 				render.NotFound(w, errors.ErrNotFound)
 				log.Debugln("api: read access required")
--- a/handler/api/acl/check_test.go
+++ b/handler/api/acl/check_test.go
@ -12,9 +12,9 @@ import (
 	"testing"
 	"time"

+	"github.com/drone/drone/core"
 	"github.com/drone/drone/handler/api/errors"
 	"github.com/drone/drone/handler/api/request"
-	"github.com/drone/drone/core"
 	"github.com/google/go-cmp/cmp"

 	"github.com/go-chi/chi"
@ -380,6 +380,47 @@ func TestCheckWriteAccess(t *testing.T) {
 	}
 }

+// this test verifies the the next handler in the middleware
+// chain is not processed if the user has write access BUT
+// has been inactivated (e.g. blocked).
+func TestCheckWriteAccess_InactiveUser(t *testing.T) {
+	controller := gomock.NewController(t)
+	defer controller.Finish()
+
+	writeAccess := &core.Perm{
+		Synced: time.Now().Unix(),
+		Read:   true,
+		Write:  true,
+		Admin:  false,
+	}
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest("GET", "/api/repos/octocat/hello-world", nil)
+	r = r.WithContext(
+		request.WithPerm(
+			request.WithUser(
+				request.WithRepo(noContext, mockRepo),
+				mockUserInactive,
+			),
+			writeAccess,
+		),
+	)
+
+	router := chi.NewRouter()
+	router.Route("/api/repos/{owner}/{name}", func(router chi.Router) {
+		router.Use(CheckWriteAccess())
+		router.Get("/", func(w http.ResponseWriter, r *http.Request) {
+			t.Error("should not invoke hanlder")
+		})
+	})
+
+	router.ServeHTTP(w, r)
+
+	if got, want := w.Code, http.StatusForbidden; got != want {
+		t.Errorf("Want status code %d, got %d", want, got)
+	}
+}
+
 // this test verifies that a 404 not found error is written to
 // the response if the user lacks write access to the repository.
 //
@ -526,7 +567,7 @@ func TestCheckAdminAccess_SystemAdmin(t *testing.T) {
 	controller := gomock.NewController(t)
 	defer controller.Finish()

-	user := &core.User{ID: 1, Admin: true}
+	user := &core.User{ID: 1, Admin: true, Active: true}

 	w := httptest.NewRecorder()
 	r := httptest.NewRequest("GET", "/api/repos/octocat/hello-world", nil)