fix(api): allow collaborators to read their own permissions (#6856)

- Instead of checking the login name (which is not set in most cases and really the wrong thing to do here just like it is case sensitive) simply check that the requested user has the same ID as the doer. - Resolves forgejo/forgejo#6837 - Add integration test. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6856 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-02-08 15:09:08 +00:00 · 2025-02-08 15:09:08 +00:00 · 751a3da979
commit 751a3da979
parent ed855e1492
2 changed files with 23 additions and 5 deletions
--- a/tests/integration/api_repo_collaborator_test.go
+++ b/tests/integration/api_repo_collaborator_test.go
@ -52,6 +52,20 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
 			DecodeJSON(t, resp, &repoPermission)

 			assert.Equal(t, "read", repoPermission.Permission)
+
+			t.Run("CollaboratorCanReadTheirPermission", func(t *testing.T) {
+				session := loginUser(t, user4.Name)
+				token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
+
+				req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission", repo2Owner.Name, repo2.Name, user4.Name).
+					AddTokenAuth(token)
+				resp := MakeRequest(t, req, http.StatusOK)
+
+				var repoPermission api.RepoCollaboratorPermission
+				DecodeJSON(t, resp, &repoPermission)
+
+				assert.Equal(t, "read", repoPermission.Permission)
+			})
 		})

 		t.Run("CollaboratorWithWriteAccess", func(t *testing.T) {