test(fixtures): add child project for reparent escalation tests
Adds project 43 as a child of project 10 so tests can exercise the "inherited Write via parent" path exploited by GHSA-2vq4-854f-5c72. User 1 has Write on project 10 via users_projects id=4 and therefore inherits Write on this child via the permission CTE.
parent
8db4ba8a26
commit
a3059ba470
|
|
@ -382,3 +382,14 @@
|
|||
position: 42
|
||||
updated: 2018-12-02 15:13:12
|
||||
created: 2018-12-01 15:13:12
|
||||
# Child of project 10 used by the reparent privilege-escalation regression tests.
|
||||
# User 1 has Write on project 10 (users_projects id=4) and therefore inherits
|
||||
# Write on this child via the permission CTE. Do not reuse for unrelated tests.
|
||||
-
|
||||
id: 43
|
||||
title: Reparent Escalation Test Child
|
||||
owner_id: 6
|
||||
parent_project_id: 10
|
||||
position: 4300
|
||||
updated: 2018-12-02 15:13:12
|
||||
created: 2018-12-01 15:13:12
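Review bot: The comment block above `id: 43` does not explain why `owner_id: 6` was chosen, and that choice looks load-bearing for the GHSA-2vq4-854f-5c72 regression tests. Presumably an owner has full rights on their own project, so if this row were ever owned by user 1, the tests would stop exercising the "inherited Write via parent" path and could pass vacuously. I would add a line such as `# Owned by user 6 on purpose: user 1 must reach this project only through Write inherited from project 10.` The grant itself (users_projects id=4) lives in a fixture that is not part of this section, so the regression test should also assert that user 1 resolves to Write on project 43 before it attempts the reparent.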
|
||||
|
|
|
|||
|
|
@ -491,7 +491,8 @@ func TestProject_ReadAll(t *testing.T) {
|
|||
defer s.Close()
|
||||
projects, _, err := getAllProjectsForUser(s, 6, &projectOptions{})
|
||||
require.NoError(t, err)
|
||||
assert.Len(t, projects, 27)
|
||||
// +1 for the reparent-escalation fixture child (project 43, owner=6).
|
||||
assert.Len(t, projects, 28)
|
||||
})
|
||||
t.Run("all projects for user", func(t *testing.T) {
|
||||
db.LoadAndAssertFixtures(t)
|
||||
|
|
@ -504,12 +505,14 @@ func TestProject_ReadAll(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.Equal(t, reflect.Slice, reflect.TypeOf(projects3).Kind())
|
||||
ls := projects3.([]*Project)
|
||||
assert.Len(t, ls, 27)
|
||||
// +1 for the reparent-escalation fixture child (project 43) that
|
||||
// user 1 inherits Write on via project 10.
|
||||
assert.Len(t, ls, 28)
|
||||
assert.Equal(t, int64(3), ls[0].ID) // Project 3 has a position of 1 and should be sorted first
|
||||
assert.Equal(t, int64(1), ls[1].ID)
|
||||
assert.Equal(t, int64(6), ls[2].ID)
|
||||
assert.Equal(t, int64(-1), ls[25].ID)
|
||||
assert.Equal(t, int64(-2), ls[26].ID)
|
||||
assert.Equal(t, int64(-1), ls[26].ID)
|
||||
assert.Equal(t, int64(-2), ls[27].ID)
|
||||
})
|
||||
t.Run("projects for nonexistent user", func(t *testing.T) {
|
||||
db.LoadAndAssertFixtures(t)
|
||||
|
|
@ -543,9 +546,17 @@ func TestProject_ReadAll(t *testing.T) {
|
|||
assert.Contains(t, projectIDs, int64(10))
|
||||
assert.Contains(t, projectIDs, int64(-1))
|
||||
} else {
|
||||
require.Len(t, ls, 2)
|
||||
assert.Equal(t, int64(10), ls[0].ID)
|
||||
assert.Equal(t, int64(-1), ls[1].ID)
|
||||
// Expect project 10 (the search target), project 43 (its child —
|
||||
// reparent-escalation fixture, pulled in as a descendant so tree
|
||||
// navigation stays intact) and the favorites pseudo project -1.
|
||||
require.Len(t, ls, 3)
|
||||
projectIDs := make([]int64, len(ls))
|
||||
for i, p := range ls {
|
||||
projectIDs[i] = p.ID
|
||||
}
|
||||
assert.Contains(t, projectIDs, int64(10))
|
||||
assert.Contains(t, projectIDs, int64(43))
|
||||
assert.Contains(t, projectIDs, int64(-1))
|
||||
}
|
||||
})
|
||||
t.Run("search returns filters as well", func(t *testing.T) {
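Review bot: The bumped counts `assert.Len(t, projects, 28)` in the first hunk and `assert.Len(t, ls, 28)` in the second only show that one more project is returned, not that the extra one is project 43. Since the fixture exists to pin a permission-inheritance path, a different project leaking into user 1's list would satisfy the same count while hiding a real access-control regression. In the second hunk I would collect the IDs the way the third hunk already does and add `assert.Contains(t, projectIDs, int64(43))`. The same check against `projects` would fit the user 6 case in the first hunk. TestProject_ReadAll starts and ends outside these hunks, so whether a helper for collecting IDs already exists there cannot be seen from here.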
|
||||
|
|
|
|||