diff --git a/pkg/db/fixtures/projects.yml b/pkg/db/fixtures/projects.yml
index 29c745d71..86d2cba24 100644
--- a/pkg/db/fixtures/projects.yml
+++ b/pkg/db/fixtures/projects.yml
@@ -382,3 +382,14 @@
 position: 42
 updated: 2018-12-02 15:13:12
 created: 2018-12-01 15:13:12
+# Child of project 10 used by the reparent privilege-escalation regression tests.
+# User 1 has Write on project 10 (users_projects id=4) and therefore inherits
+# Write on this child via the permission CTE. Do not reuse for unrelated tests.
+-
+ id: 43
+ title: Reparent Escalation Test Child
+ owner_id: 6
+ parent_project_id: 10
+ position: 4300
+ updated: 2018-12-02 15:13:12
+ created: 2018-12-01 15:13:12
diff --git a/pkg/models/project_test.go b/pkg/models/project_test.go
index 5a8ef1347..a045391ff 100644
--- a/pkg/models/project_test.go
+++ b/pkg/models/project_test.go
@@ -491,7 +491,8 @@ func TestProject_ReadAll(t *testing.T) {
 defer s.Close()
 projects, _, err := getAllProjectsForUser(s, 6, &projectOptions{})
 require.NoError(t, err)
- assert.Len(t, projects, 27)
+ // +1 for the reparent-escalation fixture child (project 43, owner=6).
+ assert.Len(t, projects, 28)
 })
 t.Run("all projects for user", func(t *testing.T) {
 db.LoadAndAssertFixtures(t)
@@ -504,12 +505,14 @@ func TestProject_ReadAll(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, reflect.Slice, reflect.TypeOf(projects3).Kind())
 ls := projects3.([]*Project)
- assert.Len(t, ls, 27)
+ // +1 for the reparent-escalation fixture child (project 43) that
+ // user 1 inherits Write on via project 10.
+ assert.Len(t, ls, 28)
 assert.Equal(t, int64(3), ls[0].ID) // Project 3 has a position of 1 and should be sorted first
 assert.Equal(t, int64(1), ls[1].ID)
 assert.Equal(t, int64(6), ls[2].ID)
- assert.Equal(t, int64(-1), ls[25].ID)
- assert.Equal(t, int64(-2), ls[26].ID)
+ assert.Equal(t, int64(-1), ls[26].ID)
+ assert.Equal(t, int64(-2), ls[27].ID)
 })
 t.Run("projects for nonexistent user", func(t *testing.T) {
 db.LoadAndAssertFixtures(t)
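Review bot: The comment above fixture project 43 in projects.yml explains user 1's inherited Write but never mentions `owner_id: 6`, which is why the user-6 listing count in project_test.go also moves from 27 to 28. Because this row backs a privilege-escalation regression, both relationships should be stated, for example `# Owned by user 6; user 1 reaches it through inherited Write on project 10.` The Write grant itself is in users_projects id=4, which this diff does not show, so a later edit to that row would presumably change what the regression tests exercise without touching this file.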
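Review bot: The positional assertions `ls[26]` and `ls[27]` in the "all projects for user" subtest (hunk at -504,12) must be renumbered whenever a fixture project is added, as this commit itself shows. Indexing from the end keeps the intent that the two pseudo projects sort last: `assert.Equal(t, int64(-1), ls[len(ls)-2].ID)` and `assert.Equal(t, int64(-2), ls[len(ls)-1].ID)`. The bare count of 28 here, and in the user-6 subtest of the previous hunk, only proves the total grew. An assertion that ID 43 is actually present in user 1's list would confirm the inherited-permission path the new comment describes. The subtest body starts outside the hunk.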
@@ -543,9 +546,17 @@ func TestProject_ReadAll(t *testing.T) {
 assert.Contains(t, projectIDs, int64(10))
 assert.Contains(t, projectIDs, int64(-1))
 } else {
- require.Len(t, ls, 2)
- assert.Equal(t, int64(10), ls[0].ID)
- assert.Equal(t, int64(-1), ls[1].ID)
+ // Expect project 10 (the search target), project 43 (its child —
+ // reparent-escalation fixture, pulled in as a descendant so tree
+ // navigation stays intact) and the favorites pseudo project -1.
+ require.Len(t, ls, 3)
+ projectIDs := make([]int64, len(ls))
+ for i, p := range ls {
+ projectIDs[i] = p.ID
+ }
+ assert.Contains(t, projectIDs, int64(10))
+ assert.Contains(t, projectIDs, int64(43))
+ assert.Contains(t, projectIDs, int64(-1))
 }
 })
 t.Run("search returns filters as well", func(t *testing.T) {
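Review bot: The rewritten `else` branch no longer checks result order: the removed lines pinned `ls[0].ID` to 10 and `ls[1].ID` to -1, while the new ones check membership only. If ordering is still deterministic on that backend, keep one positional check after the `require.Len`, such as `assert.Equal(t, int64(10), ls[0].ID)`. If it is not, `assert.ElementsMatch(t, []int64{10, 43, -1}, projectIDs)` expresses the length check and the three `assert.Contains` calls in one assertion. The `if` half of this branch begins outside the hunk and appears to build `projectIDs` the same way, so the collection loop could be hoisted above the branch.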