fix: collaborator can edit wiki with write access (#8234)

fixes: #8119, replaces #8135 Bug likely introduced in 5eeccecafc ### Tests - I added test coverage for Go changes in the `tests/integration` directory if it involves interactions with a live Forgejo server. ### Documentation - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [x] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8234 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: oliverpool <git@olivier.pfad.fr> Co-committed-by: oliverpool <git@olivier.pfad.fr> (cherry picked from commit 913eaffb8a)
2025-07-19 01:29:40 +02:00 · 2025-06-19 18:35:09 +02:00 · 2025-06-19 18:35:09 +02:00 · 379c2684fa
commit 379c2684fa
parent 0dc2bed2dd
1 changed files with 101 additions and 0 deletions
--- a/tests/integration/repo_wiki_test.go
+++ b/tests/integration/repo_wiki_test.go
@ -216,3 +216,104 @@ func TestWikiPermissions(t *testing.T) {
 		})
 	})
 }
+
+func canEditWiki(t *testing.T, username, url string, canEdit bool) {
+	t.Helper()
+	// t.Parallel()
+
+	req := NewRequest(t, "GET", url)
+
+	var resp *httptest.ResponseRecorder
+	if username != "" {
+		session := loginUser(t, username)
+		resp = session.MakeRequest(t, req, http.StatusOK)
+	} else {
+		resp = MakeRequest(t, req, http.StatusOK)
+	}
+	doc := NewHTMLParser(t, resp.Body)
+	res := doc.Find(`a[href^="` + url + `"]`).Map(func(_ int, el *goquery.Selection) string {
+		return el.AttrOr("href", "")
+	})
+	found := false
+	for _, href := range res {
+		if strings.HasSuffix(href, "?action=_new") {
+			if !canEdit {
+				t.Errorf("unexpected edit link: %s", href)
+			}
+			found = true
+			break
+		}
+	}
+	if canEdit {
+		assert.True(t, found, "could not find ?action=_new link among %v", res)
+	}
+}
+
+func TestWikiPermissions(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	t.Run("default settings", func(t *testing.T) {
+		t.Run("anonymous", func(t *testing.T) {
+			canEditWiki(t, "", "/user5/repo4/wiki", false)
+		})
+		t.Run("owner", func(t *testing.T) {
+			canEditWiki(t, "user5", "/user5/repo4/wiki", true)
+		})
+		t.Run("collaborator", func(t *testing.T) {
+			canEditWiki(t, "user4", "/user5/repo4/wiki", true)
+			canEditWiki(t, "user29", "/user5/repo4/wiki", true)
+		})
+		t.Run("other user", func(t *testing.T) {
+			canEditWiki(t, "user2", "/user5/repo4/wiki", false)
+		})
+	})
+
+	t.Run("saved unchanged settings", func(t *testing.T) {
+		session := loginUser(t, "user5")
+		csrf := GetCSRF(t, session, "/user5/repo4/settings/units")
+		req := NewRequestWithValues(t, "POST", "/user5/repo4/settings/units", map[string]string{
+			"_csrf":       csrf,
+			"enable_wiki": "on",
+		})
+		session.MakeRequest(t, req, http.StatusSeeOther)
+
+		t.Run("anonymous", func(t *testing.T) {
+			canEditWiki(t, "", "/user5/repo4/wiki", false)
+		})
+		t.Run("owner", func(t *testing.T) {
+			canEditWiki(t, "user5", "/user5/repo4/wiki", true)
+		})
+		t.Run("collaborator", func(t *testing.T) {
+			canEditWiki(t, "user4", "/user5/repo4/wiki", true)
+			canEditWiki(t, "user29", "/user5/repo4/wiki", true)
+		})
+		t.Run("other user", func(t *testing.T) {
+			canEditWiki(t, "user2", "/user5/repo4/wiki", false)
+		})
+	})
+
+	t.Run("globally writable", func(t *testing.T) {
+		session := loginUser(t, "user5")
+		csrf := GetCSRF(t, session, "/user5/repo4/settings/units")
+		req := NewRequestWithValues(t, "POST", "/user5/repo4/settings/units", map[string]string{
+			"_csrf":                   csrf,
+			"enable_wiki":             "on",
+			"globally_writeable_wiki": "on",
+		})
+		session.MakeRequest(t, req, http.StatusSeeOther)
+
+		t.Run("anonymous", func(t *testing.T) {
+			canEditWiki(t, "", "/user5/repo4/wiki", false)
+		})
+		t.Run("owner", func(t *testing.T) {
+			canEditWiki(t, "user5", "/user5/repo4/wiki", true)
+		})
+		t.Run("collaborator", func(t *testing.T) {
+			canEditWiki(t, "user4", "/user5/repo4/wiki", true)
+			canEditWiki(t, "user29", "/user5/repo4/wiki", true)
+		})
+		t.Run("other user", func(t *testing.T) {
+			canEditWiki(t, "user2", "/user5/repo4/wiki", true)
+		})
+	})
+}