fix: PR not blocked by review request for a whitelisted team (#8511)

Fixes #8491. Previous behavior always updated the newly created review to set the `official` flag to false. This logic is now removed. The most likely reason that this logic existed was that team reviews were being marked as official based upon `doer`, rather than the target team, which seems undesirable. The expected behavior was retained by removing the check for `IsOfficialReviewer(..., doer)`, ensuring that when making a review request for a team, it doesn't matter *who* makes the request. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8511 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2025-07-18 17:19:41 +02:00 · 2025-07-15 23:21:42 +02:00 · 2025-07-15 23:21:42 +02:00 · e47fa23729
commit e47fa23729
parent e186b5c039
5 changed files with 134 additions and 10 deletions
--- a/models/fixtures/TestAddTeamReviewRequest/issue.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/issue.yml
@ -0,0 +1,16 @@
 -
  id: 23
  repo_id: 2
  index: 3
  poster_id: 2
  original_author_id: 0
  name: protected branch pull
  content: pull request to a protected branch
  milestone_id: 0
  priority: 0
  is_pull: true
  is_closed: false
  num_comments: 0
  created_unix: 1707270422
  updated_unix: 1707270422
  is_locked: false
--- a/models/fixtures/TestAddTeamReviewRequest/protected_branch.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/protected_branch.yml
@ -0,0 +1,28 @@
 - id: 1
  repo_id: 2
  branch_name: protected-main
  can_push: false
  enable_whitelist: true
  whitelist_user_i_ds: [1]
  whitelist_team_i_ds: []
  enable_merge_whitelist: true
  whitelist_deploy_keys: false
  merge_whitelist_user_i_ds: [1]
  merge_whitelist_team_i_ds: []
  enable_status_check: false
  status_check_contexts: []
  enable_approvals_whitelist: true
  approvals_whitelist_user_i_ds: []
  approvals_whitelist_team_i_ds: [1]
  required_approvals: 1
  block_on_rejected_reviews: true
  block_on_official_review_requests: true
  block_on_outdated_branch: true
  dismiss_stale_approvals: true
  ignore_stale_approvals: false
  require_signed_commits: false
  protected_file_patterns: ""
  unprotected_file_patterns: ""
  apply_to_admins: true
  created_unix: 1752513073
  updated_unix: 1752513073
--- a/models/fixtures/TestAddTeamReviewRequest/pull_request.yml
+++ b/models/fixtures/TestAddTeamReviewRequest/pull_request.yml
@ -0,0 +1,12 @@
 -
  id: 11
  type: 0 # gitea pull request
  status: 2 # mergeable
  issue_id: 23
  index: 3
  head_repo_id: 2
  base_repo_id: 2
  head_branch: feature/protected-branch-pr
  base_branch: protected-main
  merge_base: 4a357436d925b5c974181ff12a994538ddc5a269
  has_merged: false
--- a/models/issues/review.go
+++ b/models/issues/review.go
@ -781,10 +781,6 @@ func AddTeamReviewRequest(ctx context.Context, issue *Issue, reviewer *organizat
 	official, err := IsOfficialReviewerTeam(ctx, issue, reviewer)
 	if err != nil {
 		return nil, fmt.Errorf("isOfficialReviewerTeam(): %w", err)
 	} else if !official {
 		if official, err = IsOfficialReviewer(ctx, issue, doer); err != nil {
 			return nil, fmt.Errorf("isOfficialReviewer(): %w", err)
 		}
 	}
 	if review, err = CreateReview(ctx, CreateReviewOptions{
@ -797,12 +793,6 @@ func AddTeamReviewRequest(ctx context.Context, issue *Issue, reviewer *organizat
 		return nil, err
 	}
 	if official {
 		if _, err := db.Exec(ctx, "UPDATE `review` SET official=? WHERE issue_id=? AND reviewer_team_id=?", false, issue.ID, reviewer.ID); err != nil {
 			return nil, err
 		}
 	}
 	comment, err := CreateComment(ctx, &CreateCommentOptions{
 		Type:            CommentTypeReviewRequest,
 		Doer:            doer,
--- a/models/issues/review_test.go
+++ b/models/issues/review_test.go
@ -8,6 +8,7 @@ import (
 	"forgejo.org/models/db"
 	issues_model "forgejo.org/models/issues"
 	organization_model "forgejo.org/models/organization"
 	repo_model "forgejo.org/models/repo"
 	"forgejo.org/models/unittest"
 	user_model "forgejo.org/models/user"
@ -319,3 +320,80 @@ func TestAddReviewRequest(t *testing.T) {
 	require.Error(t, err)
 	assert.True(t, issues_model.IsErrReviewRequestOnClosedPR(err))
 }
 func TestAddTeamReviewRequest(t *testing.T) {
 	defer unittest.OverrideFixtures("models/fixtures/TestAddTeamReviewRequest")()
 	require.NoError(t, unittest.PrepareTestDatabase())
 	setupForProtectedBranch := func() (*issues_model.Issue, *user_model.User) {
 		// From override models/fixtures/TestAddTeamReviewRequest/issue.yml; issue #23 is a PR into a protected branch
 		issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 23})
 		require.NoError(t, issue.LoadRepo(db.DefaultContext))
 		doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
 		return issue, doer
 	}
 	t.Run("Protected branch, not official team", func(t *testing.T) {
 		issue, doer := setupForProtectedBranch()
 		// Team 2 is not part of the whitelist for this protected branch
 		team := unittest.AssertExistsAndLoadBean(t, &organization_model.Team{ID: 2})
 		comment, err := issues_model.AddTeamReviewRequest(db.DefaultContext, issue, team, doer)
 		require.NoError(t, err)
 		require.NotNil(t, comment)
 		review, err := issues_model.GetTeamReviewerByIssueIDAndTeamID(db.DefaultContext, issue.ID, team.ID)
 		require.NoError(t, err)
 		require.NotNil(t, review)
 		assert.Equal(t, issues_model.ReviewTypeRequest, review.Type)
 		assert.Equal(t, team.ID, review.ReviewerTeamID)
 		// This review request should not be marked official because it is not a request for a team in the branch
 		// protection rule's whitelist...
 		assert.False(t, review.Official)
 	})
 	t.Run("Protected branch, official team", func(t *testing.T) {
 		issue, doer := setupForProtectedBranch()
 		// Team 1 is part of the whitelist for this protected branch
 		team := unittest.AssertExistsAndLoadBean(t, &organization_model.Team{ID: 1})
 		comment, err := issues_model.AddTeamReviewRequest(db.DefaultContext, issue, team, doer)
 		require.NoError(t, err)
 		require.NotNil(t, comment)
 		review, err := issues_model.GetTeamReviewerByIssueIDAndTeamID(db.DefaultContext, issue.ID, team.ID)
 		require.NoError(t, err)
 		require.NotNil(t, review)
 		assert.Equal(t, issues_model.ReviewTypeRequest, review.Type)
 		assert.Equal(t, team.ID, review.ReviewerTeamID)
 		// Expected to be considered official because team 1 is in the review whitelist for this protected branch
 		assert.True(t, review.Official)
 	})
 	t.Run("Unprotected branch, official team", func(t *testing.T) {
 		// Working on a PR into a branch that is not protected, issue #2
 		issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
 		require.NoError(t, issue.LoadRepo(db.DefaultContext))
 		doer := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 		// team is a team that has write perms against the repo
 		team := unittest.AssertExistsAndLoadBean(t, &organization_model.Team{ID: 1})
 		comment, err := issues_model.AddTeamReviewRequest(db.DefaultContext, issue, team, doer)
 		require.NoError(t, err)
 		require.NotNil(t, comment)
 		review, err := issues_model.GetTeamReviewerByIssueIDAndTeamID(db.DefaultContext, issue.ID, team.ID)
 		require.NoError(t, err)
 		require.NotNil(t, review)
 		assert.Equal(t, issues_model.ReviewTypeRequest, review.Type)
 		assert.Equal(t, team.ID, review.ReviewerTeamID)
 		// Will not be marked as official because PR #2 there's no branch protection rule that enables whitelist
 		// approvals (verifying logic in `IsOfficialReviewerTeam` indirectly)
 		assert.False(t, review.Official)
 		// Adding the same team review request again should be a noop
 		comment, err = issues_model.AddTeamReviewRequest(db.DefaultContext, issue, team, doer)
 		require.NoError(t, err)
 		require.Nil(t, comment)
 	})
 }