Make sure to filter starred repos to those visible to the user

Fixes #1793
2016-08-31 14:07:05 -04:00 · 2016-08-31 14:07:05 -04:00 · 1b7b3ea41d
commit 1b7b3ea41d
parent b4939a3cd0
2 changed files with 31 additions and 7 deletions
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@ -20,7 +20,7 @@ from endpoints.api.billing import lookup_allowed_private_repos, get_namespace_pl
 from endpoints.api.subscribe import check_repository_usage

 from auth.permissions import (ModifyRepositoryPermission, AdministerRepositoryPermission,
-                              CreateRepositoryPermission)
+                              CreateRepositoryPermission, ReadRepositoryPermission)
 from auth.auth_context import get_authenticated_user
 from auth import scopes
 from util.names import REPOSITORY_NAME_REGEX
@ -158,8 +158,12 @@ class RepositoryList(ApiResource):
        # No repositories should be returned, as there is no user.
        abort(400)

-      # Return the full list of repos starred by the current user.
-      repos = list(model.repository.get_user_starred_repositories(user))
+      # Return the full list of repos starred by the current user that are still visible to them.
+      def can_view_repo(repo):
+        return ReadRepositoryPermission(repo.namespace_user.username, repo.name).can()
+
+      unfiltered_repos = model.repository.get_user_starred_repositories(user)
+      repos = [repo for repo in unfiltered_repos if can_view_repo(repo)]
    elif parsed_args['namespace']:
      # Repositories filtered by namespace do not need pagination (their results are fairly small),
      # so we just do the lookup directly.
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -1565,12 +1565,33 @@ class TestListRepos(ApiTestCase):
    self.assertEquals(name, json['repositories'][0]['name'])

  def assertRepositoryNotVisible(self, namespace, name):
-    json = self.getJsonResponse(RepositoryList,
-                                params=dict(namespace=namespace,
-                                            public=False))
+    json = self.getJsonResponse(RepositoryList, params=dict(namespace=namespace, public=False))
    for repo in json['repositories']:
      self.assertNotEquals(name, repo['name'])

+    json = self.getJsonResponse(RepositoryList, params=dict(starred=True))
+    for repo in json['repositories']:
+      self.assertNotEquals(name, repo['name'])
+
+  def test_listrepos_starred_filtered(self):
+    admin_user = model.user.get_user(ADMIN_ACCESS_USER)
+    reader_user = model.user.get_user(READ_ACCESS_USER)
+
+    # Create a new organization.
+    new_org = model.organization.create_organization('neworg', 'neworg@devtable.com', admin_user)
+    admin_team = model.team.create_team('admin', new_org, 'admin')
+
+    # Add a repository to the organization.
+    repo = model.repository.create_repository('neworg', 'somerepo', admin_user)
+
+    with self.add_to_team_temporarily(reader_user, admin_team):
+      # Star the repository for the user.
+      model.repository.star_repository(reader_user, repo)
+
+    # Verify that the user cannot see the repo, since they are no longer allowed to do so.
+    self.login(READ_ACCESS_USER)
+    self.assertRepositoryNotVisible('neworg', 'somerepo')
+
  @contextmanager
  def add_to_team_temporarily(self, user, team):
    model.team.add_user_to_team(user, team)
@ -1579,7 +1600,6 @@ class TestListRepos(ApiTestCase):
                                     ADMIN_ACCESS_USER)

  def test_listrepos_org_filtered(self):
-    # Admin user
    admin_user = model.user.get_user(ADMIN_ACCESS_USER)
    reader_user = model.user.get_user(READ_ACCESS_USER)