tests: star security tests

endpoints/api/user.py

@@ -700,7 +700,6 @@ class StarredRepositoryList(ApiResource):
     }
   }
 
-  @require_scope(scopes.READ_REPO)
   @nickname('listStarredRepos')
   @parse_args
   @query_param('page', 'Offset page number. (int)', type=int)
@@ -750,12 +749,11 @@ class StarredRepositoryList(ApiResource):
         'repository': repository,
       }, 201
 
-    raise NotFound()
-
 @resource('/v1/user/starred/<repopath:repository>')
 @path_param('repository', 'The full path of the repository. e.g. namespace/name')
 class StarredRepository(RepositoryParamResource):
   """ Operations for managing a specific starred repository. """
+
   @nickname('deleteStar')
   @require_user_admin
   def delete(self, namespace, repository):
@@ -769,5 +767,3 @@ class StarredRepository(RepositoryParamResource):
       #log_action('unstar_repository', user.username, namespace,
       #           {'repo': repository, 'namespace': namespace})
       return 'Deleted', 204
-
-    raise NotFound()

test/test_api_security.py

@@ -26,7 +26,7 @@ from endpoints.api.repoemail import RepositoryAuthorizedEmail
 from endpoints.api.repositorynotification import RepositoryNotification, RepositoryNotificationList
 from endpoints.api.user import (PrivateRepositories, ConvertToOrganization, Recovery, Signout,
                                 Signin, User, UserAuthorizationList, UserAuthorization, UserNotification,
-                                VerifyUser, DetachExternal)
+                                VerifyUser, DetachExternal, StarredRepositoryList, StarredRepository)
 from endpoints.api.repotoken import RepositoryToken, RepositoryTokenList
 from endpoints.api.prototype import PermissionPrototype, PermissionPrototypeList
 from endpoints.api.logs import UserLogs, OrgLogs, RepositoryLogs
@@ -132,6 +132,58 @@ class TestFindRepositories(ApiTestCase):
 
 
 
+class TestUserStarredRepositoryList(ApiTestCase):
+  def setUp(self):
+    ApiTestCase.setUp(self)
+    self._set_url(StarredRepositoryList)
+
+  def test_get_anonymous(self):
+    self._run_test('GET', 401, None, None)
+
+  def test_get_freshuser(self):
+    self._run_test('GET', 200, 'freshuser', None)
+
+  def test_get_reader(self):
+    self._run_test('GET', 200, 'reader', None)
+
+  def test_get_devtable(self):
+    self._run_test('GET', 200, 'devtable', None)
+
+  def test_post_anonymous(self):
+    self._run_test('POST', 401, None, {u'namespace': 'public',
+                                       u'repository': 'publicrepo'})
+
+  def test_post_freshuser(self):
+    self._run_test('POST', 201, 'freshuser', {u'namespace': 'public',
+                                              u'repository': 'publicrepo'})
+
+  def test_post_reader(self):
+    self._run_test('POST', 201, 'reader', {u'namespace': 'public',
+                                           u'repository': 'publicrepo'})
+
+  def test_post_devtable(self):
+    self._run_test('POST', 201, 'devtable', {u'namespace': 'public',
+                                             u'repository': 'publicrepo'})
+
+
+class TestUserStarredRepository(ApiTestCase):
+  def setUp(self):
+    ApiTestCase.setUp(self)
+    self._set_url(StarredRepository, repository="public/publicrepo")
+
+  def test_delete_anonymous(self):
+    self._run_test('DELETE', 401, None, None)
+
+  def test_delete_freshuser(self):
+    self._run_test('DELETE', 400, 'freshuser', None)
+
+  def test_delete_reader(self):
+    self._run_test('DELETE', 400, 'reader', None)
+
+  def test_delete_devtable(self):
+    self._run_test('DELETE', 400, 'devtable', None)
+
+
 class TestUserNotification(ApiTestCase):
   def setUp(self):
     ApiTestCase.setUp(self)