Skip to content

fix: checkUserPushPermission push failure on name #1110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

fix: checkUserPushPermission push failure on name #1110

wants to merge 9 commits into from
+300 −119

Conversation

andypols
Copy link
Contributor

Summary

This PR builds on #1109 to address a bug in checkUserPushPermission. The bug caused permission checks to fail when the repository could not be found by name. It also incorrectly assumed that repository names are globally unique, which prevented users from forking the same repository into different projects/organisations within the same git-proxy platform.

This fix is split into a separate PR to keep the scope focused and to unblock the security team, who are currently running penetration tests using GitLab.

Fix

This PR:

Notes

  • A potential future improvement would be to load the repository at the start of the action chain and pass it through to each step, avoiding repeated lookups.

  • The isUserPushAllowed function is no longer used in the main code path, but cannot yet be removed because its tests in testDb.test implicitly set up state that other tests depend on. Specifically, each test in testDb.test writes to a file-based database, and subsequent tests rely on that data — making them fragile due to implicit ordering. Removing this function breaks unrelated tests. Refactoring these tests to be isolated and self-contained would be required before safely removing isUserPushAllowed, but that is out of scope for this PR.

@netlify Netlify
Copy link

netlify bot commented Jul 17, 2025
edited
Loading

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit ffcf17b
🔍 Latest deploy log https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/687cb9240023f60008e1b122

@github-actions github-actions bot added the fix label Jul 17, 2025
@codecov Codecov
Copy link

codecov bot commented Jul 17, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.33%. Comparing base (34827ca) to head (ffcf17b).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1110      +/-   ##
==========================================
- Coverage   77.40%   75.33%   -2.07%     
==========================================
  Files          56       58       +2     
  Lines        2288     2368      +80     
  Branches      258      271      +13     
==========================================
+ Hits         1771     1784      +13     
- Misses        487      554      +67     
  Partials       30       30

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

kriswest
kriswest reviewed Jul 18, 2025
View reviewed changes
Copy link
Contributor

@kriswest kriswest left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again I think this PR is a partial solution to the issues addressed in #1043 - it'll resolve a problem in the proxy but not the API or UI. I think it also needs to be adjusted to use repo URLs that include .git (as per comments on #1109) - #1043 validates its presence in the UI form, but should perhaps also do so through the API... That said I'm ntt enitrely sure if its required in the git protocol or just a convention.

The tests for the DB client code (which mock the underlying mongo/neDB libs) are worth having as they test smaller units. I'd prefer to have those going in on top of #1043 (as I've been maintaining it it for quite a while).

I agree that the DB tests could be/should be refactored to not carry over state - worse the cypress tests rely on state from the mocha tests which also needed fixing.

@kriswest kriswest mentioned this pull request Jul 18, 2025
Open
jescalada
jescalada approved these changes Jul 20, 2025
View reviewed changes
Copy link
Contributor

@jescalada jescalada left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, just missing the recent changes from #1109. 🚀

@jescalada jescalada mentioned this pull request Jul 20, 2025
Open
@jescalada
Copy link
Contributor

Will merge this after #1109 if @kriswest is okay with maintaining his PRs for just a bit longer...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kriswest kriswest kriswest left review comments

@jescalada jescalada jescalada approved these changes

Assignees
No one assigned
Labels
fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andypols @jescalada @kriswest