fix test

wxiaoguang · wxiaoguang · commit 08a0caaacd74 · 2025-10-22T09:11:17.000+08:00
diff --git a/models/user/user.go b/models/user/user.go
@@ -249,8 +249,13 @@ func (u *User) MaxCreationLimit() int {
 }
 
 // CanCreateRepoIn checks whether the doer(u) can create a repository in the owner
-// NOTE: functions calling this assume a failure due to repository count limit; it ONLY checks the repo number LIMIT, if new checks are added, those functions should be revised
+// NOTE: functions calling this assume a failure due to repository count limit, or the owner is not a real user.
+// It ONLY checks the repo number LIMIT or whether owner user is real. If new checks are added, those functions should be revised.
+// TODO: the callers can only return ErrReachLimitOfRepo, need to fine tune to support other error types in the future.
 func (u *User) CanCreateRepoIn(owner *User) bool {
+	if u.ID <= 0 {
+		return false // fake user like Ghost or Actions user
+	}
 	if u.IsAdmin {
 		return true
 	}
diff --git a/routers/api/v1/repo/repo.go b/routers/api/v1/repo/repo.go
@@ -28,6 +28,7 @@ import (
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
@@ -270,6 +271,8 @@ func CreateUserRepo(ctx *context.APIContext, owner *user_model.User, opt api.Cre
 			db.IsErrNamePatternNotAllowed(err) ||
 			label.IsErrTemplateLoad(err) {
 			ctx.APIError(http.StatusUnprocessableEntity, err)
+		} else if errors.Is(err, util.ErrPermissionDenied) {
+			ctx.APIError(http.StatusForbidden, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}
diff --git a/services/lfs/server.go b/services/lfs/server.go
@@ -556,7 +556,7 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 		return perm.CanAccess(accessMode, unit.TypeCode)
 	}
 
-	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
+	// it works for both anonymous request and signed-in user, then perm.CanAccess will do the permission check
 	perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 	if err != nil {
 		log.Error("Unable to GetUserRepoPermission for user %-v in repo %-v Error: %v", ctx.Doer, repository, err)
@@ -571,6 +571,8 @@ func authenticate(ctx *context.Context, repository *repo_model.Repository, autho
 	}
 
 	// now, either sign-in is required or the ctx.Doer cannot access, check the LFS token
+	// however, "ctx.Doer exists but cannot access then check LFS token" should not really happen:
+	// * why a request can be sent with both valid user session and valid LFS token then use LFS token to access?
 	user, err := parseToken(ctx, authorization, repository, accessMode)
 	if err != nil {
 		// Most of these are Warn level - the true internal server errors are logged in parseToken already
diff --git a/tests/integration/actions_job_token_test.go b/tests/integration/actions_job_token_test.go
@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
 	"code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -53,9 +54,7 @@ func testActionsJobTokenAccess(u *url.URL, isFork bool) func(t *testing.T) {
 			require.Equal(t, "user5", r.Owner.UserName)
 		}))
 
-		if isFork {
-			context.ExpectedCode = 403
-		}
+		context.ExpectedCode = util.Iif(isFork, http.StatusForbidden, http.StatusCreated)
 		t.Run("API Create File", doAPICreateFile(context, "test.txt", &structs.CreateFileOptions{
 			FileOptions: structs.FileOptions{
 				NewBranchName: "new-branch",
@@ -64,10 +63,10 @@ func testActionsJobTokenAccess(u *url.URL, isFork bool) func(t *testing.T) {
 			ContentBase64: base64.StdEncoding.EncodeToString([]byte(`This is a test file created using job token.`)),
 		}))
 
-		context.ExpectedCode = 500
+		context.ExpectedCode = http.StatusForbidden
 		t.Run("Fail to Create Repository", doAPICreateRepository(context, true))
 
-		context.ExpectedCode = 403
+		context.ExpectedCode = http.StatusForbidden
 		t.Run("Fail to Delete Repository", doAPIDeleteRepository(context))
 
 		t.Run("Fail to Create Organization", doAPICreateOrganization(context, &structs.CreateOrgOption{

Original file line number	Diff line number	Diff line change
`@@ -249,8 +249,13 @@ func (u *User) MaxCreationLimit() int {`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`// CanCreateRepoIn checks whether the doer(u) can create a repository in the owner`
`252`		`-// NOTE: functions calling this assume a failure due to repository count limit; it ONLY checks the repo number LIMIT, if new checks are added, those functions should be revised`
	`252`	`+// NOTE: functions calling this assume a failure due to repository count limit, or the owner is not a real user.`
	`253`	`+// It ONLY checks the repo number LIMIT or whether owner user is real. If new checks are added, those functions should be revised.`
	`254`	`+// TODO: the callers can only return ErrReachLimitOfRepo, need to fine tune to support other error types in the future.`
`253`	`255`	`func (u User) CanCreateRepoIn(owner User) bool {`
	`256`	`+ if u.ID <= 0 {`
	`257`	`+ return false // fake user like Ghost or Actions user`
	`258`	`+ }`
`254`	`259`	`if u.IsAdmin {`
`255`	`260`	`return true`
`256`	`261`	`}`