Patch #43682

open

Add API authorization tests for private/public project access control

Added by 陽一 宇田 about 5 hours ago.

Status: New
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

This patch adds integration tests to verify API authorization behavior for issue creation and updates on private and public projects.

Background

Currently, there are no explicit tests covering API access control for:
  • Non-members accessing private projects
  • Non-members and anonymous users accessing public projects with different permission configurations

Tests Added (9 tests)

Private Project Tests

  • Non-member should not be able to create issues on private projects
  • Non-member should not be able to update issues on private projects
  • Admin should be able to create/update issues on private projects even as non-member

Public Project Tests

  • Non-member can create issues when Non member role has :add_issues permission
  • Non-member cannot update issues when Non member role lacks :edit_issues permission (default behavior)
  • Anonymous cannot create issues by default (lacks :add_issues permission)
  • Anonymous cannot update issues by default (lacks :edit_issues permission)
  • When user only has :add_issue_notes permission, attribute changes should be ignored (only notes can be added)

Notes

These tests document the expected default behavior where:
  • Non member role has :add_issues but NOT :edit_issues
  • Anonymous role has only :view_issues

All tests pass on current trunk.


Files

api_authorization_tests.patch (7.52 KB) 陽一 宇田, 2026-01-17 16:07
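
The access rules listed in the description, as a simplified Ruby model added here for illustration; it is not the attached patch and not Redmine's code. The struct, method and constant names are hypothetical, and the rule that a non-member receives a built-in role only on a public project is an assumption drawn from the test list.

```ruby
# Simplified model of the access rules in the description; not Redmine code.
# Built-in role defaults come from the "Notes" section of the ticket.
BUILTIN_ROLES = {
  non_member: %i[view_issues add_issues],  # has :add_issues, lacks :edit_issues
  anonymous:  %i[view_issues]              # view only
}.freeze

User    = Struct.new(:login, :admin, :anonymous, keyword_init: true)
Project = Struct.new(:is_public, :members, keyword_init: true) # members: login => permissions

# Assumption: a non-member gets a built-in role only on a public project.
def permissions_for(user, project, builtin = BUILTIN_ROLES)
  return project.members[user.login] if project.members.key?(user.login)
  return [] unless project.is_public
  user.anonymous ? builtin[:anonymous] : builtin[:non_member]
end

def allowed?(user, action, project, builtin = BUILTIN_ROLES)
  user.admin || permissions_for(user, project, builtin).include?(action)
end

def create_issue(user, project, attrs, builtin = BUILTIN_ROLES)
  allowed?(user, :add_issues, project, builtin) ? [:ok, attrs.merge(notes: [])] : [:denied, nil]
end

# With :edit_issues every submitted attribute applies; with only
# :add_issue_notes the note is stored and attribute changes are dropped.
def update_issue(user, project, issue, params, builtin = BUILTIN_ROLES)
  can_edit = allowed?(user, :edit_issues, project, builtin)
  can_note = can_edit || allowed?(user, :add_issue_notes, project, builtin)
  return [:denied, issue] unless can_note
  updated = can_edit ? issue.merge(params.reject { |k, _| k == :notes }) : issue.dup
  updated[:notes] = issue[:notes] + [params[:notes]].compact
  [:ok, updated]
end

# Constructed sample data (hypothetical names).
PRIVATE_PROJECT = Project.new(is_public: false, members: {})
PUBLIC_PROJECT  = Project.new(is_public: true,  members: {})
OUTSIDER   = User.new(login: "outsider", admin: false, anonymous: false)
ANON       = User.new(login: nil, admin: false, anonymous: true)
ADMIN      = User.new(login: "admin", admin: true, anonymous: false)
ISSUE      = { subject: "Original", notes: [] }.freeze
NOTES_ONLY = BUILTIN_ROLES.merge(non_member: %i[view_issues add_issue_notes]).freeze
```

The last case in the list is the one most worth a test of its own: the request succeeds, so only a check that the stored attributes are unchanged shows that the edit was dropped.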
