Oleks
8ae6245c19
Adds the missing REST surface that mirrors the existing repo-scope project
API onto user and organization namespaces, so projects at /{owner}/-/projects/
become programmatically manageable (linking issues, listing column membership,
moving cards between columns) without browser-session auth.
Routes registered under /api/v1/users/{username}/projects/... and
/api/v1/orgs/{org}/projects/..., gated by AccessTokenScopeCategoryIssue.
User-scope writes require owner==doer or site admin; org-scope writes
require org membership. Handlers copy the repo-scope shape rather than
refactoring the existing repo handlers, keeping shipping code untouched.
Integration tests cover CRUD, columns, issue add/remove/move, listing per
column, and the permission matrix (owner/non-member/admin) for both scopes.
498 lines
20 KiB
Go
498 lines
20 KiB
Go
// Copyright 2026 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
issues_model "code.gitea.io/gitea/models/issues"
|
|
project_model "code.gitea.io/gitea/models/project"
|
|
"code.gitea.io/gitea/models/unittest"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
api "code.gitea.io/gitea/modules/structs"
|
|
projects_service "code.gitea.io/gitea/services/projects"
|
|
"code.gitea.io/gitea/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestAPIUserProjects(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
t.Run("ListProjects", testAPIUserListProjects)
|
|
t.Run("GetProject", testAPIUserGetProject)
|
|
t.Run("CreateProject", testAPIUserCreateProject)
|
|
t.Run("UpdateProject", testAPIUserUpdateProject)
|
|
t.Run("ChangeProjectStatus", testAPIUserChangeProjectStatus)
|
|
t.Run("DeleteProject", testAPIUserDeleteProject)
|
|
t.Run("ListProjectColumns", testAPIUserListProjectColumns)
|
|
t.Run("CreateProjectColumn", testAPIUserCreateProjectColumn)
|
|
t.Run("UpdateProjectColumn", testAPIUserUpdateProjectColumn)
|
|
t.Run("DeleteProjectColumn", testAPIUserDeleteProjectColumn)
|
|
t.Run("AddIssueToProjectColumn", testAPIUserAddIssueToProjectColumn)
|
|
t.Run("RemoveIssueFromProjectColumn", testAPIUserRemoveIssueFromProjectColumn)
|
|
t.Run("ListProjectColumnIssues", testAPIUserListProjectColumnIssues)
|
|
t.Run("MoveProjectIssue", testAPIUserMoveProjectIssue)
|
|
t.Run("Permissions", testAPIUserProjectPermissions)
|
|
}
|
|
|
|
func makeUserProject(t *testing.T, owner *user_model.User) *project_model.Project {
|
|
t.Helper()
|
|
p := &project_model.Project{
|
|
OwnerID: owner.ID,
|
|
Title: "Test User Project",
|
|
Description: "created by test helper",
|
|
CreatorID: owner.ID,
|
|
Type: project_model.TypeIndividual,
|
|
TemplateType: project_model.TemplateTypeNone,
|
|
}
|
|
err := project_model.NewProject(t.Context(), p)
|
|
assert.NoError(t, err)
|
|
return p
|
|
}
|
|
|
|
func testAPIUserListProjects(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
req := NewRequestf(t, "GET", "/api/v1/users/%s/projects", owner.Name).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var projects []*api.Project
|
|
DecodeJSON(t, resp, &projects)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects?state=open", owner.Name).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &projects)
|
|
for _, p := range projects {
|
|
assert.Equal(t, api.StateOpen, p.State)
|
|
}
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects?state=all", owner.Name).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
}
|
|
|
|
func testAPIUserGetProject(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
req := NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d", owner.Name, p.ID).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var got api.Project
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, p.ID, got.ID)
|
|
assert.Equal(t, p.Title, got.Title)
|
|
assert.Equal(t, "individual", got.Type)
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects/99999", owner.Name).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserCreateProject(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects", owner.Name), &api.CreateProjectOption{
|
|
Title: "Created via API",
|
|
Description: "desc",
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusCreated)
|
|
|
|
var got api.Project
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, "Created via API", got.Title)
|
|
assert.Equal(t, "individual", got.Type)
|
|
|
|
// unauthenticated
|
|
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects", owner.Name), &api.CreateProjectOption{Title: "x"})
|
|
MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
// empty title
|
|
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects", owner.Name), &api.CreateProjectOption{Title: ""}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
}
|
|
|
|
func testAPIUserUpdateProject(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
newTitle := "Updated Title"
|
|
newDesc := "Updated desc"
|
|
req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
Title: &newTitle,
|
|
Description: &newDesc,
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
var got api.Project
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, newTitle, got.Title)
|
|
assert.Equal(t, newDesc, got.Description)
|
|
}
|
|
|
|
func testAPIUserChangeProjectStatus(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
closed := api.StateClosed
|
|
req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
State: &closed,
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var got api.Project
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, api.StateClosed, got.State)
|
|
assert.NotNil(t, got.ClosedAt)
|
|
|
|
open := api.StateOpen
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
State: &open,
|
|
}).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, api.StateOpen, got.State)
|
|
|
|
bogus := api.StateType("reopen")
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
State: &bogus,
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
}
|
|
|
|
func testAPIUserDeleteProject(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
req := NewRequestf(t, "DELETE", "/api/v1/users/%s/projects/%d", owner.Name, p.ID).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
req = NewRequestf(t, "DELETE", "/api/v1/users/%s/projects/%d", owner.Name, p.ID).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserListProjectColumns(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
for i := 1; i <= 3; i++ {
|
|
col := &project_model.Column{
|
|
Title: fmt.Sprintf("Col%d", i),
|
|
ProjectID: p.ID,
|
|
CreatorID: owner.ID,
|
|
}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col))
|
|
}
|
|
|
|
req := NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d/columns", owner.Name, p.ID).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var cols []*api.ProjectColumn
|
|
DecodeJSON(t, resp, &cols)
|
|
assert.Len(t, cols, 3)
|
|
assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d/columns?page=1&limit=2", owner.Name, p.ID).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &cols)
|
|
assert.Len(t, cols, 2)
|
|
assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
|
|
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d/columns?page=2&limit=2", owner.Name, p.ID).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &cols)
|
|
assert.Len(t, cols, 1)
|
|
assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
|
|
}
|
|
|
|
func testAPIUserCreateProjectColumn(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns", owner.Name, p.ID), &api.CreateProjectColumnOption{
|
|
Title: "New Column",
|
|
Color: "#FF5733",
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusCreated)
|
|
var col api.ProjectColumn
|
|
DecodeJSON(t, resp, &col)
|
|
assert.Equal(t, "New Column", col.Title)
|
|
assert.Equal(t, "#FF5733", col.Color)
|
|
assert.Equal(t, p.ID, col.ProjectID)
|
|
|
|
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns", owner.Name, p.ID), &api.CreateProjectColumnOption{
|
|
Title: "Simple Column",
|
|
}).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusCreated)
|
|
DecodeJSON(t, resp, &col)
|
|
assert.Equal(t, "Simple Column", col.Title)
|
|
|
|
// empty title
|
|
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns", owner.Name, p.ID), &api.CreateProjectColumnOption{
|
|
Title: "",
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
|
|
// non-existent project
|
|
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/projects/99999/columns", owner.Name), &api.CreateProjectColumnOption{
|
|
Title: "Orphan",
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserUpdateProjectColumn(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
col := &project_model.Column{
|
|
Title: "Original",
|
|
ProjectID: p.ID,
|
|
CreatorID: owner.ID,
|
|
Color: "#000000",
|
|
}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col))
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
newTitle := "Updated Column"
|
|
req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d", owner.Name, p.ID, col.ID), &api.EditProjectColumnOption{
|
|
Title: &newTitle,
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var got api.ProjectColumn
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, newTitle, got.Title)
|
|
|
|
newColor := "#FF0000"
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d", owner.Name, p.ID, col.ID), &api.EditProjectColumnOption{
|
|
Color: &newColor,
|
|
}).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
DecodeJSON(t, resp, &got)
|
|
assert.Equal(t, newColor, got.Color)
|
|
|
|
// non-existent column
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/99999", owner.Name, p.ID), &api.EditProjectColumnOption{
|
|
Title: &newTitle,
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserDeleteProjectColumn(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
col := &project_model.Column{
|
|
Title: "ToDelete",
|
|
ProjectID: p.ID,
|
|
CreatorID: owner.ID,
|
|
}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col))
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
req := NewRequestf(t, "DELETE", "/api/v1/users/%s/projects/%d/columns/%d", owner.Name, p.ID, col.ID).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
req = NewRequestf(t, "DELETE", "/api/v1/users/%s/projects/%d/columns/%d", owner.Name, p.ID, col.ID).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserAddIssueToProjectColumn(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
|
|
p := makeUserProject(t, owner)
|
|
|
|
col1 := &project_model.Column{Title: "Column 1", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col1))
|
|
col2 := &project_model.Column{Title: "Column 2", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col2))
|
|
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
// add to col1
|
|
req := NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/%d", owner.Name, p.ID, col1.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
pi := unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{ProjectID: p.ID, IssueID: issue.ID})
|
|
assert.Equal(t, col1.ID, pi.ProjectColumnID)
|
|
|
|
// move to col2 via POST
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/%d", owner.Name, p.ID, col2.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
pi = unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{ProjectID: p.ID, IssueID: issue.ID})
|
|
assert.Equal(t, col2.ID, pi.ProjectColumnID)
|
|
|
|
// idempotent: add to same column again
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/%d", owner.Name, p.ID, col2.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusCreated)
|
|
|
|
// non-existent issue
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/99999", owner.Name, p.ID, col1.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
// non-existent column
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/99999/issues/%d", owner.Name, p.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserRemoveIssueFromProjectColumn(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
|
|
p := makeUserProject(t, owner)
|
|
|
|
col := &project_model.Column{Title: "Col", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), col))
|
|
otherCol := &project_model.Column{Title: "Other", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), otherCol))
|
|
|
|
assert.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue, owner, []int64{p.ID}))
|
|
assert.NoError(t, projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, col, map[int64]int64{0: issue.ID}))
|
|
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
// removing via the wrong column must 404 and not detach the issue
|
|
req := NewRequestWithJSON(t, "DELETE",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/%d", owner.Name, p.ID, otherCol.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{ProjectID: p.ID, IssueID: issue.ID})
|
|
|
|
// correct column fully detaches the issue from the project
|
|
req = NewRequestWithJSON(t, "DELETE",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/columns/%d/issues/%d", owner.Name, p.ID, col.ID, issue.ID), nil,
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
unittest.AssertNotExistsBean(t, &project_model.ProjectIssue{ProjectID: p.ID, IssueID: issue.ID})
|
|
}
|
|
|
|
func testAPIUserListProjectColumnIssues(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
issueA := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
|
|
issueB := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
|
|
p := makeUserProject(t, owner)
|
|
|
|
colA := &project_model.Column{Title: "ColA", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), colA))
|
|
colB := &project_model.Column{Title: "ColB", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), colB))
|
|
|
|
assert.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issueA, owner, []int64{p.ID}))
|
|
assert.NoError(t, projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, colA, map[int64]int64{0: issueA.ID}))
|
|
assert.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issueB, owner, []int64{p.ID}))
|
|
assert.NoError(t, projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, colB, map[int64]int64{0: issueB.ID}))
|
|
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
|
|
|
|
// colA contains only issueA
|
|
req := NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d/columns/%d/issues", owner.Name, p.ID, colA.ID).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
var gotA []api.Issue
|
|
DecodeJSON(t, resp, &gotA)
|
|
assert.Len(t, gotA, 1)
|
|
assert.Equal(t, issueA.ID, gotA[0].ID)
|
|
|
|
// colB contains only issueB
|
|
req = NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d/columns/%d/issues", owner.Name, p.ID, colB.ID).AddTokenAuth(token)
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
var gotB []api.Issue
|
|
DecodeJSON(t, resp, &gotB)
|
|
assert.Len(t, gotB, 1)
|
|
assert.Equal(t, issueB.ID, gotB[0].ID)
|
|
}
|
|
|
|
func testAPIUserMoveProjectIssue(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
|
|
p := makeUserProject(t, owner)
|
|
|
|
colA := &project_model.Column{Title: "A", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), colA))
|
|
colB := &project_model.Column{Title: "B", ProjectID: p.ID, CreatorID: owner.ID}
|
|
assert.NoError(t, project_model.NewColumn(t.Context(), colB))
|
|
|
|
assert.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue, owner, []int64{p.ID}))
|
|
assert.NoError(t, projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, colA, map[int64]int64{0: issue.ID}))
|
|
|
|
token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
// move to colB
|
|
req := NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/issues/%d/move", owner.Name, p.ID, issue.ID),
|
|
&api.MoveProjectIssueOption{ColumnID: colB.ID},
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
pi := unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{ProjectID: p.ID, IssueID: issue.ID})
|
|
assert.Equal(t, colB.ID, pi.ProjectColumnID)
|
|
|
|
// non-existent target column -> 422
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/issues/%d/move", owner.Name, p.ID, issue.ID),
|
|
&api.MoveProjectIssueOption{ColumnID: 99999},
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
|
|
// issue not in project -> 404
|
|
otherIssue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 4})
|
|
req = NewRequestWithJSON(t, "POST",
|
|
fmt.Sprintf("/api/v1/users/%s/projects/%d/issues/%d/move", owner.Name, p.ID, otherIssue.ID),
|
|
&api.MoveProjectIssueOption{ColumnID: colA.ID},
|
|
).AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
}
|
|
|
|
func testAPIUserProjectPermissions(t *testing.T) {
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
|
other := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user5"})
|
|
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
|
|
|
p := makeUserProject(t, owner)
|
|
ownerToken := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
otherToken := getUserToken(t, other.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
adminToken := getUserToken(t, admin.Name, auth_model.AccessTokenScopeWriteIssue)
|
|
|
|
// anon can read
|
|
req := NewRequestf(t, "GET", "/api/v1/users/%s/projects/%d", owner.Name, p.ID)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
|
|
// owner can write
|
|
newTitle := "By Owner"
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
Title: &newTitle,
|
|
}).AddTokenAuth(ownerToken)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
|
|
// other user cannot write
|
|
newTitle = "By Other"
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
Title: &newTitle,
|
|
}).AddTokenAuth(otherToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
|
|
// other user cannot delete
|
|
req = NewRequestf(t, "DELETE", "/api/v1/users/%s/projects/%d", owner.Name, p.ID).AddTokenAuth(otherToken)
|
|
MakeRequest(t, req, http.StatusForbidden)
|
|
|
|
// admin can write
|
|
newTitle = "By Admin"
|
|
req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/users/%s/projects/%d", owner.Name, p.ID), &api.EditProjectOption{
|
|
Title: &newTitle,
|
|
}).AddTokenAuth(adminToken)
|
|
MakeRequest(t, req, http.StatusOK)
|
|
}
|