fix: require code permissions for branch feed

- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.

routers/web/web.go

@@ -1562,8 +1562,10 @@ func registerRoutes(m *web.Route) {
 			m.Get("/cherry-pick/{sha:([a-f0-9]{4,64})$}", repo.SetEditorconfigIfExists, repo.CherryPick)
 		}, repo.MustBeNotEmpty, context.RepoRef(), reqRepoCodeReader)
 
-		m.Get("/rss/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("rss"))
-		m.Get("/atom/branch/*", repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), feedEnabled, feed.RenderBranchFeed("atom"))
+		m.Group("", func() {
+			m.Get("/rss/branch/*", feed.RenderBranchFeed("rss"))
+			m.Get("/atom/branch/*", feed.RenderBranchFeed("atom"))
+		}, repo.MustBeNotEmpty, context.RepoRefByType(context.RepoRefBranch), reqRepoCodeReader, feedEnabled)
 
 		m.Group("/src", func() {
 			m.Get("/branch/*", context.RepoRefByType(context.RepoRefBranch), repo.Home)

tests/integration/api_feed_user_test.go

@@ -109,4 +109,24 @@ func TestFeed(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("View permission", func(t *testing.T) {
+		t.Run("Anomynous", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("No code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user8")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusNotFound)
+		})
+		t.Run("With code permission", func(t *testing.T) {
+			defer tests.PrintCurrentTest(t)()
+			session := loginUser(t, "user9")
+			req := NewRequest(t, "GET", "/org3/repo3/rss/branch/master")
+			session.MakeRequest(t, req, http.StatusOK)
+		})
+	})
 }

tests/integration/fixtures/TestFeed/team.yml

@@ -0,0 +1,21 @@
+-
+  id: 1001
+  org_id: 3
+  lower_name: no_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false
+
+-
+  id: 1002
+  org_id: 3
+  lower_name: read_code
+  name: no_code
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
+  includes_all_repositories: false
+  can_create_org_repo: false

tests/integration/fixtures/TestFeed/team_repo.yml

@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  repo_id: 3
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  repo_id: 3

tests/integration/fixtures/TestFeed/team_unit.yml

@@ -0,0 +1,83 @@
+-
+  id: 1001
+  team_id: 1001
+  type: 1
+  access_mode: 0
+
+-
+  id: 1002
+  team_id: 1001
+  type: 2
+  access_mode: 1
+
+-
+  id: 1003
+  team_id: 1001
+  type: 3
+  access_mode: 1
+
+-
+  id: 1004
+  team_id: 1001
+  type: 4
+  access_mode: 1
+
+-
+  id: 1005
+  team_id: 1001
+  type: 5
+  access_mode: 1
+
+-
+  id: 1006
+  team_id: 1001
+  type: 6
+  access_mode: 1
+
+-
+  id: 1007
+  team_id: 1001
+  type: 7
+  access_mode: 1
+
+-
+  id: 1008
+  team_id: 1002
+  type: 1
+  access_mode: 1
+
+-
+  id: 1009
+  team_id: 1002
+  type: 2
+  access_mode: 1
+
+-
+  id: 1010
+  team_id: 1002
+  type: 3
+  access_mode: 1
+
+-
+  id: 1011
+  team_id: 1002
+  type: 4
+  access_mode: 1
+
+-
+  id: 1012
+  team_id: 1002
+  type: 5
+  access_mode: 1
+
+-
+  id: 1013
+  team_id: 1002
+  type: 6
+  access_mode: 1
+
+-
+  id: 1014
+  team_id: 1002
+  type: 7
+  access_mode: 1

tests/integration/fixtures/TestFeed/team_user.yml

@@ -0,0 +1,11 @@
+-
+  id: 1001
+  org_id: 3
+  team_id: 1001
+  uid: 8
+
+-
+  id: 1002
+  org_id: 3
+  team_id: 1002
+  uid: 9