// Copyright 2017 The Gitea Authors. All rights reserved. // Copyright 2024 The Forgejo Authors. All rights reserved. // SPDX-License-Identifier: MIT package integration import ( "net/http" "testing" auth_model "forgejo.org/models/auth" "forgejo.org/models/db" "forgejo.org/models/unittest" user_model "forgejo.org/models/user" "forgejo.org/modules/setting" "forgejo.org/modules/test" "forgejo.org/modules/translation" "forgejo.org/tests" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestSettingShowUserEmailExplore(t *testing.T) { defer tests.PrepareTestEnv(t)() showUserEmail := setting.UI.ShowUserEmail setting.UI.ShowUserEmail = true session := loginUser(t, "user2") req := NewRequest(t, "GET", "/explore/users?sort=alphabetically") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find(".explore.users").Text(), "user34@example.com", ) setting.UI.ShowUserEmail = false req = NewRequest(t, "GET", "/explore/users?sort=alphabetically") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) assert.NotContains(t, htmlDoc.doc.Find(".explore.users").Text(), "user34@example.com", ) setting.UI.ShowUserEmail = showUserEmail } func TestSettingShowUserEmailProfile(t *testing.T) { defer tests.PrepareTestEnv(t)() showUserEmail := setting.UI.ShowUserEmail // user1: keep_email_private = false, user2: keep_email_private = true setting.UI.ShowUserEmail = true // user1 can see own visible email session := loginUser(t, "user1") req := NewRequest(t, "GET", "/user1") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find(".user.profile").Text(), "user1@example.com") // user1 can not see user2's hidden email req = NewRequest(t, "GET", "/user2") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) // Should only contain if the user visits their own profile page assert.NotContains(t, htmlDoc.doc.Find(".user.profile").Text(), "user2@example.com") // user2 can see user1's visible email session = loginUser(t, "user2") req = NewRequest(t, "GET", "/user1") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find(".user.profile").Text(), "user1@example.com") // user2 cannot see own hidden email session = loginUser(t, "user2") req = NewRequest(t, "GET", "/user2") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) assert.NotContains(t, htmlDoc.doc.Find(".user.profile").Text(), "user2@example.com") setting.UI.ShowUserEmail = false // user1 cannot see own (now hidden) email session = loginUser(t, "user1") req = NewRequest(t, "GET", "/user1") resp = session.MakeRequest(t, req, http.StatusOK) htmlDoc = NewHTMLParser(t, resp.Body) assert.NotContains(t, htmlDoc.doc.Find(".user.profile").Text(), "user1@example.com") setting.UI.ShowUserEmail = showUserEmail } func TestSettingLandingPage(t *testing.T) { defer tests.PrepareTestEnv(t)() defer test.MockProtect(&setting.LandingPageURL)() setting.LandingPageURL = setting.LandingPageHome req := NewRequest(t, "GET", "/") MakeRequest(t, req, http.StatusOK) setting.LandingPageURL = setting.LandingPageExplore req = NewRequest(t, "GET", "/") resp := MakeRequest(t, req, http.StatusSeeOther) assert.Equal(t, "/explore", resp.Header().Get("Location")) setting.LandingPageURL = setting.LandingPageOrganizations req = NewRequest(t, "GET", "/") resp = MakeRequest(t, req, http.StatusSeeOther) assert.Equal(t, "/explore/organizations", resp.Header().Get("Location")) setting.LandingPageURL = setting.LandingPageLogin req = NewRequest(t, "GET", "/") resp = MakeRequest(t, req, http.StatusSeeOther) assert.Equal(t, "/user/login", resp.Header().Get("Location")) } func TestSettingSecurityAuthSource(t *testing.T) { defer tests.PrepareTestEnv(t)() user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) active := addAuthSource(t, authSourcePayloadGitLabCustom("gitlab-active")) activeExternalLoginUser := &user_model.ExternalLoginUser{ ExternalID: "12345", UserID: user.ID, LoginSourceID: active.ID, } err := user_model.LinkExternalToUser(db.DefaultContext, user, activeExternalLoginUser) require.NoError(t, err) inactive := addAuthSource(t, authSourcePayloadGitLabCustom("gitlab-inactive")) inactiveExternalLoginUser := &user_model.ExternalLoginUser{ ExternalID: "5678", UserID: user.ID, LoginSourceID: inactive.ID, } err = user_model.LinkExternalToUser(db.DefaultContext, user, inactiveExternalLoginUser) require.NoError(t, err) // mark the authSource as inactive inactive.IsActive = false err = auth_model.UpdateSource(db.DefaultContext, inactive) require.NoError(t, err) session := loginUser(t, "user1") req := NewRequest(t, "GET", "user/settings/security") resp := session.MakeRequest(t, req, http.StatusOK) assert.Contains(t, resp.Body.String(), `gitlab-active`) assert.Contains(t, resp.Body.String(), `gitlab-inactive`) } func TestSettingSecurityTwoFactorRequirement(t *testing.T) { defer tests.PrepareTestEnv(t)() locale := translation.NewLocale("en-US") runTest := func(t *testing.T, user *user_model.User, forceTOTP, showReroll, showUnroll bool) { t.Helper() defer unittest.AssertSuccessfulDelete(t, &auth_model.TwoFactor{UID: user.ID}) useTOTP := forceTOTP || user.MustHaveTwoFactor() session := loginUserMaybeTOTP(t, user, useTOTP) resp := session.MakeRequest(t, NewRequest(t, "GET", "user/settings/security"), http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) htmlDoc.AssertSelection(t, htmlDoc.FindByText("a", locale.TrString("settings.twofa_reenroll")), showReroll) htmlDoc.AssertElement(t, "#disable-form", showUnroll) htmlDoc.AssertSelection(t, htmlDoc.FindByText("p", locale.TrString("settings.twofa_unroll_unavailable")), showReroll && !showUnroll) req := NewRequestWithValues(t, "POST", "user/settings/security/two_factor/disable", map[string]string{ "_csrf": htmlDoc.GetCSRF(), }) if user.MustHaveTwoFactor() { session.MakeRequest(t, req, http.StatusNotFound) } else { resp := session.MakeRequest(t, req, http.StatusSeeOther) assert.Equal(t, "/user/settings/security", resp.Header().Get("Location")) } } adminUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) normalUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) restrictedUser := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 29}) t.Run("NoneTwoFactorRequirement", func(t *testing.T) { t.Run("no 2fa", func(t *testing.T) { runTest(t, adminUser, false, false, false) runTest(t, normalUser, false, false, false) runTest(t, restrictedUser, false, false, false) }) t.Run("enabled 2fa", func(t *testing.T) { runTest(t, adminUser, true, true, true) runTest(t, normalUser, true, true, true) runTest(t, restrictedUser, true, true, true) }) }) t.Run("AllTwoFactorRequirement", func(t *testing.T) { defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AllTwoFactorRequirement)() runTest(t, adminUser, false, true, false) runTest(t, normalUser, false, true, false) runTest(t, restrictedUser, false, true, false) }) t.Run("AdminTwoFactorRequirement", func(t *testing.T) { defer test.MockVariableValue(&setting.GlobalTwoFactorRequirement, setting.AdminTwoFactorRequirement)() t.Run("no 2fa", func(t *testing.T) { runTest(t, adminUser, false, true, false) runTest(t, normalUser, false, false, false) runTest(t, restrictedUser, false, false, false) }) t.Run("enabled 2fa", func(t *testing.T) { runTest(t, adminUser, true, true, false) runTest(t, normalUser, true, true, true) runTest(t, restrictedUser, true, true, true) }) }) } func TestUserAvatarSizeNotice(t *testing.T) { defer tests.PrepareTestEnv(t)() session := loginUser(t, "user1") req := NewRequest(t, "GET", "/user/settings") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find("form div:has(input#new-avatar) .help").Text(), "Custom avatar may not exceed 1 MiB in size or be larger than 4096x4096 pixels") } func TestRepoAvatarSizeNotice(t *testing.T) { defer tests.PrepareTestEnv(t)() session := loginUser(t, "user2") req := NewRequest(t, "GET", "/user2/repo1/settings") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find("form div:has(input[name=\"avatar\"]) .help").Text(), "Custom avatar may not exceed 1 MiB in size or be larger than 4096x4096 pixels") } func TestOrgAvatarSizeNotice(t *testing.T) { defer tests.PrepareTestEnv(t)() session := loginUser(t, "user2") req := NewRequest(t, "GET", "/org/org3/settings") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find("form div:has(input[name=\"avatar\"]) .help").Text(), "Custom avatar may not exceed 1 MiB in size or be larger than 4096x4096 pixels") } func TestAdminAvatarSizeNotice(t *testing.T) { defer tests.PrepareTestEnv(t)() session := loginUser(t, "user1") req := NewRequest(t, "GET", "/admin/users/2/edit") resp := session.MakeRequest(t, req, http.StatusOK) htmlDoc := NewHTMLParser(t, resp.Body) assert.Contains(t, htmlDoc.doc.Find("form div:has(input[name=\"avatar\"]) .help").Text(), "Custom avatar may not exceed 1 MiB in size or be larger than 4096x4096 pixels") }