fix: close gitea_review_pr ungated bypass (#15)
+54
-25
@@ -321,38 +321,67 @@ class TestReviewPR(unittest.TestCase):
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
def test_review_pr_and_merge(self, _auth, mock_api):
# GET PR response (fetch head SHA)
def test_legacy_review_pr_merge_fails_closed(self, _auth, mock_api):
result = gitea_review_pr(
pr_number=1,
event="APPROVE",
body="Looks good",
merge=True
)
self.assertFalse(result["success"])
self.assertIn("no longer supported", result["message"])
self.assertEqual(mock_api.call_count, 0)
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
@patch("mcp_server.get_profile")
def test_legacy_review_pr_uses_gates(self, mock_get_profile, _auth, mock_api):
# Mock profile to lack approve capability (fails gate)
mock_get_profile.return_value = {
"profile_name": "gitea-readonly",
"allowed_operations": ["read"],
"forbidden_operations": [],
"base_url": None,
}
# mock_api responses for auth_user and pr_author
mock_api.side_effect = [
{"head": {"sha": "sha-val-123"}}, # GET PR pulls/1
{}, # POST review
{}, # POST merge
{"login": "reviewer1"}, # /api/v1/user
{"state": "open", "head": {"sha": "abc1234"}, "mergeable": True, "user": {"login": "author1"}}, # /pulls/1
]
result = gitea_review_pr(
pr_number=1,
event="APPROVE",
body="Looks good",
merge=True,
merge_method="squash"
merge=False
)
self.assertTrue(result["success"])
self.assertIn("Successfully submitted review", result["message"])
self.assertIn("Successfully merged", result["message"])
# Check call counts and arguments
self.assertEqual(mock_api.call_count, 3)
# Verify GET PR
self.assertEqual(mock_api.call_args_list[0][0][0], "GET")
# Verify POST review
self.assertEqual(mock_api.call_args_list[1][0][0], "POST")
self.assertEqual(mock_api.call_args_list[1][0][3]["event"], "APPROVE")
self.assertEqual(mock_api.call_args_list[1][0][3]["commit_id"], "sha-val-123")
# Verify POST merge
self.assertEqual(mock_api.call_args_list[2][0][0], "POST")
self.assertEqual(mock_api.call_args_list[2][0][3]["Do"], "squash")
self.assertFalse(result["success"])
self.assertIn("Review submission failed eligibility gates", result["message"])
self.assertIn("not allowed to approve", result["message"])
@patch("mcp_server.api_request")
@patch("mcp_server.get_auth_header", return_value=FAKE_AUTH)
@patch("mcp_server.get_profile")
def test_legacy_review_pr_self_approval_blocked(self, mock_get_profile, _auth, mock_api):
mock_get_profile.return_value = {
"profile_name": "gitea-reviewer",
"allowed_operations": ["read", "approve"],
"forbidden_operations": [],
"base_url": None,
}
# mock_api responses for auth_user and pr_author
mock_api.side_effect = [
{"login": "jcwalker3"}, # /api/v1/user
{"state": "open", "head": {"sha": "abc1234"}, "mergeable": True, "user": {"login": "jcwalker3"}}, # /pulls/1
]
result = gitea_review_pr(
pr_number=1,
event="APPROVE",
body="Self approve",
merge=False
)
self.assertFalse(result["success"])
self.assertIn("Review submission failed eligibility gates", result["message"])
self.assertIn("authenticated user is PR author", result["message"])
# ---------------------------------------------------------------------------
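Review bot: test_legacy_review_pr_uses_gates and test_legacy_review_pr_self_approval_blocked assert only the failure message and never check that the gate actually stopped the write — nothing verifies that no POST reached mock_api, which is the property a fail-closed test should pin. Because side_effect is a fixed two-item list, an unexpected third call would surface only indirectly (an exhausted iterator inside whatever error handling gitea_review_pr has), so the guarantee is accidental rather than asserted. Add after the message assertions in both tests `self.assertFalse(any(c[0][0] == "POST" for c in mock_api.call_args_list))` (or `self.assertEqual(mock_api.call_count, 2)`), mirroring the explicit `assertEqual(mock_api.call_count, 0)` that test_legacy_review_pr_merge_fails_closed already has. The enclosing class TestReviewPR starts before this hunk, and the old/new side of the interleaved side_effect entries cannot be told apart on this rendered page, so the count of 2 is inferred from the new tests' comments.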