@@ -228,7 +228,7 @@ func TestOkToTestComment(t *testing.T) {
228228 runevent : info.Event {
229229 Organization : "owner" ,
230230 Repository : "repo" ,
231- Sender : "nonowner " ,
231+ Sender : "notowner " ,
232232 EventType : "issue_comment" ,
233233 Event : issueCommentPayload ,
234234 },
@@ -298,7 +298,7 @@ func TestOkToTestComment(t *testing.T) {
298298 runevent : info.Event {
299299 Organization : "owner" ,
300300 Repository : "repo" ,
301- Sender : "nonowner " ,
301+ Sender : "notowner " ,
302302 EventType : "issue_comment" ,
303303 Event : issueCommentPayload ,
304304 },
@@ -326,8 +326,9 @@ func TestOkToTestComment(t *testing.T) {
326326 func (rw http.ResponseWriter , _ * http.Request ) {
327327 fmt .Fprint (rw , tt .commentsReply )
328328 })
329- mux .HandleFunc ("/repos/owner/collaborators" , func (rw http.ResponseWriter , _ * http.Request ) {
330- fmt .Fprint (rw , "[]" )
329+ mux .HandleFunc (fmt .Sprintf ("/repos/%s/%s/collaborators/%s/permission" , tt .runevent .Organization ,
330+ tt .runevent .Repository , tt .runevent .Sender ), func (rw http.ResponseWriter , _ * http.Request ) {
331+ fmt .Fprint (rw , `{"permission": "none"}` )
331332 })
332333 ctx , _ := rtesting .SetupFakeContext (t )
333334 gprovider := Provider {
@@ -354,7 +355,9 @@ func TestOkToTestComment(t *testing.T) {
354355func TestAclCheckAll (t * testing.T ) {
355356 type allowedRules struct {
356357 ownerFile bool
358+ read bool
357359 collabo bool
360+ admin bool
358361 }
359362 tests := []struct {
360363 name string
@@ -364,7 +367,7 @@ func TestAclCheckAll(t *testing.T) {
364367 allowed bool
365368 }{
366369 {
367- name : "allowed_from_org/ sender allowed_from_org in collabo " ,
370+ name : "allowed when sender has repository write collaborator permission " ,
368371 runevent : info.Event {
369372 Organization : "collabo" ,
370373 Repository : "repo" ,
@@ -375,7 +378,18 @@ func TestAclCheckAll(t *testing.T) {
375378 wantErr : false ,
376379 },
377380 {
378- name : "allowed_from_org/sender allowed_from_org from owner file" ,
381+ name : "allowed when sender has repository admin permission" ,
382+ runevent : info.Event {
383+ Organization : "collabo" ,
384+ Repository : "repo" ,
385+ Sender : "login_allowed" ,
386+ },
387+ allowedRules : allowedRules {admin : true },
388+ allowed : true ,
389+ wantErr : false ,
390+ },
391+ {
392+ name : "allowed when sender is approver in OWNERS file" ,
379393 runevent : info.Event {
380394 Organization : "collabo" ,
381395 Repository : "repo" ,
@@ -388,7 +402,7 @@ func TestAclCheckAll(t *testing.T) {
388402 wantErr : false ,
389403 },
390404 {
391- name : "disallowed/ sender not allowed_from_org in collabo " ,
405+ name : "disallowed when sender has no collaborator or OWNERS approval " ,
392406 runevent : info.Event {
393407 Organization : "denied" ,
394408 Repository : "denied" ,
@@ -397,6 +411,17 @@ func TestAclCheckAll(t *testing.T) {
397411 allowed : false ,
398412 wantErr : false ,
399413 },
414+ {
415+ name : "allowed when sender has repository read permission" ,
416+ runevent : info.Event {
417+ Organization : "denied" ,
418+ Repository : "denied" ,
419+ Sender : "notallowed" ,
420+ },
421+ allowedRules : allowedRules {read : true },
422+ allowed : false ,
423+ wantErr : false ,
424+ },
400425 }
401426 for _ , tt := range tests {
402427 t .Run (tt .name , func (t * testing.T ) {
@@ -411,12 +436,20 @@ func TestAclCheckAll(t *testing.T) {
411436 Logger : logger ,
412437 }
413438
414- if tt .allowedRules .collabo {
415- mux .HandleFunc (fmt .Sprintf ("/repos/%s/%s/collaborators/%s" , tt .runevent .Organization ,
416- tt .runevent .Repository , tt .runevent .Sender ), func (rw http.ResponseWriter , _ * http.Request ) {
417- rw .WriteHeader (http .StatusNoContent )
418- })
419- }
439+ mux .HandleFunc (fmt .Sprintf ("/repos/%s/%s/collaborators/%s/permission" , tt .runevent .Organization ,
440+ tt .runevent .Repository , tt .runevent .Sender ), func (rw http.ResponseWriter , _ * http.Request ) {
441+ rw .WriteHeader (http .StatusOK )
442+ permission := "none"
443+ switch {
444+ case tt .allowedRules .admin :
445+ permission = "admin"
446+ case tt .allowedRules .collabo :
447+ permission = "write"
448+ case tt .allowedRules .read :
449+ permission = "read"
450+ }
451+ fmt .Fprintf (rw , `{"permission": "%s"}` , permission )
452+ })
420453 if tt .allowedRules .ownerFile {
421454 url := fmt .Sprintf ("/repos/%s/%s/contents/OWNERS" , tt .runevent .Organization , tt .runevent .Repository )
422455 mux .HandleFunc (url , func (rw http.ResponseWriter , r * http.Request ) {
0 commit comments