go-gitea · lunny · Apr 6, 2023 · Apr 3, 2023 · Apr 3, 2023 · Apr 4, 2023
diff --git a/models/fixtures/org_user.yml b/models/fixtures/org_user.yml
@@ -75,3 +75,9 @@
   uid: 31
   org_id: 19
   is_public: true
+
+-
+  id: 14
+  uid: 5
+  org_id: 23
+  is_public: false
diff --git a/models/fixtures/team.yml b/models/fixtures/team.yml
@@ -172,4 +172,15 @@
   num_repos: 0
   num_members: 0
   includes_all_repositories: false
+  can_create_org_repo: true
+
+-
+  id: 17
+  org_id: 23
+  lower_name: team14writeauth
+  name: team14WriteAuth
+  authorize: 2 # write
+  num_repos: 0
+  num_members: 1
+  includes_all_repositories: false
   can_create_org_repo: true
diff --git a/models/fixtures/team_unit.yml b/models/fixtures/team_unit.yml
@@ -268,3 +268,9 @@
   team_id: 9
   type: 1 # code
   access_mode: 1
+
+-
+  id: 46
+  team_id: 17
+  type: 9 # package
+  access_mode: 0
diff --git a/models/fixtures/team_user.yml b/models/fixtures/team_user.yml
@@ -99,3 +99,9 @@
   org_id: 3
   team_id: 14
   uid: 2
+
+-
+  id: 18
+  org_id: 23
+  team_id: 17
+  uid: 5
diff --git a/tests/integration/api_packages_test.go b/tests/integration/api_packages_test.go
@@ -157,6 +157,7 @@ func TestPackageAccess(t *testing.T) {
 	admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
 	inactive := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 9})
+	privatedOrg := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 23})
 
 	uploadPackage := func(doer, owner *user_model.User, expectedStatus int) {
 		url := fmt.Sprintf("/api/packages/%s/generic/test-package/1.0/file.bin", owner.Name)
@@ -170,6 +171,15 @@ func TestPackageAccess(t *testing.T) {
 	uploadPackage(inactive, user, http.StatusUnauthorized)
 	uploadPackage(admin, inactive, http.StatusCreated)
 	uploadPackage(admin, user, http.StatusCreated)
+
+	// team.authorize is write, but team_unit.access_mode is none
+	// so the user can not upload packages or get package list
+	uploadPackage(user, privatedOrg, http.StatusUnauthorized)
+
+	session := loginUser(t, user.Name)
+	tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
+	req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/packages/%s?token=%s", privatedOrg.Name, tokenReadPackage))
+	MakeRequest(t, req, http.StatusForbidden)
 }
 
 func TestPackageQuota(t *testing.T) {