mirror of https://github.com/go-gitea/gitea.git
Fix access token issue on some public endpoints (#24194)
- [x] Identify endpoints that should be public - [x] Update integration tests Fix #24159
This commit is contained in:
parent
949ba4894b
commit
cb19772d6a
|
@ -1200,12 +1200,12 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
|
m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
|
||||||
}, context_service.UserAssignmentAPI())
|
}, context_service.UserAssignmentAPI())
|
||||||
m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
|
m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
|
||||||
m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)
|
m.Get("/orgs", org.GetAll)
|
||||||
m.Group("/orgs/{org}", func() {
|
m.Group("/orgs/{org}", func() {
|
||||||
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
|
m.Combo("").Get(org.Get).
|
||||||
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
|
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
|
||||||
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
|
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
|
||||||
m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).
|
m.Combo("/repos").Get(user.ListOrgRepos).
|
||||||
Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
|
Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
|
||||||
m.Group("/members", func() {
|
m.Group("/members", func() {
|
||||||
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
|
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
|
||||||
|
@ -1213,8 +1213,8 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
|
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
|
||||||
})
|
})
|
||||||
m.Group("/public_members", func() {
|
m.Group("/public_members", func() {
|
||||||
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)
|
m.Get("", org.ListPublicMembers)
|
||||||
m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).
|
m.Combo("/{username}").Get(org.IsPublicMember).
|
||||||
Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
|
Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
|
||||||
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
|
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
|
||||||
})
|
})
|
||||||
|
@ -1224,7 +1224,7 @@ func Routes(ctx gocontext.Context) *web.Route {
|
||||||
m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)
|
m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)
|
||||||
}, reqOrgMembership())
|
}, reqOrgMembership())
|
||||||
m.Group("/labels", func() {
|
m.Group("/labels", func() {
|
||||||
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)
|
m.Get("", org.ListLabels)
|
||||||
m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
|
m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
|
||||||
m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
|
m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
|
||||||
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).
|
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).
|
||||||
|
|
|
@ -147,16 +147,14 @@ func TestAPIOrgDeny(t *testing.T) {
|
||||||
setting.Service.RequireSignInView = false
|
setting.Service.RequireSignInView = false
|
||||||
}()
|
}()
|
||||||
|
|
||||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
|
|
||||||
|
|
||||||
orgName := "user1_org"
|
orgName := "user1_org"
|
||||||
req := NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, token)
|
req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName)
|
||||||
MakeRequest(t, req, http.StatusNotFound)
|
MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
|
||||||
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", orgName, token)
|
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", orgName)
|
||||||
MakeRequest(t, req, http.StatusNotFound)
|
MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
|
||||||
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", orgName, token)
|
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", orgName)
|
||||||
MakeRequest(t, req, http.StatusNotFound)
|
MakeRequest(t, req, http.StatusNotFound)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -166,16 +164,24 @@ func TestAPIGetAll(t *testing.T) {
|
||||||
|
|
||||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
|
token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
|
||||||
|
|
||||||
|
// accessing with a token will return all orgs
|
||||||
req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
|
req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
|
||||||
resp := MakeRequest(t, req, http.StatusOK)
|
resp := MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
var apiOrgList []*api.Organization
|
var apiOrgList []*api.Organization
|
||||||
DecodeJSON(t, resp, &apiOrgList)
|
|
||||||
|
|
||||||
// accessing with a token will return all orgs
|
DecodeJSON(t, resp, &apiOrgList)
|
||||||
assert.Len(t, apiOrgList, 9)
|
assert.Len(t, apiOrgList, 9)
|
||||||
assert.Equal(t, "org25", apiOrgList[1].FullName)
|
assert.Equal(t, "org25", apiOrgList[1].FullName)
|
||||||
assert.Equal(t, "public", apiOrgList[1].Visibility)
|
assert.Equal(t, "public", apiOrgList[1].Visibility)
|
||||||
|
|
||||||
|
// accessing without a token will return only public orgs
|
||||||
|
req = NewRequestf(t, "GET", "/api/v1/orgs")
|
||||||
|
resp = MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
|
DecodeJSON(t, resp, &apiOrgList)
|
||||||
|
assert.Len(t, apiOrgList, 7)
|
||||||
|
assert.Equal(t, "org25", apiOrgList[0].FullName)
|
||||||
|
assert.Equal(t, "public", apiOrgList[0].Visibility)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestAPIOrgSearchEmptyTeam(t *testing.T) {
|
func TestAPIOrgSearchEmptyTeam(t *testing.T) {
|
||||||
|
|
Loading…
Reference in New Issue