
Fix token endpoints ignore specified account (#27080)

Fixes #26234
Closes #26323
Closes #27040

---------

Co-authored-by: silverwind <me@silverwind.io>
CaiCandong 2023-09-18 08:21:15 +08:00 committed by GitHub
parent 8531ca0837
commit f93ee5937b
4 changed files with 52 additions and 4 deletions


@ -40,6 +40,29 @@ func TestAPIDeleteMissingToken(t *testing.T) {
MakeRequest(t, req, http.StatusNotFound)
}
// TestAPIGetTokensPermission ensures that only the admin can get tokens from other users
func TestAPIGetTokensPermission(t *testing.T) {
defer tests.PrepareTestEnv(t)()
// admin can get tokens for other users
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
req = AddBasicAuthHeader(req, user.Name)
MakeRequest(t, req, http.StatusOK)
// non-admin can get tokens for himself
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
req = AddBasicAuthHeader(req, user.Name)
MakeRequest(t, req, http.StatusOK)
// non-admin can't get tokens for other users
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
req = AddBasicAuthHeader(req, user.Name)
MakeRequest(t, req, http.StatusForbidden)
}
type permission struct {
category auth_model.AccessTokenScopeCategory
level auth_model.AccessTokenScopeLevel