Skip to content

Commit

Permalink
Fix access token issue on some public endpoints (#24194)
Browse files Browse the repository at this point in the history
- [x] Identify endpoints that should be public
- [x] Update integration tests

Fix #24159
  • Loading branch information
harryzcy authored Apr 21, 2023
1 parent 949ba48 commit cb19772
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 14 deletions.
12 changes: 6 additions & 6 deletions routers/api/v1/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -1200,21 +1200,21 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
}, context_service.UserAssignmentAPI())
m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)
m.Get("/orgs", org.GetAll)
m.Group("/orgs/{org}", func() {
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
m.Combo("").Get(org.Get).
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).
m.Combo("/repos").Get(user.ListOrgRepos).
Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
m.Group("/members", func() {
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
})
m.Group("/public_members", func() {
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)
m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).
m.Get("", org.ListPublicMembers)
m.Combo("/{username}").Get(org.IsPublicMember).
Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
})
Expand All @@ -1224,7 +1224,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)
}, reqOrgMembership())
m.Group("/labels", func() {
m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)
m.Get("", org.ListLabels)
m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).
Expand Down
22 changes: 14 additions & 8 deletions tests/integration/api_org_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -147,16 +147,14 @@ func TestAPIOrgDeny(t *testing.T) {
setting.Service.RequireSignInView = false
}()

token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)

orgName := "user1_org"
req := NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, token)
req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName)
MakeRequest(t, req, http.StatusNotFound)

req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", orgName, token)
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", orgName)
MakeRequest(t, req, http.StatusNotFound)

req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", orgName, token)
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", orgName)
MakeRequest(t, req, http.StatusNotFound)
})
}
Expand All @@ -166,16 +164,24 @@ func TestAPIGetAll(t *testing.T) {

token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)

// accessing with a token will return all orgs
req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
resp := MakeRequest(t, req, http.StatusOK)

var apiOrgList []*api.Organization
DecodeJSON(t, resp, &apiOrgList)

// accessing with a token will return all orgs
DecodeJSON(t, resp, &apiOrgList)
assert.Len(t, apiOrgList, 9)
assert.Equal(t, "org25", apiOrgList[1].FullName)
assert.Equal(t, "public", apiOrgList[1].Visibility)

// accessing without a token will return only public orgs
req = NewRequestf(t, "GET", "/api/v1/orgs")
resp = MakeRequest(t, req, http.StatusOK)

DecodeJSON(t, resp, &apiOrgList)
assert.Len(t, apiOrgList, 7)
assert.Equal(t, "org25", apiOrgList[0].FullName)
assert.Equal(t, "public", apiOrgList[0].Visibility)
}

func TestAPIOrgSearchEmptyTeam(t *testing.T) {
Expand Down

0 comments on commit cb19772

Please sign in to comment.