
Commit cb19772

Fix access token issue on some public endpoints (#24194)
- [x] Identify endpoints that should be public
- [x] Update integration tests

Fix #24159
1 parent 949ba48 commit cb19772


2 files changed

+20
-14
lines changed


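--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1200,21 +1200,21 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
 }, context_service.UserAssignmentAPI())
 m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
-m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)
+m.Get("/orgs", org.GetAll)
 m.Group("/orgs/{org}", func() {
-m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
+m.Combo("").Get(org.Get).
 Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
 Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
-m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).
+m.Combo("/repos").Get(user.ListOrgRepos).
 Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
 m.Group("/members", func() {
 m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
 m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).
 Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
 })
 m.Group("/public_members", func() {
-m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)
-m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).
+m.Get("", org.ListPublicMembers)
+m.Combo("/{username}").Get(org.IsPublicMember).
 Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
 Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
 })
@@ -1224,7 +1224,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)
 }, reqOrgMembership())
 m.Group("/labels", func() {
-m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)
+m.Get("", org.ListLabels)
 m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
 m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
 Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).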
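Review bot: `m.Get("", org.ListLabels)` in the second hunk is made public while `m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel)` two lines below still requires a read:org token, so listing an org's labels needs no credentials but fetching one of the same labels by id does; either keep both behind reqToken or drop it from the single-label GET as well, e.g. `m.Combo("/{id}").Get(org.GetLabel).`. Dropping reqToken also removes the scope check for callers that do present a token; if scope enforcement for these routes lived only in reqToken, a token restricted to an unrelated scope can now read org details, repos, public members and labels as the token's user, which matters most for `user.ListOrgRepos`, where the result depends on the caller's access. The handlers themselves are outside this hunk, so whether they enforce org visibility (and RequireSignInView) cannot be confirmed here, and the updated TestAPIOrgDeny covers only /orgs/{org}, /repos and /members. Routes begins and ends outside both hunks.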

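--- a/tests/integration/api_org_test.go
+++ b/tests/integration/api_org_test.go
@@ -147,16 +147,14 @@ func TestAPIOrgDeny(t *testing.T) {
 setting.Service.RequireSignInView = false
 }()
 
-token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
-
 orgName := "user1_org"
-req := NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, token)
+req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName)
 MakeRequest(t, req, http.StatusNotFound)
 
-req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", orgName, token)
+req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", orgName)
 MakeRequest(t, req, http.StatusNotFound)
 
-req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", orgName, token)
+req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", orgName)
 MakeRequest(t, req, http.StatusNotFound)
 })
 }
@@ -166,16 +164,24 @@ func TestAPIGetAll(t *testing.T) {
 
 token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
 
+// accessing with a token will return all orgs
 req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
 resp := MakeRequest(t, req, http.StatusOK)
-
 var apiOrgList []*api.Organization
-DecodeJSON(t, resp, &apiOrgList)
 
-// accessing with a token will return all orgs
+DecodeJSON(t, resp, &apiOrgList)
 assert.Len(t, apiOrgList, 9)
 assert.Equal(t, "org25", apiOrgList[1].FullName)
 assert.Equal(t, "public", apiOrgList[1].Visibility)
+
+// accessing without a token will return only public orgs
+req = NewRequestf(t, "GET", "/api/v1/orgs")
+resp = MakeRequest(t, req, http.StatusOK)
+
+DecodeJSON(t, resp, &apiOrgList)
+assert.Len(t, apiOrgList, 7)
+assert.Equal(t, "org25", apiOrgList[0].FullName)
+assert.Equal(t, "public", apiOrgList[0].Visibility)
 }
 
 func TestAPIOrgSearchEmptyTeam(t *testing.T) {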
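Review bot: TestAPIOrgDeny in the first hunk still exercises only `/orgs/{org}`, `/orgs/{org}/repos` and `/orgs/{org}/members`, while this commit also makes `/orgs/{org}/public_members` and `/orgs/{org}/labels` reachable without a token in routers/api/v1/api.go; those two routes have no unauthenticated deny-case coverage, so a missing visibility check in their handlers would go unnoticed. Adding `req = NewRequestf(t, "GET", "/api/v1/orgs/%s/public_members", orgName)` and `req = NewRequestf(t, "GET", "/api/v1/orgs/%s/labels", orgName)`, each followed by `MakeRequest(t, req, http.StatusNotFound)`, would close that gap. In the second hunk `apiOrgList` is decoded into twice, which works because the second DecodeJSON replaces the slice contents, but `assert.Len` is non-fatal, so `apiOrgList[0]` on the next line panics on an empty or short response instead of reporting a clean failure; wrapping the two index assertions in `if assert.Len(t, apiOrgList, 7) { ... }` keeps the failure readable. TestAPIOrgDeny begins outside the first hunk.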
