Restrict repo scope to remaining repos endpoints

This commit is contained in:
harryzcy 2022-10-30 21:54:55 -04:00
parent d6d6d97520
commit 0a8ab09258
No known key found for this signature in database
GPG key ID: CC2953E050C19686
13 changed files with 49 additions and 49 deletions

View file

@ -1012,44 +1012,43 @@ func Routes(ctx gocontext.Context) *web.Route {
Get(repo.GetPushMirrorByName)
}, reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo))
// TODO: continue here
m.Get("/editorconfig/{filename}", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetEditorconfig)
m.Group("/pulls", func() {
m.Combo("").Get(repo.ListPullRequests).
Post(reqToken(""), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)
Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)
m.Group("/{index}", func() {
m.Combo("").Get(repo.GetPullRequest).
Patch(reqToken(""), bind(api.EditPullRequestOption{}), repo.EditPullRequest)
Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditPullRequestOption{}), repo.EditPullRequest)
m.Get(".{diffType:diff|patch}", repo.DownloadPullDiffOrPatch)
m.Post("/update", reqToken(""), repo.UpdatePullRequest)
m.Post("/update", reqToken(auth_model.AccessTokenScopeRepo), repo.UpdatePullRequest)
m.Get("/commits", repo.GetPullRequestCommits)
m.Get("/files", repo.GetPullRequestFiles)
m.Combo("/merge").Get(repo.IsPullRequestMerged).
Post(reqToken(""), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).
Delete(reqToken(""), mustNotBeArchived, repo.CancelScheduledAutoMerge)
Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).
Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CancelScheduledAutoMerge)
m.Group("/reviews", func() {
m.Combo("").
Get(repo.ListPullReviews).
Post(reqToken(""), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)
Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)
m.Group("/{id}", func() {
m.Combo("").
Get(repo.GetPullReview).
Delete(reqToken(""), repo.DeletePullReview).
Post(reqToken(""), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)
Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeletePullReview).
Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)
m.Combo("/comments").
Get(repo.GetPullReviewComments)
m.Post("/dismissals", reqToken(""), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)
m.Post("/undismissals", reqToken(""), repo.UnDismissPullReview)
m.Post("/dismissals", reqToken(auth_model.AccessTokenScopeRepo), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)
m.Post("/undismissals", reqToken(auth_model.AccessTokenScopeRepo), repo.UnDismissPullReview)
})
})
m.Combo("/requested_reviewers").
Delete(reqToken(""), bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).
Post(reqToken(""), bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)
m.Combo("/requested_reviewers", reqToken(auth_model.AccessTokenScopeRepo)).
Delete(bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).
Post(bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)
})
}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())
m.Group("/statuses", func() {
m.Combo("/{sha}").Get(repo.GetCommitStatuses).
Post(reqToken(""), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
}, reqRepoReader(unit.TypeCode))
m.Group("/commits", func() {
m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)
@ -1070,7 +1069,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/tags/{sha}", repo.GetAnnotatedTag)
m.Get("/notes/{sha}", repo.GetNote)
}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))
m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(""), bind(api.ApplyDiffPatchFileOptions{}), repo.ApplyDiffPatch)
m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(auth_model.AccessTokenScopeRepo), bind(api.ApplyDiffPatchFileOptions{}), repo.ApplyDiffPatch)
m.Group("/contents", func() {
m.Get("", repo.GetContentsList)
m.Get("/*", repo.GetContents)
@ -1078,15 +1077,15 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, repo.CreateFile)
m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, repo.UpdateFile)
m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, repo.DeleteFile)
}, reqToken(""))
}, reqToken(auth_model.AccessTokenScopeRepo))
}, reqRepoReader(unit.TypeCode))
m.Get("/signing-key.gpg", misc.SigningKey)
m.Group("/topics", func() {
m.Combo("").Get(repo.ListTopics).
Put(reqToken(""), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)
Put(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)
m.Group("/{topic}", func() {
m.Combo("").Put(reqToken(""), repo.AddTopic).
Delete(reqToken(""), repo.DeleteTopic)
m.Combo("").Put(reqToken(auth_model.AccessTokenScopeRepo), repo.AddTopic).
Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTopic)
}, reqAdmin())
}, reqAnyRepoReader())
m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)

View file

@ -28,7 +28,7 @@ func TestAPIPullReview(t *testing.T) {
// test ListPullReviews
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token)
resp := session.MakeRequest(t, req, http.StatusOK)
@ -231,7 +231,7 @@ func TestAPIPullReviewRequest(t *testing.T) {
// Test add Review Request
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
Reviewers: []string{"user4@example.com", "user8"},
})
@ -251,7 +251,7 @@ func TestAPIPullReviewRequest(t *testing.T) {
// Test Remove Review Request
session2 := loginUser(t, "user4")
token2 := getTokenForLoggedInUser(t, session2)
token2 := getTokenForLoggedInUser(t, session2, "repo")
req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token2), &api.PullReviewRequestOptions{
Reviewers: []string{"user4"},

View file

@ -28,7 +28,7 @@ func TestAPIViewPulls(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
ctx := NewAPITestContext(t, "user2", repo.Name)
ctx := NewAPITestContext(t, "user2", repo.Name, "repo")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&token="+ctx.Token, owner.Name, repo.Name)
resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
@ -74,7 +74,7 @@ func TestAPIMergePullWIP(t *testing.T) {
assert.Contains(t, pr.Issue.Title, setting.Repository.PullRequest.WorkInProgressPrefixes[0])
session := loginUser(t, owner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s", owner.Name, repo.Name, pr.Index, token), &forms.MergePullRequestForm{
MergeMessageField: pr.Issue.Title,
Do: string(repo_model.MergeStyleMerge),
@ -93,7 +93,7 @@ func TestAPICreatePullSuccess(t *testing.T) {
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
session := loginUser(t, owner11.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
Head: fmt.Sprintf("%s:master", owner11.Name),
Base: "master",
@ -113,7 +113,7 @@ func TestAPICreatePullWithFieldsSuccess(t *testing.T) {
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
session := loginUser(t, owner11.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
opts := &api.CreatePullRequestOption{
Head: fmt.Sprintf("%s:master", owner11.Name),
@ -150,7 +150,7 @@ func TestAPICreatePullWithFieldsFailure(t *testing.T) {
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
session := loginUser(t, owner11.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
opts := &api.CreatePullRequestOption{
Head: fmt.Sprintf("%s:master", owner11.Name),
@ -180,7 +180,7 @@ func TestAPIEditPull(t *testing.T) {
owner10 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo10.OwnerID})
session := loginUser(t, owner10.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
Head: "develop",
Base: "master",

View file

@ -151,10 +151,10 @@ func TestAPICreateFile(t *testing.T) {
// Get user2's token
session := loginUser(t, user2.Name)
token2 := getTokenForLoggedInUser(t, session)
token2 := getTokenForLoggedInUser(t, session, "repo")
// Get user4's token
session = loginUser(t, user4.Name)
token4 := getTokenForLoggedInUser(t, session)
token4 := getTokenForLoggedInUser(t, session, "repo")
session = emptyTestSession(t)
// Test creating a file in repo1 which user2 owns, try both with branch and empty branch

View file

@ -49,10 +49,10 @@ func TestAPIDeleteFile(t *testing.T) {
// Get user2's token
session := loginUser(t, user2.Name)
token2 := getTokenForLoggedInUser(t, session)
token2 := getTokenForLoggedInUser(t, session, "repo")
// Get user4's token
session = loginUser(t, user4.Name)
token4 := getTokenForLoggedInUser(t, session)
token4 := getTokenForLoggedInUser(t, session, "repo")
session = emptyTestSession(t)
// Test deleting a file in repo1 which user2 owns, try both with branch and empty branch

View file

@ -117,10 +117,10 @@ func TestAPIUpdateFile(t *testing.T) {
// Get user2's token
session := loginUser(t, user2.Name)
token2 := getTokenForLoggedInUser(t, session)
token2 := getTokenForLoggedInUser(t, session, "repo")
// Get user4's token
session = loginUser(t, user4.Name)
token4 := getTokenForLoggedInUser(t, session)
token4 := getTokenForLoggedInUser(t, session, "repo")
session = emptyTestSession(t)
// Test updating a file in repo1 which user2 owns, try both with branch and empty branch

View file

@ -60,7 +60,7 @@ func TestAPIRepoTopic(t *testing.T) {
repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
// Get user2's token
token2 := getUserToken(t, user2.Name)
token2 := getUserToken(t, user2.Name, "repo")
// Test read topics using login
url := fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)
@ -140,7 +140,7 @@ func TestAPIRepoTopic(t *testing.T) {
MakeRequest(t, req, http.StatusNotFound)
// Get user4's token
token4 := getUserToken(t, user4.Name)
token4 := getUserToken(t, user4.Name, "repo")
// Test read topics with write access
url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", user3.Name, repo3.Name, token4)

View file

@ -358,7 +358,7 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes
t.Run("CreateBranchProtected", doGitCreateBranch(dstPath, "protected"))
t.Run("PushProtectedBranch", doGitPushTestRepository(dstPath, "origin", "protected"))
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame)
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, "repo")
t.Run("ProtectProtectedBranchNoWhitelist", doProtectBranch(ctx, "protected", "", ""))
t.Run("GenerateCommit", func(t *testing.T) {
_, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-")
@ -602,7 +602,7 @@ func doAutoPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
return func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame)
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, "repo")
t.Run("CheckoutProtected", doGitCheckoutBranch(dstPath, "protected"))
t.Run("PullProtected", doGitPull(dstPath, "origin", "protected"))

View file

@ -94,7 +94,7 @@ func TestGPGGit(t *testing.T) {
t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(
t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {
assert.False(t, response.Verification.Verified)
@ -111,7 +111,7 @@ func TestGPGGit(t *testing.T) {
t.Run("Unsigned-Initial-CRUD-Never", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
t.Run("CreateCRUDFile-Never", crudActionCreateFile(
t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {
assert.False(t, response.Verification.Verified)
@ -124,7 +124,7 @@ func TestGPGGit(t *testing.T) {
t.Run("Unsigned-Initial-CRUD-Always", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
t.Run("CreateCRUDFile-Always", crudActionCreateFile(
t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {
assert.NotNil(t, response.Verification)
@ -161,7 +161,7 @@ func TestGPGGit(t *testing.T) {
t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(
t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {
assert.NotNil(t, response.Verification)

View file

@ -218,7 +218,7 @@ func TestCantMergeConflict(t *testing.T) {
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "base", "README.md", "Hello, World (Edited Twice)\n")
// Use API to create a conflicting pr
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
Head: "conflict",
Base: "base",
@ -326,7 +326,7 @@ func TestCantMergeUnrelated(t *testing.T) {
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "conflict", "README.md", "Hello, World (Edited Once)\n")
// Use API to create a conflicting pr
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
Head: "unrelated",
Base: "base",

View file

@ -63,7 +63,7 @@ func TestPullCreate_CommitStatus(t *testing.T) {
api.CommitStatusWarning: "gitea-exclamation",
}
testCtx := NewAPITestContext(t, "user1", "repo1")
testCtx := NewAPITestContext(t, "user1", "repo1", "repo")
// Update commit status, and check if icon is updated as well
for _, status := range statusList {

View file

@ -39,7 +39,7 @@ func TestAPIPullUpdate(t *testing.T) {
assert.NoError(t, pr.LoadIssue())
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
session.MakeRequest(t, req, http.StatusOK)
@ -67,7 +67,7 @@ func TestAPIPullUpdateByRebase(t *testing.T) {
assert.NoError(t, pr.LoadIssue())
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?style=rebase&token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
session.MakeRequest(t, req, http.StatusOK)

View file

@ -49,7 +49,8 @@ func doTestRepoCommitWithStatus(t *testing.T, state string, classes ...string) {
assert.NotEmpty(t, commitURL)
// Call API to add status for commit
t.Run("CreateStatus", doAPICreateCommitStatus(NewAPITestContext(t, "user2", "repo1"), path.Base(commitURL), api.CommitStatusState(state)))
ctx := NewAPITestContext(t, "user2", "repo1", "repo")
t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CommitStatusState(state)))
req = NewRequest(t, "GET", "/user2/repo1/commits/branch/master")
resp = session.MakeRequest(t, req, http.StatusOK)