Limit repo scope on /api/v1/{user}/{repo}/issues
This commit is contained in:
harryzcy
parent
7a3b165485
commit
62c9f70396
9 changed files with 51 additions and 51 deletions
|
|
@ -900,40 +900,39 @@ func Routes(ctx gocontext.Context) *web.Route {
|
|||
m.Get("/pages", repo.ListWikiPages)
|
||||
}, mustEnableWiki, reqToken(auth_model.AccessTokenScopeRepo))
|
||||
|
||||
// TODO: continue here
|
||||
m.Group("/issues", func() {
|
||||
m.Combo("").Get(repo.ListIssues).
|
||||
Post(reqToken(""), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
|
||||
Post(mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
|
||||
m.Group("/comments", func() {
|
||||
m.Get("", repo.ListRepoIssueComments)
|
||||
m.Group("/{id}", func() {
|
||||
m.Combo("").
|
||||
Get(repo.GetIssueComment).
|
||||
Patch(mustNotBeArchived, reqToken(""), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
|
||||
Delete(reqToken(""), repo.DeleteIssueComment)
|
||||
Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
|
||||
Delete(repo.DeleteIssueComment)
|
||||
m.Combo("/reactions").
|
||||
Get(repo.GetIssueCommentReactions).
|
||||
Post(reqToken(""), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
|
||||
Delete(reqToken(""), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
|
||||
Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
|
||||
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
|
||||
})
|
||||
})
|
||||
m.Group("/{index}", func() {
|
||||
m.Combo("").Get(repo.GetIssue).
|
||||
Patch(reqToken(""), bind(api.EditIssueOption{}), repo.EditIssue).
|
||||
Delete(reqToken(""), reqAdmin(), repo.DeleteIssue)
|
||||
Patch(bind(api.EditIssueOption{}), repo.EditIssue).
|
||||
Delete(reqAdmin(), repo.DeleteIssue)
|
||||
m.Group("/comments", func() {
|
||||
m.Combo("").Get(repo.ListIssueComments).
|
||||
Post(reqToken(""), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)
|
||||
Post(mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)
|
||||
m.Combo("/{id}", reqToken("")).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).
|
||||
Delete(repo.DeleteIssueCommentDeprecated)
|
||||
})
|
||||
m.Get("/timeline", repo.ListIssueCommentsAndTimeline)
|
||||
m.Group("/labels", func() {
|
||||
m.Combo("").Get(repo.ListIssueLabels).
|
||||
Post(reqToken(""), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).
|
||||
Put(reqToken(""), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).
|
||||
Delete(reqToken(""), repo.ClearIssueLabels)
|
||||
m.Delete("/{id}", reqToken(""), repo.DeleteIssueLabel)
|
||||
Post(bind(api.IssueLabelsOption{}), repo.AddIssueLabels).
|
||||
Put(bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).
|
||||
Delete(repo.ClearIssueLabels)
|
||||
m.Delete("/{id}", repo.DeleteIssueLabel)
|
||||
})
|
||||
m.Group("/times", func() {
|
||||
m.Combo("").
|
||||
|
|
@ -942,24 +941,24 @@ func Routes(ctx gocontext.Context) *web.Route {
|
|||
Delete(repo.ResetIssueTime)
|
||||
m.Delete("/{id}", repo.DeleteTime)
|
||||
}, reqToken(""))
|
||||
m.Combo("/deadline").Post(reqToken(""), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)
|
||||
m.Combo("/deadline").Post(bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)
|
||||
m.Group("/stopwatch", func() {
|
||||
m.Post("/start", reqToken(""), repo.StartIssueStopwatch)
|
||||
m.Post("/stop", reqToken(""), repo.StopIssueStopwatch)
|
||||
m.Delete("/delete", reqToken(""), repo.DeleteIssueStopwatch)
|
||||
m.Post("/start", repo.StartIssueStopwatch)
|
||||
m.Post("/stop", repo.StopIssueStopwatch)
|
||||
m.Delete("/delete", repo.DeleteIssueStopwatch)
|
||||
})
|
||||
m.Group("/subscriptions", func() {
|
||||
m.Get("", repo.GetIssueSubscribers)
|
||||
m.Get("/check", reqToken(""), repo.CheckIssueSubscription)
|
||||
m.Put("/{user}", reqToken(""), repo.AddIssueSubscription)
|
||||
m.Delete("/{user}", reqToken(""), repo.DelIssueSubscription)
|
||||
m.Get("/check", repo.CheckIssueSubscription)
|
||||
m.Put("/{user}", repo.AddIssueSubscription)
|
||||
m.Delete("/{user}", repo.DelIssueSubscription)
|
||||
})
|
||||
m.Combo("/reactions").
|
||||
Get(repo.GetIssueReactions).
|
||||
Post(reqToken(""), bind(api.EditReactionOption{}), repo.PostIssueReaction).
|
||||
Delete(reqToken(""), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
|
||||
Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
|
||||
Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
|
||||
})
|
||||
}, mustEnableIssuesOrPulls)
|
||||
}, mustEnableIssuesOrPulls, reqToken(auth_model.AccessTokenScopeRepo))
|
||||
m.Group("/labels", func() {
|
||||
m.Combo("").Get(repo.ListLabels).
|
||||
Post(reqToken(""), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)
|
||||
|
|
|
|||
|
|
@ -31,7 +31,8 @@ func TestAPIListRepoComments(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments", repoOwner.Name, repo.Name))
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments?token=%s", repoOwner.Name, repo.Name, token))
|
||||
req := NewRequest(t, "GET", link.String())
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
|
|
@ -77,8 +78,9 @@ func TestAPIListIssueComments(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments",
|
||||
repoOwner.Name, repo.Name, issue.Index)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
var comments []*api.Comment
|
||||
|
|
@ -97,7 +99,7 @@ func TestAPICreateComment(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
|
|
@ -120,10 +122,8 @@ func TestAPIGetComment(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID)
|
||||
session.MakeRequest(t, req, http.StatusOK)
|
||||
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, token)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
var apiComment api.Comment
|
||||
|
|
@ -149,7 +149,7 @@ func TestAPIEditComment(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
|
||||
|
|
@ -174,7 +174,7 @@ func TestAPIDeleteComment(t *testing.T) {
|
|||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
session.MakeRequest(t, req, http.StatusNoContent)
|
||||
|
|
@ -192,8 +192,9 @@ func TestAPIListIssueTimeline(t *testing.T) {
|
|||
|
||||
// make request
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline",
|
||||
repoOwner.Name, repo.Name, issue.Index)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
// check if lens of list returned by API and
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ func TestAPIAddIssueLabels(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
|
||||
repo.OwnerName, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.IssueLabelsOption{
|
||||
|
|
@ -120,7 +120,7 @@ func TestAPIReplaceIssueLabels(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
|
||||
owner.Name, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithJSON(t, "PUT", urlStr, &api.IssueLabelsOption{
|
||||
|
|
@ -144,7 +144,7 @@ func TestAPIModifyOrgLabels(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
user := "user1"
|
||||
session := loginUser(t, user)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels?token=%s", owner.Name, token)
|
||||
|
||||
// CreateLabel
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ func TestAPIIssuesReactions(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue.Repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/reactions?token=%s",
|
||||
|
|
@ -88,7 +88,7 @@ func TestAPICommentReactions(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue.Repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ func TestAPIStopStopWatches(t *testing.T) {
|
|||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
session.MakeRequest(t, req, http.StatusCreated)
|
||||
|
|
@ -68,7 +68,7 @@ func TestAPICancelStopWatches(t *testing.T) {
|
|||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/stopwatch/delete?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
session.MakeRequest(t, req, http.StatusNoContent)
|
||||
|
|
@ -84,7 +84,7 @@ func TestAPIStartStopWatches(t *testing.T) {
|
|||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
session.MakeRequest(t, req, http.StatusCreated)
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ func TestAPIIssueSubscriptions(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue1.PosterID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
testSubscription := func(issue *issues_model.Issue, isWatching bool) {
|
||||
issueRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ func TestAPIListIssues(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner.Name, repo.Name))
|
||||
|
||||
link.RawQuery = url.Values{"token": {token}, "state": {"all"}}.Encode()
|
||||
|
|
@ -81,7 +81,7 @@ func TestAPICreateIssue(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repoBefore.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
|
||||
Body: body,
|
||||
|
|
@ -117,7 +117,7 @@ func TestAPIEditIssue(t *testing.T) {
|
|||
assert.Equal(t, api.StateOpen, issueBefore.State())
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
// update values of issue
|
||||
issueState := "closed"
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ func TestAPIGetTrackedTimes(t *testing.T) {
|
|||
assert.NoError(t, issue2.LoadRepo(db.DefaultContext))
|
||||
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
|
@ -71,7 +71,7 @@ func TestAPIDeleteTrackedTime(t *testing.T) {
|
|||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
// Deletion not allowed
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, time6.ID, token)
|
||||
|
|
@ -106,7 +106,7 @@ func TestAPIAddTrackedTimes(t *testing.T) {
|
|||
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
session := loginUser(t, admin.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ func testPrivateActivityDoSomethingForActionEntries(t *testing.T) {
|
|||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repoBefore.OwnerID})
|
||||
|
||||
session := loginUser(t, privateActivityTestUser)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, "repo")
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
|
||||
Body: "test",
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue