Limit token scope for some repo APIs

harryzcy 2022-10-30 01:14:12 -04:00
parent 0583e79f37
commit a282f02de6
No known key found for this signature in database
GPG key ID: CC2953E050C19686
14 changed files with 86 additions and 78 deletions


@ -794,74 +794,77 @@ func Routes(ctx gocontext.Context) *web.Route {
}, reqToken(""))
// Repositories
m.Post("/org/{org}/repos", reqToken(""), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)
m.Post("/org/{org}/repos", reqToken("auth_model.AccessTokenScopeAdminOrg"), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)
m.Combo("/repositories/{id}", reqToken("")).Get(repo.GetByID)
m.Combo("/repositories/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.GetByID)
m.Group("/repos", func() {
m.Get("/search", repo.Search)
m.Get("/issues/search", repo.SearchIssues)
m.Post("/migrate", reqToken(""), bind(api.MigrateRepoOptions{}), repo.Migrate)
// (repo scope)
m.Post("/migrate", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MigrateRepoOptions{}), repo.Migrate)
m.Group("/{username}/{reponame}", func() {
m.Combo("").Get(reqAnyRepoReader(), repo.Get).
Delete(reqToken(""), reqOwner(), repo.Delete).
Patch(reqToken(""), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)
m.Post("/generate", reqToken(""), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)
m.Post("/transfer", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)
m.Post("/transfer/accept", reqToken(""), repo.AcceptTransfer)
m.Post("/transfer/reject", reqToken(""), repo.RejectTransfer)
m.Combo("/notifications").
Delete(reqToken(auth_model.AccessTokenScopeDeleteRepo), reqOwner(), repo.Delete).
Patch(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)
m.Post("/generate", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)
m.Group("/transfer", func() {
m.Post("", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)
m.Post("/accept", repo.AcceptTransfer)
m.Post("/reject", repo.RejectTransfer)
}, reqToken(auth_model.AccessTokenScopeRepo))
m.Combo("/notifications", reqToken(auth_model.AccessTokenScopeNotification)).
Get(reqToken(""), notify.ListRepoNotifications).
Put(reqToken(""), notify.ReadRepoNotifications)
m.Group("/hooks/git", func() {
m.Combo("").Get(repo.ListGitHooks)
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListGitHooks)
m.Group("/{id}", func() {
m.Combo("").Get(repo.GetGitHook).
Patch(bind(api.EditGitHookOption{}), repo.EditGitHook).
Delete(repo.DeleteGitHook)
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetGitHook).
Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditGitHookOption{}), repo.EditGitHook).
Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteGitHook)
})
}, reqToken(""), reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))
}, reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))
m.Group("/hooks", func() {
m.Combo("").Get(repo.ListHooks).
Post(bind(api.CreateHookOption{}), repo.CreateHook)
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListHooks).
Post(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.CreateHookOption{}), repo.CreateHook)
m.Group("/{id}", func() {
m.Combo("").Get(repo.GetHook).
Patch(bind(api.EditHookOption{}), repo.EditHook).
Delete(repo.DeleteHook)
m.Post("/tests", context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)
m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetHook).
Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditHookOption{}), repo.EditHook).
Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteHook)
m.Post("/tests", reqToken(auth_model.AccessTokenScopeReadRepoHook), context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)
})
}, reqToken(""), reqAdmin(), reqWebhooksEnabled())
}, reqAdmin(), reqWebhooksEnabled())
m.Group("/collaborators", func() {
m.Get("", reqAnyRepoReader(), repo.ListCollaborators)
m.Get("", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.ListCollaborators)
m.Group("/{collaborator}", func() {
m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).
Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
Delete(reqAdmin(), repo.DeleteCollaborator)
m.Get("/permission", repo.GetRepoPermissions)
}, reqToken(""))
}, reqToken(""))
m.Get("/assignees", reqToken(""), reqAnyRepoReader(), repo.GetAssignees)
m.Get("/reviewers", reqToken(""), reqAnyRepoReader(), repo.GetReviewers)
})
}, reqToken(auth_model.AccessTokenScopeRepo))
m.Get("/assignees", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetAssignees)
m.Get("/reviewers", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetReviewers)
m.Group("/teams", func() {
m.Get("", reqAnyRepoReader(), repo.ListTeams)
m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).
Put(reqAdmin(), repo.AddTeam).
Delete(reqAdmin(), repo.DeleteTeam)
}, reqToken(""))
m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)
m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)
m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)
m.Combo("/forks").Get(repo.ListForks).
Post(reqToken(""), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)
}, reqToken(auth_model.AccessTokenScopeRepo))
m.Get("/raw/*", reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)
m.Get("/media/*", reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)
m.Get("/archive/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), repo.GetArchive)
m.Combo("/forks", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.ListForks).
Post(reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)
m.Group("/branches", func() {
m.Get("", repo.ListBranches)
m.Get("/*", repo.GetBranch)
m.Delete("/*", reqRepoWriter(unit.TypeCode), repo.DeleteBranch)
m.Post("", reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)
}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))
}, reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))
m.Group("/branch_protections", func() {
m.Get("", repo.ListBranchProtections)
m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)
@ -870,23 +873,23 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)
m.Delete("", repo.DeleteBranchProtection)
})
}, reqToken(""), reqAdmin())
}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())
m.Group("/tags", func() {
m.Get("", repo.ListTags)
m.Get("/*", repo.GetTag)
m.Post("", reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)
m.Delete("/*", repo.DeleteTag)
}, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))
}, reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))
m.Group("/keys", func() {
m.Combo("").Get(repo.ListDeployKeys).
Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
m.Combo("/{id}").Get(repo.GetDeployKey).
Delete(repo.DeleteDeploykey)
}, reqToken(""), reqAdmin())
}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())
m.Group("/times", func() {
m.Combo("").Get(repo.ListTrackedTimesByRepository)
m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)
}, mustEnableIssues, reqToken(""))
}, mustEnableIssues, reqToken(auth_model.AccessTokenScopeRepo))
m.Group("/wiki", func() {
m.Combo("/page/{pageName}").
Get(repo.GetWikiPage).
@ -895,7 +898,9 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Get("/revisions/{pageName}", repo.ListPageRevisions)
m.Post("/new", mustNotBeArchived, reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)
m.Get("/pages", repo.ListWikiPages)
}, mustEnableWiki)
}, mustEnableWiki, reqToken(auth_model.AccessTokenScopeRepo))
// TODO: continue here
m.Group("/issues", func() {
m.Combo("").Get(repo.ListIssues).
Post(reqToken(""), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
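Review bot: The `/org/{org}/repos` line that appears to be the new side passes the scope as a quoted string, `reqToken("auth_model.AccessTokenScopeAdminOrg")`, where every other route in this section passes the constant. As written the required scope is that literal text, which presumably matches no scope a token can hold; it should read `reqToken(auth_model.AccessTokenScopeAdminOrg)`. Separately, `m.Post("/tests", reqToken(auth_model.AccessTokenScopeReadRepoHook), ...)` puts a POST that appears to trigger a hook test behind the read scope; if a read-only token is not meant to cause deliveries, `AccessTokenScopeWriteRepoHook` looks like the better fit. The `/notifications` combo also keeps inner `reqToken("")` calls on `Get` and `Put` that the combo-level scope check makes redundant. `Routes` starts and ends outside these hunks, and the `// TODO: continue here` marker together with `Post(reqToken(""), ...)` under `/issues` shows the remaining routes are not yet scope-limited.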


@ -54,7 +54,7 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, repoOwner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
rawKeyBody := api.CreateKeyOption{
Title: "read-only",
@ -80,7 +80,7 @@ func TestCreateReadWriteDeployKey(t *testing.T) {
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, repoOwner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
rawKeyBody := api.CreateKeyOption{
Title: "read-write",


@ -215,7 +215,7 @@ func TestAPIDeleteReleaseByTagName(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.LowerName)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
createNewReleaseUsingAPI(t, session, token, owner, repo, "release-tag", "", "Release Tag", "test")


@ -25,7 +25,7 @@ func TestAPIDownloadArchive(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
session := loginUser(t, user2.LowerName)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.zip", user2.Name, repo.Name))
link.RawQuery = url.Values{"token": {token}}.Encode()


@ -29,7 +29,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
user11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 11})
session := loginUser(t, repo2Owner.Name)
testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name)
testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name, "repo")
t.Run("RepoOwnerShouldBeOwner", func(t *testing.T) {
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, repo2Owner.Name, testCtx.Token)
@ -86,7 +86,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead))
_session := loginUser(t, user5.Name)
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name)
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, "repo")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
resp := _session.MakeRequest(t, req, http.StatusOK)
@ -101,7 +101,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead))
_session := loginUser(t, user5.Name)
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name)
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, "repo")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
resp := _session.MakeRequest(t, req, http.StatusOK)
@ -117,7 +117,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user11.Name, perm.AccessModeRead))
_session := loginUser(t, user10.Name)
_testCtx := NewAPITestContext(t, user10.Name, repo2.Name)
_testCtx := NewAPITestContext(t, user10.Name, repo2.Name, "repo")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user11.Name, _testCtx.Token)
resp := _session.MakeRequest(t, req, http.StatusOK)


@ -146,10 +146,10 @@ func TestAPIRepoEdit(t *testing.T) {
// Get user2's token
session := loginUser(t, user2.Name)
token2 := getTokenForLoggedInUser(t, session)
token2 := getTokenForLoggedInUser(t, session, "repo")
// Get user4's token
session = loginUser(t, user4.Name)
token4 := getTokenForLoggedInUser(t, session)
token4 := getTokenForLoggedInUser(t, session, "repo")
session = emptyTestSession(t)
// Test editing a repo1 which user2 owns, changing name and many properties


@ -31,7 +31,7 @@ func TestAPIListGitHooks(t *testing.T) {
// user1 is an admin user
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "read_repo_hook")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
owner.Name, repo.Name, token)
resp := MakeRequest(t, req, http.StatusOK)
@ -57,7 +57,7 @@ func TestAPIListGitHooksNoHooks(t *testing.T) {
// user1 is an admin user
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "read_repo_hook")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
owner.Name, repo.Name, token)
resp := MakeRequest(t, req, http.StatusOK)
@ -77,7 +77,7 @@ func TestAPIListGitHooksNoAccess(t *testing.T) {
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "read_repo_hook")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
owner.Name, repo.Name, token)
MakeRequest(t, req, http.StatusForbidden)
@ -91,7 +91,7 @@ func TestAPIGetGitHook(t *testing.T) {
// user1 is an admin user
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "read_repo_hook")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
resp := MakeRequest(t, req, http.StatusOK)
@ -108,7 +108,7 @@ func TestAPIGetGitHookNoAccess(t *testing.T) {
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "read_repo_hook")
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
MakeRequest(t, req, http.StatusForbidden)
@ -122,7 +122,7 @@ func TestAPIEditGitHook(t *testing.T) {
// user1 is an admin user
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "write_repo_hook")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
@ -151,7 +151,7 @@ func TestAPIEditGitHookNoAccess(t *testing.T) {
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "write_repo_hook")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
req := NewRequestWithJSON(t, "PATCH", urlStr, &api.EditGitHookOption{
@ -168,7 +168,7 @@ func TestAPIDeleteGitHook(t *testing.T) {
// user1 is an admin user
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "write_repo_hook")
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
@ -190,7 +190,7 @@ func TestAPIDeleteGitHookNoAccess(t *testing.T) {
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "write_repo_hook")
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
owner.Name, repo.Name, token)
MakeRequest(t, req, http.StatusForbidden)
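Review bot: None of the updated git-hook tests uses a token that lacks the required scope, so the new read/write split is never exercised as a rejection. Every call requests exactly the scope its route demands, and the `NoAccess` cases presumably still fail on the admin check rather than on scope. A case that sends the PATCH or DELETE request with `getTokenForLoggedInUser(t, session, "read_repo_hook")` and expects it to be refused would pin the boundary between `read_repo_hook` and `write_repo_hook`. The status returned on a scope mismatch is not visible in these hunks, so the expected code should be taken from the `reqToken` implementation.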


@ -70,7 +70,7 @@ func TestAPIDeleteTagByName(t *testing.T) {
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
session := loginUser(t, owner.LowerName)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/tags/delete-tag?token=%s",
owner.Name, repo.Name, token)


@ -31,7 +31,7 @@ func TestAPIRepoLFSMigrateLocal(t *testing.T) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
CloneAddr: path.Join(setting.RepoRootPath, "migration/lfs-test.git"),


@ -23,7 +23,7 @@ func TestAPIRepoTags(t *testing.T) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
// Login as User2.
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
repoName := "repo1"


@ -349,7 +349,7 @@ func TestAPIRepoMigrate(t *testing.T) {
for _, testCase := range testCases {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
CloneAddr: testCase.cloneURL,
RepoOwnerID: testCase.userID,
@ -528,7 +528,7 @@ func TestAPIRepoTransfer(t *testing.T) {
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
session = loginUser(t, user.Name)
token = getTokenForLoggedInUser(t, session)
token = getTokenForLoggedInUser(t, session, "repo")
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer?token=%s", repo.OwnerName, repo.Name, token), &api.TransferRepoOption{
NewOwner: testCase.newOwner,
TeamIDs: testCase.teams,
@ -575,7 +575,7 @@ func TestAPIAcceptTransfer(t *testing.T) {
// try to accept with not authorized user
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
session.MakeRequest(t, req, http.StatusForbidden)
@ -601,7 +601,7 @@ func TestAPIRejectTransfer(t *testing.T) {
// try to reject with not authorized user
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
session.MakeRequest(t, req, http.StatusForbidden)
@ -611,7 +611,7 @@ func TestAPIRejectTransfer(t *testing.T) {
// reject transfer
session = loginUser(t, "user4")
token = getTokenForLoggedInUser(t, session)
token = getTokenForLoggedInUser(t, session, "repo")
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
resp := session.MakeRequest(t, req, http.StatusOK)
@ -625,7 +625,7 @@ func TestAPIGenerateRepo(t *testing.T) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
templateRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 44})
@ -661,7 +661,7 @@ func TestAPIRepoGetReviewers(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/reviewers?token=%s", user.Name, repo.Name, token)
@ -675,7 +675,7 @@ func TestAPIRepoGetAssignees(t *testing.T) {
defer tests.PrepareTestEnv(t)()
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/assignees?token=%s", user.Name, repo.Name, token)


@ -21,8 +21,9 @@ func TestAPIGetWikiPage(t *testing.T) {
username := "user2"
session := loginUser(t, username)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Home", username, "repo1")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Home?token=%s", username, "repo1", token)
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
@ -67,8 +68,9 @@ func TestAPIListWikiPages(t *testing.T) {
username := "user2"
session := loginUser(t, username)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/pages", username, "repo1")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/pages?token=%s", username, "repo1", token)
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
@ -182,7 +184,7 @@ func TestAPINewWikiPage(t *testing.T) {
defer tests.PrepareTestEnv(t)()
username := "user2"
session := loginUser(t, username)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/new?token=%s", username, "repo1", token)
@ -199,7 +201,7 @@ func TestAPIEditWikiPage(t *testing.T) {
defer tests.PrepareTestEnv(t)()
username := "user2"
session := loginUser(t, username)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Page-With-Spaced-Name?token=%s", username, "repo1", token)
@ -215,8 +217,9 @@ func TestAPIListPageRevisions(t *testing.T) {
defer tests.PrepareTestEnv(t)()
username := "user2"
session := loginUser(t, username)
token := getTokenForLoggedInUser(t, session, "repo")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/revisions/Home", username, "repo1")
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/revisions/Home>token=%s", username, "repo1", token)
req := NewRequest(t, "GET", urlStr)
resp := session.MakeRequest(t, req, http.StatusOK)
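Review bot: The format string added in TestAPIListPageRevisions ends in `Home>token=%s`, with `>` where the query separator `?` belongs, so the token is appended to the page name instead of being sent as a query parameter. The line should read `urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/revisions/Home?token=%s", username, "repo1", token)`, matching the other two wiki URLs changed in this file. As written the test either fails its `http.StatusOK` expectation or passes for a reason unrelated to the token, and in neither case does it check the `repo` scope on this route.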


@ -43,7 +43,7 @@ func TestGit(t *testing.T) {
func testGit(t *testing.T, u *url.URL) {
username := "user2"
baseAPITestContext := NewAPITestContext(t, username, "repo1", "write_public_key")
baseAPITestContext := NewAPITestContext(t, username, "repo1", "repo", "write_public_key")
u.Path = baseAPITestContext.GitPath()


@ -264,7 +264,7 @@ func TestGPGGit(t *testing.T) {
t.Run("UnsignedMerging", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
var err error
t.Run("CreatePullRequest", func(t *testing.T) {
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)
@ -285,7 +285,7 @@ func TestGPGGit(t *testing.T) {
t.Run("BaseSignedMerging", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
var err error
t.Run("CreatePullRequest", func(t *testing.T) {
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)
@ -306,7 +306,7 @@ func TestGPGGit(t *testing.T) {
t.Run("CommitsSignedMerging", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
testCtx := NewAPITestContext(t, username, "initial-unsigned")
testCtx := NewAPITestContext(t, username, "initial-unsigned", "repo")
var err error
t.Run("CreatePullRequest", func(t *testing.T) {
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)