Restrict token scope for notifications

harryzcy 2022-10-29 15:14:59 -04:00
parent 06e9c81b64
commit be5164b4f4
No known key found for this signature in database
GPG key ID: CC2953E050C19686
2 changed files with 3 additions and 3 deletions


@ -685,7 +685,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Combo("/threads/{id}").
Get(notify.GetThread).
Patch(notify.ReadThread)
}, reqToken(""))
}, reqToken(auth_model.AccessTokenScopeNotification))
// Users
m.Group("/users", func() {
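Review bot: The new check at `}, reqToken(auth_model.AccessTokenScopeNotification))` applies one scope to the whole group, so `Get(notify.GetThread)` and `Patch(notify.ReadThread)` accept the same token. From the lines shown, a token cannot be limited to reading notifications without also being able to mark them read. If that is intended, a comment on the group would record it, e.g. `// Notifications: every route in this group, read or write, requires the notification scope`. The group opens above the hunk, so its other routes are not visible here. It is also worth confirming how reqToken treats tokens issued before scopes existed, since the previous argument was `""`.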


@ -27,7 +27,7 @@ func TestAPINotification(t *testing.T) {
thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
assert.NoError(t, thread5.LoadAttributes())
session := loginUser(t, user2.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "notification")
// -- GET /notifications --
// test filter
@ -145,7 +145,7 @@ func TestAPINotificationPUT(t *testing.T) {
thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
assert.NoError(t, thread5.LoadAttributes())
session := loginUser(t, user2.Name)
token := getTokenForLoggedInUser(t, session)
token := getTokenForLoggedInUser(t, session, "notification")
// Check notifications are as expected
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=true&token=%s", token))
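Review bot: Both tests now call `getTokenForLoggedInUser(t, session, "notification")`, which only proves that a correctly scoped token is accepted; nothing visible asserts that a token without the notification scope is refused, which is the behaviour the route change is meant to enforce. A negative case in TestAPINotification would pin that: request a token with a different scope and expect the notifications endpoint to reject it with whatever status reqToken returns. The literal `"notification"` also duplicates the route's `auth_model.AccessTokenScopeNotification`; if the helper's parameter type allows it, passing the constant keeps the test and the route from drifting apart. Both test functions continue outside the hunks.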