From be5164b4f4f039a3038a3f9d42d582b1c3081ef6 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Sat, 29 Oct 2022 15:14:59 -0400
Subject: [PATCH] Restrict token scope for notifications

---
 routers/api/v1/api.go | 2 +-
 tests/integration/api_notification_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index b86db484b1..27b4e07d4e 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -685,7 +685,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Combo("/threads/{id}").
 Get(notify.GetThread).
 Patch(notify.ReadThread)
- }, reqToken(""))
+ }, reqToken(auth_model.AccessTokenScopeNotification))
 
 // Users
 m.Group("/users", func() {
diff --git a/tests/integration/api_notification_test.go b/tests/integration/api_notification_test.go
index bf85520bb5..75dd8a288c 100644
--- a/tests/integration/api_notification_test.go
+++ b/tests/integration/api_notification_test.go
@@ -27,7 +27,7 @@ func TestAPINotification(t *testing.T) {
 thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
 assert.NoError(t, thread5.LoadAttributes())
 session := loginUser(t, user2.Name)
- token := getTokenForLoggedInUser(t, session)
+ token := getTokenForLoggedInUser(t, session, "notification")
 
 // -- GET /notifications --
 // test filter
@@ -145,7 +145,7 @@ func TestAPINotificationPUT(t *testing.T) {
 thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
 assert.NoError(t, thread5.LoadAttributes())
 session := loginUser(t, user2.Name)
- token := getTokenForLoggedInUser(t, session)
+ token := getTokenForLoggedInUser(t, session, "notification")
 
 // Check notifications are as expected
 req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=true&token=%s", token))
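Review bot: In `routers/api/v1/api.go`, the one scope `auth_model.AccessTokenScopeNotification` on the closing line of the notifications group authorises `Get(notify.GetThread)` and `Patch(notify.ReadThread)` identically, so a token handed to a read-only integration can presumably also change thread state. If least privilege matters here, that needs a separate write scope or a per-method check. The hunk also does not show how `reqToken` treats tokens created before scopes existed, so it is worth confirming they are not silently accepted for this group. At minimum the line deserves a comment such as `// notification scope covers both reading threads and marking them read`. The group's opening `m.Group(...)` lies outside the hunk.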
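Review bot: In `tests/integration/api_notification_test.go`, both updated calls (in `TestAPINotification` and in `TestAPINotificationPUT`) only request a token that already carries `"notification"`, so nothing in these tests proves the new restriction rejects anything. A negative case is missing: obtain a token with some other scope and assert the endpoint refuses it, e.g. `req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?token=%s", otherToken))` followed by `MakeRequest(t, req, http.StatusForbidden)`. The expected status depends on `reqToken`, which is not visible here. Passing the scope as the literal `"notification"` rather than the `auth_model.AccessTokenScopeNotification` constant also lets the test and the route drift apart if the scope is renamed. Both test functions continue outside their hunks.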