From f45bfe3b4dc5f2fc748f40d20b1cc58ac227fc56 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Sun, 30 Oct 2022 22:33:14 -0400
Subject: [PATCH] No token needed for some public info
---
 routers/api/v1/api.go | 80 ++++++++++-----------
 tests/integration/api_comment_test.go | 9 +--
 tests/integration/api_repo_file_get_test.go | 5 +-
 tests/integration/api_wiki_test.go | 9 +--
 4 files changed, 47 insertions(+), 56 deletions(-)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 12f9d25742..74d28fa51c 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -838,7 +838,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 })
 }, reqAdmin(), reqWebhooksEnabled())
 m.Group("/collaborators", func() {
- m.Get("", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.ListCollaborators)
+ m.Get("", reqAnyRepoReader(), repo.ListCollaborators)
 m.Group("/{collaborator}", func() {
 m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).
 Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).
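Review bot: `m.Get("", reqAnyRepoReader(), repo.ListCollaborators)` now serves the collaborator list without any token, so on a public repository an anonymous caller can presumably enumerate the collaborator accounts (what reqAnyRepoReader does for an unauthenticated request is not visible in this hunk). The commit message files this under public information, but a collaborator list is also an account-enumeration surface, so it is worth confirming this is a deliberate decision rather than a side effect of the blanket token removal. A one-line comment on the route, `// collaborator list is visible to anyone who can read the repository`, would record the decision. The enclosing Routes function starts and ends outside the hunk.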
@@ -854,17 +854,17 @@ func Routes(ctx gocontext.Context) *web.Route {
 Put(reqAdmin(), repo.AddTeam).
 Delete(reqAdmin(), repo.DeleteTeam)
 }, reqToken(auth_model.AccessTokenScopeRepo))
- m.Get("/raw/*", reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)
- m.Get("/media/*", reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)
- m.Get("/archive/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), repo.GetArchive)
- m.Combo("/forks", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.ListForks).
- Post(reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)
+ m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)
+ m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)
+ m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)
+ m.Combo("/forks").Get(repo.ListForks).
+ Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)
 m.Group("/branches", func() {
 m.Get("", repo.ListBranches)
 m.Get("/*", repo.GetBranch)
- m.Delete("/*", reqRepoWriter(unit.TypeCode), repo.DeleteBranch)
- m.Post("", reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)
- }, reqToken(auth_model.AccessTokenScopeRepo), context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))
+ m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.DeleteBranch)
+ m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)
+ }, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))
 m.Group("/branch_protections", func() {
 m.Get("", repo.ListBranchProtections)
 m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)
@@ -877,9 +877,9 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Group("/tags", func() {
 m.Get("", repo.ListTags)
 m.Get("/*", repo.GetTag)
- m.Post("", reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)
- m.Delete("/*", repo.DeleteTag)
- }, reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))
+ m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)
+ m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTag)
+ }, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))
 m.Group("/keys", func() {
 m.Combo("").Get(repo.ListDeployKeys).
 Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)
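Review bot: `m.Combo("/forks").Get(repo.ListForks)` carries no explicit reader check on its Get side while the Post side spells out `reqRepoReader(unit.TypeCode)`; the old Combo at least demanded a token, so whether an anonymous caller can now list forks of a repository they cannot read depends entirely on group-level middleware that sits outside this hunk. If that middleware already rejects unreadable repositories, a comment on the Combo saying so would stop the next reader from re-asking; otherwise `m.Combo("/forks").Get(reqRepoReader(unit.TypeCode), repo.ListForks).` closes the gap. Separately, `m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)` now lets unauthenticated clients trigger archive generation on public repositories, which is comparatively costly and worth checking against whatever rate limiting sits in front of the API. The enclosing Routes function starts and ends outside the hunk.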
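Review bot: `m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTag)` gains the token check but, unlike the Post on the line above it, still has no `reqRepoWriter(unit.TypeCode)`, so at the route level a tag deletion is guarded only by a token plus the group's read permission. If DeleteTag enforces write permission internally (not visible here) this is only defense in depth, but making the two lines symmetric, `m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.DeleteTag)`, keeps the authorization readable from the route table alone. The enclosing Routes function starts and ends outside the hunk.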
@@ -893,45 +893,45 @@ func Routes(ctx gocontext.Context) *web.Route {
 m.Group("/wiki", func() {
 m.Combo("/page/{pageName}").
 Get(repo.GetWikiPage).
- Patch(mustNotBeArchived, reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).
- Delete(mustNotBeArchived, reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)
+ Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).
+ Delete(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)
 m.Get("/revisions/{pageName}", repo.ListPageRevisions)
- m.Post("/new", mustNotBeArchived, reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)
+ m.Post("/new", mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)
 m.Get("/pages", repo.ListWikiPages)
- }, mustEnableWiki, reqToken(auth_model.AccessTokenScopeRepo))
+ }, mustEnableWiki)
 m.Group("/issues", func() {
 m.Combo("").Get(repo.ListIssues).
- Post(mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
+ Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)
 m.Group("/comments", func() {
 m.Get("", repo.ListRepoIssueComments)
 m.Group("/{id}", func() {
 m.Combo("").
 Get(repo.GetIssueComment).
- Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
- Delete(repo.DeleteIssueComment)
+ Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
+ Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueComment)
 m.Combo("/reactions").
 Get(repo.GetIssueCommentReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
+ Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
+ Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
 })
 })
 m.Group("/{index}", func() {
 m.Combo("").Get(repo.GetIssue).
- Patch(bind(api.EditIssueOption{}), repo.EditIssue).
- Delete(reqAdmin(), repo.DeleteIssue)
+ Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueOption{}), repo.EditIssue).
+ Delete(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), repo.DeleteIssue)
 m.Group("/comments", func() {
 m.Combo("").Get(repo.ListIssueComments).
- Post(mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)
- m.Combo("/{id}", reqToken("")).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).
+ Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)
+ m.Combo("/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).
 Delete(repo.DeleteIssueCommentDeprecated)
 })
 m.Get("/timeline", repo.ListIssueCommentsAndTimeline)
 m.Group("/labels", func() {
 m.Combo("").Get(repo.ListIssueLabels).
- Post(bind(api.IssueLabelsOption{}), repo.AddIssueLabels).
- Put(bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).
- Delete(repo.ClearIssueLabels)
- m.Delete("/{id}", repo.DeleteIssueLabel)
+ Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).
+ Put(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).
+ Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.ClearIssueLabels)
+ m.Delete("/{id}", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueLabel)
 })
 m.Group("/times", func() {
 m.Combo("").
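Review bot: With `}, mustEnableWiki)` here and `}, mustEnableIssuesOrPulls)` in the next hunk the group-level reqToken is gone, so token enforcement now rests on every mutating route carrying it individually, and any Post/Patch/Put/Delete added later under /wiki or /issues without `reqToken` will silently become reachable by anonymous users of public repositories. The per-route additions in this hunk and the next look complete, but a comment at the top of each group, `// read routes are public; every mutating route below must carry reqToken explicitly`, plus a route-table test asserting that every non-GET route under these groups includes reqToken, would make that invariant hard to break by accident. The middleware order is also inconsistent: `Patch(mustNotBeArchived, reqToken(...), ...)` on the wiki and comment routes versus `Post(reqToken(...), mustNotBeArchived, ...)` on CreateIssue and CreateIssueComment, so an unauthenticated caller presumably gets an archived-repository error from one route and an authentication error from another; putting reqToken first throughout would be clearer. The enclosing Routes function starts and ends outside the hunk.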
@@ -939,25 +939,25 @@ func Routes(ctx gocontext.Context) *web.Route {
 Post(bind(api.AddTimeOption{}), repo.AddTime).
 Delete(repo.ResetIssueTime)
 m.Delete("/{id}", repo.DeleteTime)
- }, reqToken(""))
- m.Combo("/deadline").Post(bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)
+ }, reqToken(auth_model.AccessTokenScopeRepo))
+ m.Combo("/deadline").Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)
 m.Group("/stopwatch", func() {
- m.Post("/start", repo.StartIssueStopwatch)
- m.Post("/stop", repo.StopIssueStopwatch)
- m.Delete("/delete", repo.DeleteIssueStopwatch)
+ m.Post("/start", reqToken(auth_model.AccessTokenScopeRepo), repo.StartIssueStopwatch)
+ m.Post("/stop", reqToken(auth_model.AccessTokenScopeRepo), repo.StopIssueStopwatch)
+ m.Delete("/delete", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueStopwatch)
 })
 m.Group("/subscriptions", func() {
 m.Get("", repo.GetIssueSubscribers)
- m.Get("/check", repo.CheckIssueSubscription)
- m.Put("/{user}", repo.AddIssueSubscription)
- m.Delete("/{user}", repo.DelIssueSubscription)
+ m.Get("/check", reqToken(auth_model.AccessTokenScopeRepo), repo.CheckIssueSubscription)
+ m.Put("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.AddIssueSubscription)
+ m.Delete("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.DelIssueSubscription)
 })
 m.Combo("/reactions").
 Get(repo.GetIssueReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
+ Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueReaction).
+ Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
 })
- }, mustEnableIssuesOrPulls, reqToken(auth_model.AccessTokenScopeRepo))
+ }, mustEnableIssuesOrPulls)
 m.Group("/labels", func() {
 m.Combo("").Get(repo.ListLabels).
 Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)
diff --git a/tests/integration/api_comment_test.go b/tests/integration/api_comment_test.go
index 1573c2e549..c076ef0bb5 100644
--- a/tests/integration/api_comment_test.go
+++ b/tests/integration/api_comment_test.go
@@ -31,8 +31,7 @@ func TestAPIListRepoComments(t *testing.T) {
 repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
 session := loginUser(t, repoOwner.Name)
- token := getTokenForLoggedInUser(t, session, "repo")
- link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments?token=%s", repoOwner.Name, repo.Name, token))
+ link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments", repoOwner.Name, repo.Name))
 req := NewRequest(t, "GET", link.String())
 resp := session.MakeRequest(t, req, http.StatusOK)
@@ -51,7 +50,6 @@ func TestAPIListRepoComments(t *testing.T) {
 before := "2000-01-01T00:00:11+00:00" // unix: 946684811
 since := "2000-01-01T00:00:12+00:00" // unix: 946684812
 query.Add("before", before)
- query.Add("token", token)
 link.RawQuery = query.Encode()
 req = NewRequest(t, "GET", link.String())
 resp = session.MakeRequest(t, req, http.StatusOK)
@@ -193,9 +191,8 @@ func TestAPIListIssueTimeline(t *testing.T) {
 // make request
 session := loginUser(t, repoOwner.Name)
- token := getTokenForLoggedInUser(t, session, "repo")
- req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline?token=%s",
- repoOwner.Name, repo.Name, issue.Index, token)
+ req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/timeline",
+ repoOwner.Name, repo.Name, issue.Index)
 resp := session.MakeRequest(t, req, http.StatusOK)
 // check if lens of list returned by API and
diff --git a/tests/integration/api_repo_file_get_test.go b/tests/integration/api_repo_file_get_test.go
index e4d351fb91..9ce88bd913 100644
--- a/tests/integration/api_repo_file_get_test.go
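Review bot: The `/times` group keeps its token check at group level, `}, reqToken(auth_model.AccessTokenScopeRepo))`, while every sibling in this hunk moved the check onto individual mutating routes, so the Get on its `m.Combo("")` (which starts above the hunk) stays authenticated-only. That may well be intended, but after this change a reader scanning the route table will assume group-level tokens were removed everywhere; a comment on the closing line such as `// whole group stays behind reqToken: tracked-time listing is not public` (confirm that this is the reason) would explain the exception. The enclosing Routes function starts and ends outside the hunk.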
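Review bot: The updated requests in this hunk and the two below it still go through `session.MakeRequest`, so they only prove that a logged-in user no longer needs a token; the behaviour the commit actually introduces, anonymous reads of issue comments and the timeline on a public repository, is not exercised, and neither is the negative case that a private repository still rejects an anonymous caller. Adding a plain `MakeRequest(t, req, http.StatusOK)` with no session for the public fixture, plus an anonymous request against a private fixture repository expecting a non-200 status, would pin the new authorization boundary on both sides. The same applies to the three api_wiki_test.go hunks further down.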
+++ b/tests/integration/api_repo_file_get_test.go
@@ -18,11 +18,8 @@ import (
 func TestAPIGetRawFileOrLFS(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
- session := loginUser(t, "user1")
- token := getTokenForLoggedInUser(t, session, "repo")
-
 // Test with raw file
- req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/media/README.md?token="+token)
+ req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1/media/README.md")
 resp := MakeRequest(t, req, http.StatusOK)
 assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String())
diff --git a/tests/integration/api_wiki_test.go b/tests/integration/api_wiki_test.go
index 78c1555ff2..e154c1c438 100644
--- a/tests/integration/api_wiki_test.go
+++ b/tests/integration/api_wiki_test.go
@@ -21,9 +21,8 @@ func TestAPIGetWikiPage(t *testing.T) {
 username := "user2"
 session := loginUser(t, username)
- token := getTokenForLoggedInUser(t, session, "repo")
- urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Home?token=%s", username, "repo1", token)
+ urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Home", username, "repo1")
 req := NewRequest(t, "GET", urlStr)
 resp := session.MakeRequest(t, req, http.StatusOK)
@@ -68,9 +67,8 @@ func TestAPIListWikiPages(t *testing.T) {
 username := "user2"
 session := loginUser(t, username)
- token := getTokenForLoggedInUser(t, session, "repo")
- urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/pages?token=%s", username, "repo1", token)
+ urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/pages", username, "repo1")
 req := NewRequest(t, "GET", urlStr)
 resp := session.MakeRequest(t, req, http.StatusOK)
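Review bot: Removing `session` and `token` here turns `resp := MakeRequest(t, req, http.StatusOK)` into a genuinely anonymous request against `user2/repo1`, which is the right positive check for the `/media/*` route change; what is still missing is the negative side, an anonymous GET of the same path on a private fixture repository expecting a non-200 status, so that a future regression in `reqRepoReader(unit.TypeCode)` on this route would be caught by this test rather than noticed in production. A one-line comment above the request, `// no session or token: media of a public repository must be readable anonymously`, would also make the intent of the unauthenticated call explicit. The test function continues past the end of the hunk.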
@@ -217,9 +215,8 @@ func TestAPIListPageRevisions(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 username := "user2"
 session := loginUser(t, username)
- token := getTokenForLoggedInUser(t, session, "repo")
- urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/revisions/Home?token=%s", username, "repo1", token)
+ urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/revisions/Home", username, "repo1")
 req := NewRequest(t, "GET", urlStr)
 resp := session.MakeRequest(t, req, http.StatusOK)