core
/
gitea
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add missing `reqToken()` to notifications endpoints (#26914) 

They currently throw a Internal Server Error when you use them without a
token. Now they correctly return a `token is required` error.

This is no security issue. If you use this endpoints with a token that
don't have the correct permission, you get the correct error. This is
not affected by this PR.
This commit is contained in:
JakobDev 2023-09-05 16:43:34 +02:00 committed by GitHub
parent f79f6a26ae
commit e9f5067653
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
routers/api/v1/api.go
View File

@ -776,11 +776,11 @@ func Routes() *web.Route {
// Notifications (requires 'notifications' scope) // Notifications (requires 'notifications' scope)
m.Group("/notifications", func() { m.Group("/notifications", func() {
m.Combo(""). m.Combo("").
Get(notify.ListNotifications). Get(reqToken(), notify.ListNotifications).
Put(reqToken(), notify.ReadNotifications) Put(reqToken(), notify.ReadNotifications)
m.Get("/new", notify.NewAvailable) m.Get("/new", reqToken(), notify.NewAvailable)
m.Combo("/threads/{id}"). m.Combo("/threads/{id}").
Get(notify.GetThread). Get(reqToken(), notify.GetThread).
Patch(reqToken(), notify.ReadThread) Patch(reqToken(), notify.ReadThread)
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification)) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))

6
tests/integration/api_notification_test.go
View File

@ -30,6 +30,8 @@ func TestAPINotification(t *testing.T) {
session := loginUser(t, user2.Name) session := loginUser(t, user2.Name)
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository) token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications"), http.StatusUnauthorized)
// -- GET /notifications -- // -- GET /notifications --
// test filter // test filter
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
@ -80,6 +82,8 @@ func TestAPINotification(t *testing.T) {
assert.False(t, apiNL[1].Unread) assert.False(t, apiNL[1].Unread)
assert.True(t, apiNL[1].Pinned) assert.True(t, apiNL[1].Pinned)
MakeRequest(t, NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", 1)), http.StatusUnauthorized)
// -- GET /notifications/threads/{id} -- // -- GET /notifications/threads/{id} --
// get forbidden // get forbidden
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token)) req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
@ -99,6 +103,8 @@ func TestAPINotification(t *testing.T) {
assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL) assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL) assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL)
MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications/new"), http.StatusUnauthorized)
new := struct { new := struct {
New int64 `json:"new"` New int64 `json:"new"`
}{} }{}