Fix permissions for Token DELETE endpoint to match GET and POST (#27610)

Fixes #27598

In #27080, the logic for the token endpoints was updated to allow
admins to create and view tokens in other accounts. However, the same
functionality was not added to the DELETE endpoint. This PR makes the
DELETE endpoint behave the same as the other token endpoints and adds integration tests.

authored by

Evan Tobin and committed by
GitHub
ae419fa4 c6c829fe

+30 -3
+1 -1
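--- a/routers/api/v1/user/app.go
+++ b/routers/api/v1/user/app.go
@@ -193,7 +193,7 @@
 return
 }
 
-if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.Doer.ID); err != nil {
+if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.ContextUser.ID); err != nil {
 if auth_model.IsErrAccessTokenNotExist(err) {
 ctx.NotFound()
 } else {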
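Review bot: The rewritten call on line 196 makes the safety of this endpoint depend entirely on an authorization check that sits before this hunk and outside the view: once the delete is scoped by `ctx.ContextUser.ID` instead of the caller, a requester who is neither that user nor an admin must already have been rejected, or they can delete another account's token. The integration test added in this commit expects a 403 for exactly that case, so the check presumably exists, but nothing at this call site records the assumption for the next person who touches it. I would add above the call: `// Scope the delete to the user named in the URL, not the caller; admin-or-self authorization is enforced before this point.` A consequence worth a second comment is that a token id that exists but belongs to a different user than the URL's user now falls into the NotFound branch rather than being deleted, which is the desired outcome. The enclosing handler begins before this hunk.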
+29 -2
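--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -63,6 +63,33 @@
 MakeRequest(t, req, http.StatusForbidden)
 }
 
+// TestAPIDeleteTokensPermission ensures that only the admin can delete tokens from other users
+func TestAPIDeleteTokensPermission(t *testing.T) {
+defer tests.PrepareTestEnv(t)()
+
+admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+user4 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+
+// admin can delete tokens for other users
+createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user2, nil)
+req := NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-1")
+req = AddBasicAuthHeader(req, admin.Name)
+MakeRequest(t, req, http.StatusNoContent)
+
+// non-admin can delete tokens for himself
+createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user2, nil)
+req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-2")
+req = AddBasicAuthHeader(req, user2.Name)
+MakeRequest(t, req, http.StatusNoContent)
+
+// non-admin can't delete tokens for other users
+createAPIAccessTokenWithoutCleanUp(t, "test-key-3", user2, nil)
+req = NewRequestf(t, "DELETE", "/api/v1/users/"+user2.LoginName+"/tokens/test-key-3")
+req = AddBasicAuthHeader(req, user4.Name)
+MakeRequest(t, req, http.StatusForbidden)
+}
+
 type permission struct {
 category auth_model.AccessTokenScopeCategory
 level auth_model.AccessTokenScopeLevel
@@ -525,7 +552,7 @@
 }
 }
 log.Debug("Requesting creation of token with scopes: %v", scopes)
-req := NewRequestWithJSON(t, "POST", "/api/v1/users/user1/tokens", payload)
+req := NewRequestWithJSON(t, "POST", "/api/v1/users/"+user.LoginName+"/tokens", payload)
 
 req = AddBasicAuthHeader(req, user.Name)
 resp := MakeRequest(t, req, http.StatusCreated)
@@ -545,7 +572,7 @@
 // createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that
 // deletion succeeded.
 func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {
-req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", accessToken.ID)
+req := NewRequestf(t, "DELETE", "/api/v1/users/"+user.LoginName+"/tokens/%d", accessToken.ID)
 req = AddBasicAuthHeader(req, user.Name)
 MakeRequest(t, req, http.StatusNoContent)
 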
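Review bot: The new request lines (76, 82, 88, and the rewritten 555 and 575) build the `/api/v1/users/{username}/...` path from `LoginName` while the basic-auth header on the following line uses `Name`; the route keys on the username and `LoginName` is the external-auth login field, so this presumably passes only because the fixtures set both to the same value — `"/api/v1/users/"+user2.Name+"/tokens/test-key-1"` states the intent directly. Lines 76, 82 and 88 also hand a concatenated, non-constant string to `NewRequestf` with no arguments, which newer `go vet` reports and which would misparse a `%` in the name; use `NewRequest` or `NewRequestf(t, "DELETE", "/api/v1/users/%s/tokens/test-key-1", user2.Name)`. The forbidden case on lines 86-90 checks only the status code; asserting afterwards that the token survived, e.g. `unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{UID: user2.ID, Name: "test-key-3"})`, would pin that the 403 actually prevented the deletion. A fourth case — admin deleting through user2's URL a token that belongs to user4 and expecting 404 — would cover the `ContextUser.ID` scoping this commit introduces in app.go, which none of the three cases currently exercises.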