mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-25 08:59:31 -05:00
Add missing reqToken()
to notifications endpoints (#26914)
They currently throw a Internal Server Error when you use them without a token. Now they correctly return a `token is required` error. This is no security issue. If you use this endpoints with a token that don't have the correct permission, you get the correct error. This is not affected by this PR.
This commit is contained in:
parent
f79f6a26ae
commit
e9f5067653
2 changed files with 9 additions and 3 deletions
|
@ -776,11 +776,11 @@ func Routes() *web.Route {
|
||||||
// Notifications (requires 'notifications' scope)
|
// Notifications (requires 'notifications' scope)
|
||||||
m.Group("/notifications", func() {
|
m.Group("/notifications", func() {
|
||||||
m.Combo("").
|
m.Combo("").
|
||||||
Get(notify.ListNotifications).
|
Get(reqToken(), notify.ListNotifications).
|
||||||
Put(reqToken(), notify.ReadNotifications)
|
Put(reqToken(), notify.ReadNotifications)
|
||||||
m.Get("/new", notify.NewAvailable)
|
m.Get("/new", reqToken(), notify.NewAvailable)
|
||||||
m.Combo("/threads/{id}").
|
m.Combo("/threads/{id}").
|
||||||
Get(notify.GetThread).
|
Get(reqToken(), notify.GetThread).
|
||||||
Patch(reqToken(), notify.ReadThread)
|
Patch(reqToken(), notify.ReadThread)
|
||||||
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))
|
}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))
|
||||||
|
|
||||||
|
|
|
@ -30,6 +30,8 @@ func TestAPINotification(t *testing.T) {
|
||||||
session := loginUser(t, user2.Name)
|
session := loginUser(t, user2.Name)
|
||||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
|
||||||
|
|
||||||
|
MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications"), http.StatusUnauthorized)
|
||||||
|
|
||||||
// -- GET /notifications --
|
// -- GET /notifications --
|
||||||
// test filter
|
// test filter
|
||||||
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
|
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801
|
||||||
|
@ -80,6 +82,8 @@ func TestAPINotification(t *testing.T) {
|
||||||
assert.False(t, apiNL[1].Unread)
|
assert.False(t, apiNL[1].Unread)
|
||||||
assert.True(t, apiNL[1].Pinned)
|
assert.True(t, apiNL[1].Pinned)
|
||||||
|
|
||||||
|
MakeRequest(t, NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", 1)), http.StatusUnauthorized)
|
||||||
|
|
||||||
// -- GET /notifications/threads/{id} --
|
// -- GET /notifications/threads/{id} --
|
||||||
// get forbidden
|
// get forbidden
|
||||||
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
|
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token))
|
||||||
|
@ -99,6 +103,8 @@ func TestAPINotification(t *testing.T) {
|
||||||
assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
|
assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL)
|
||||||
assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL)
|
assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL)
|
||||||
|
|
||||||
|
MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications/new"), http.StatusUnauthorized)
|
||||||
|
|
||||||
new := struct {
|
new := struct {
|
||||||
New int64 `json:"new"`
|
New int64 `json:"new"`
|
||||||
}{}
|
}{}
|
||||||
|
|
Loading…
Reference in a new issue