[API] dont reqToken on GetReactions (fix #9543) (#9548)
author6543 <6543@obermui.de>
Thu, 2 Jan 2020 21:27:31 +0000 (22:27 +0100)
committerLauris BH <lauris@nix.lv>
Thu, 2 Jan 2020 21:27:31 +0000 (23:27 +0200)
* dont reqToken on GetReactions

* ctx.Repo.CanWrite already has ctx.User.IsAdmin in it

Co-authored-by: Lauris BH <lauris@nix.lv>
routers/api/v1/api.go
routers/api/v1/repo/issue_reaction.go

index 0bb5320b1602171883eb4967431d60c8bb56c170..e4288f40f650bd224396b18e0eb19d667a28599f 100644 (file)
@@ -664,10 +664,10 @@ func RegisterRoutes(m *macaron.Macaron) {
                                                        m.Combo("", reqToken()).
                                                                Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
                                                                Delete(repo.DeleteIssueComment)
-                                                       m.Combo("/reactions", reqToken()).
+                                                       m.Combo("/reactions").
                                                                Get(repo.GetIssueCommentReactions).
-                                                               Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
-                                                               Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
+                                                               Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).
+                                                               Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)
                                                })
                                        })
                                        m.Group("/:index", func() {
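Review bot: On the two added Post/Delete lines, `bind(api.EditReactionOption{})` is listed before `reqToken()`, so if macaron runs the handlers in the order given (as the `m.Combo("", reqToken()).Patch(mustNotBeArchived, bind(...), ...)` route just above assumes) the JSON body of an unauthenticated request is decoded and validated before the token check rejects it. Putting the auth middleware first keeps the unauthenticated surface to the token check alone and matches the existing routes: `Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).` and `Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)`. The issue-level `/reactions` combo in the next hunk (@@ -704) has the same ordering. RegisterRoutes starts and ends outside this hunk.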
@@ -704,10 +704,10 @@ func RegisterRoutes(m *macaron.Macaron) {
                                                        m.Put("/:user", reqToken(), repo.AddIssueSubscription)
                                                        m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
                                                })
-                                               m.Combo("/reactions", reqToken()).
+                                               m.Combo("/reactions").
                                                        Get(repo.GetIssueReactions).
-                                                       Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
-                                                       Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
+                                                       Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).
+                                                       Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)
                                        })
                                }, mustEnableIssuesOrPulls)
                                m.Group("/labels", func() {
index bbc767cc99ad4221c297b39d0ddf057ec2901385..d612b20d7e5e1e1b0ec68a248424b179f6598f5a 100644 (file)
@@ -55,7 +55,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
                return
        }
 
-       if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+       if !ctx.Repo.CanRead(models.UnitTypeIssues) {
                ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
                return
        }
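Review bot: The rewritten condition is only safe because `ctx.User` is no longer touched: with `reqToken()` removed from the GET route, `ctx.User` can be nil for anonymous callers, and the old `!ctx.User.IsAdmin` would have panicked rather than granted access, so the invariant deserves a comment, e.g. `// ctx.User may be nil (no reqToken() on GET); admin rights are assumed to be folded into ctx.Repo's permission, so CanRead is the only check`. The commit message justifies the drop for CanWrite, not CanRead; it is worth confirming that site admins are indeed granted access through `ctx.Repo` for the read path as well, since the permission type is not visible here. GetIssueCommentReactions starts before this hunk, so any earlier `ctx.User` dereference in the function cannot be checked from here; the same applies to GetIssueReactions in the @@ -261 hunk.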
@@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
                ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
        }
 
-       if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+       if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
                ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
                return
        }
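Review bot: The new condition dereferences `comment.Issue`, but the `comment.LoadIssue()` error branch two lines above it calls `ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)` without returning, so on a load failure the handler continues and the new `comment.Issue.IsLocked` read can hit a nil pointer; the branch should end with `return` right after the `ctx.Error` call, unless `comment.Issue` is guaranteed non-nil by code outside this hunk. Dropping the `IsAdmin` check is fine on this path because the route keeps `reqToken()` and so `ctx.User` is set, provided `CanWrite` folds admin status in as the commit message states. changeIssueCommentReaction starts and ends outside this hunk.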
@@ -261,7 +261,7 @@ func GetIssueReactions(ctx *context.APIContext) {
                return
        }
 
-       if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+       if !ctx.Repo.CanRead(models.UnitTypeIssues) {
                ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
                return
        }
@@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
                return
        }
 
-       if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+       if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
                ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
                return
        }
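Review bot: The `ctx.Error` on the line following the rewritten condition labels the failure as `"ChangeIssueCommentReaction"` even though this is changeIssueReaction, which will misattribute the 403 in logs; the label should name this function, e.g. `ctx.Error(http.StatusForbidden, "ChangeIssueReaction", errors.New("no permission to change reaction"))`. As with the comment-level handler, the removed `IsAdmin` clause is safe here only because the route still carries `reqToken()` and `CanWrite` is assumed to include admin rights. changeIssueReaction starts and ends outside this hunk.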