Fixes #6881 - API users search fix (#6882)

diff --git a/integrations/api_admin_test.go b/integrations/api_admin_test.go
index a7bbde4c53752349a061196b3e820a145f9520bc..41add454583709ccc58c554f4a7f5c9bf22d580d 100644 (file)
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -129,3 +129,18 @@ func TestAPIListUsers(t *testing.T) {
        numberOfUsers := models.GetCount(t, &models.User{}, "type = 0")
        assert.Equal(t, numberOfUsers, len(users))
 }
+
+func TestAPIListUsersNotLoggedIn(t *testing.T) {
+       prepareTestEnv(t)
+       req := NewRequest(t, "GET", "/api/v1/admin/users")
+       MakeRequest(t, req, http.StatusUnauthorized)
+}
+
+func TestAPIListUsersNonAdmin(t *testing.T) {
+       prepareTestEnv(t)
+       nonAdminUsername := "user2"
+       session := loginUser(t, nonAdminUsername)
+       token := getTokenForLoggedInUser(t, session)
+       req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)
+       session.MakeRequest(t, req, http.StatusForbidden)
+}

diff --git a/integrations/api_user_search_test.go b/integrations/api_user_search_test.go
new file mode 100644 (file)
index 0000000..8e7c429
--- /dev/null
+++ b/integrations/api_user_search_test.go
@@ -0,0 +1,52 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.package models
+
+package integrations
+
+import (
+       "net/http"
+       "testing"
+
+       api "code.gitea.io/sdk/gitea"
+
+       "github.com/stretchr/testify/assert"
+)
+
+type SearchResults struct {
+       OK   bool        `json:"ok"`
+       Data []*api.User `json:"data"`
+}
+
+func TestAPIUserSearchLoggedIn(t *testing.T) {
+       prepareTestEnv(t)
+       adminUsername := "user1"
+       session := loginUser(t, adminUsername)
+       token := getTokenForLoggedInUser(t, session)
+       query := "user2"
+       req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
+       resp := session.MakeRequest(t, req, http.StatusOK)
+
+       var results SearchResults
+       DecodeJSON(t, resp, &results)
+       assert.NotEmpty(t, results.Data)
+       for _, user := range results.Data {
+               assert.Contains(t, user.UserName, query)
+               assert.NotEmpty(t, user.Email)
+       }
+}
+
+func TestAPIUserSearchNotLoggedIn(t *testing.T) {
+       prepareTestEnv(t)
+       query := "user2"
+       req := NewRequestf(t, "GET", "/api/v1/users/search?q=%s", query)
+       resp := MakeRequest(t, req, http.StatusOK)
+
+       var results SearchResults
+       DecodeJSON(t, resp, &results)
+       assert.NotEmpty(t, results.Data)
+       for _, user := range results.Data {
+               assert.Contains(t, user.UserName, query)
+               assert.Empty(t, user.Email)
+       }
+}

diff --git a/routers/api/v1/admin/user.go b/routers/api/v1/admin/user.go
index 609b53874e58600afbb4ff894644033dfaddb992..0c7088151f5cd752bfa0eb98576e33481ca5b8cf 100644 (file)
--- a/routers/api/v1/admin/user.go
+++ b/routers/api/v1/admin/user.go
@@ -326,7 +326,7 @@ func GetAllUsers(ctx *context.APIContext) {
 
        results := make([]*api.User, len(users))
        for i := range users {
-               results[i] = convert.ToUser(users[i], ctx.IsSigned, ctx.User.IsAdmin)
+               results[i] = convert.ToUser(users[i], ctx.IsSigned, ctx.User != nil && ctx.User.IsAdmin)
        }
 
        ctx.JSON(200, &results)

diff --git a/routers/api/v1/user/user.go b/routers/api/v1/user/user.go
index 2e4ae273e5433872e9ba6c15702e3b34190e567d..76b4fc8dcca42eb6a9dbf02758aceabb34cae861 100644 (file)
--- a/routers/api/v1/user/user.go
+++ b/routers/api/v1/user/user.go
@@ -67,7 +67,7 @@ func Search(ctx *context.APIContext) {
 
        results := make([]*api.User, len(users))
        for i := range users {
-               results[i] = convert.ToUser(users[i], ctx.IsSigned, ctx.User.IsAdmin)
+               results[i] = convert.ToUser(users[i], ctx.IsSigned, ctx.User != nil && ctx.User.IsAdmin)
        }
 
        ctx.JSON(200, map[string]interface{}{