diff options
| author | zeripath <art27@cantab.net> | 2021-06-21 14:01:44 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-06-21 14:01:44 +0100 |
| commit | 681e81babdbbe777b3ea2af353b872aee2dd9b32 (patch) | |
| tree | 2987629e07fccd4a046626387ead70d2dee74b9f | |
| parent | 4fcae3d06d1099ade682df96e41baf4f5ac56620 (diff) | |
| download | gitea-681e81babdbbe777b3ea2af353b872aee2dd9b32.tar.gz gitea-681e81babdbbe777b3ea2af353b872aee2dd9b32.zip | |
reqOrgMembership calls need to be preceded by reqToken (#16198)
ReqOrgMembership calls need to be preceded by reqToken
Fix #16192
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
| -rw-r--r-- | integrations/api_team_test.go | 4 | ||||
| -rw-r--r-- | routers/api/v1/api.go | 6 |
2 files changed, 7 insertions, 3 deletions
diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go index 8b202862a1..0b77dc3be7 100644 --- a/integrations/api_team_test.go +++ b/integrations/api_team_test.go @@ -144,7 +144,9 @@ func TestAPITeamSearch(t *testing.T) { var results TeamSearchResults session := loginUser(t, user.Name) + csrf := GetCSRF(t, session, "/"+org.Name) req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "_team") + req.Header.Add("X-Csrf-Token", csrf) resp := session.MakeRequest(t, req, http.StatusOK) DecodeJSON(t, resp, &results) assert.NotEmpty(t, results.Data) @@ -154,7 +156,9 @@ func TestAPITeamSearch(t *testing.T) { // no access if not organization member user5 := models.AssertExistsAndLoadBean(t, &models.User{ID: 5}).(*models.User) session = loginUser(t, user5.Name) + csrf = GetCSRF(t, session, "/"+org.Name) req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "team") + req.Header.Add("X-Csrf-Token", csrf) resp = session.MakeRequest(t, req, http.StatusForbidden) } diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go index 34cf80e072..9efc2af244 100644 --- a/routers/api/v1/api.go +++ b/routers/api/v1/api.go @@ -989,10 +989,10 @@ func Routes() *web.Route { Delete(reqToken(), reqOrgMembership(), org.ConcealMember) }) m.Group("/teams", func() { - m.Combo("", reqToken()).Get(org.ListTeams). - Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam) + m.Get("", org.ListTeams) + m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam) m.Get("/search", org.SearchTeam) - }, reqOrgMembership()) + }, reqToken(), reqOrgMembership()) m.Group("/labels", func() { m.Get("", org.ListLabels) m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel) |