author | B-OnTheGo <42626718+beeonthego@users.noreply.github.com> | 2018-09-11 02:15:52 +1000 |
---|---|---|
committer | techknowlogick <techknowlogick@users.noreply.github.com> | 2018-09-10 12:15:52 -0400 |
commit | e47df0b301510a49b49fc43266f436b7d58a02b1 (patch) | |
tree | acc014c8e82a3b75754c9969f078b25579a523e9 /integrations/api_comment_test.go | |
parent | 387a4b09c1b62a2a5eb70b89559d5ae53032c989 (diff) | |
download | gitea-e47df0b301510a49b49fc43266f436b7d58a02b1.tar.gz gitea-e47df0b301510a49b49fc43266f436b7d58a02b1.zip |
Enforce token on api routes [fixed critical security issue #4357] (#4840)
Diffstat (limited to 'integrations/api_comment_test.go')
-rw-r--r-- | integrations/api_comment_test.go | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/integrations/api_comment_test.go b/integrations/api_comment_test.go
index 423d0f7989..60bb2cfb7b 100644
--- a/integrations/api_comment_test.go
+++ b/integrations/api_comment_test.go
@@ -69,8 +69,9 @@ func TestAPICreateComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 session := loginUser(t, repoOwner.Name)
- urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments",
- repoOwner.Name, repo.Name, issue.Index)
+ token := getTokenForLoggedInUser(t, session)
+ urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
+ repoOwner.Name, repo.Name, issue.Index, token)
 req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 "body": commentBody,
 })
@@ -93,8 +94,9 @@ func TestAPIEditComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 session := loginUser(t, repoOwner.Name)
- urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d",
- repoOwner.Name, repo.Name, comment.ID)
+ token := getTokenForLoggedInUser(t, session)
+ urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
+ repoOwner.Name, repo.Name, comment.ID, token)
 req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
 "body": newCommentBody,
 })
@@ -117,8 +119,9 @@ func TestAPIDeleteComment(t *testing.T) {
 repoOwner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 session := loginUser(t, repoOwner.Name)
- req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d",
- repoOwner.Name, repo.Name, comment.ID)
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
+ repoOwner.Name, repo.Name, comment.ID, token)
 session.MakeRequest(t, req, http.StatusNoContent)
 models.AssertNotExistsBean(t, &models.Comment{ID: comment.ID}) |
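Review bot: The rewritten request in TestAPICreateComment only exercises the success path with a token attached, so nothing in this file would fail if the token enforcement this commit adds (the fix for the referenced security issue) were later reverted; the same gap applies to the TestAPIEditComment and TestAPIDeleteComment hunks. A regression check belongs beside each of these requests, sending the same request without the token and expecting the rejection status the enforcing middleware returns (I believe 401 — confirm against the route's token-checking handler), e.g. `req = NewRequestWithValues(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments", repoOwner.Name, repo.Name, issue.Index), map[string]string{"body": commentBody})` followed by `session.MakeRequest(t, req, http.StatusUnauthorized)`. Carrying the token in the query string also means it lands in access logs and captured test output; if the request helpers can set headers, the `Authorization: token <value>` form keeps it out of URLs. All three test functions start and end outside their hunks.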