Enforce token on api routes [fixed critical security issue #4357] (#4840)

1 files changed, 5 insertions, 4 deletions

diff --git a/integrations/api_issue_test.go b/integrations/api_issue_test.go
index 74436ffe9e..97207f3368 100644
--- a/integrations/api_issue_test.go
+++ b/integrations/api_issue_test.go
@@ -22,8 +22,9 @@ func TestAPIListIssues(t *testing.T) {
 	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 	session := loginUser(t, owner.Name)
-	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all",
-		owner.Name, repo.Name)
+	token := getTokenForLoggedInUser(t, session)
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues?state=all&token=%s",
+		owner.Name, repo.Name, token)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	var apiIssues []*api.Issue
 	DecodeJSON(t, resp, &apiIssues)
@@ -41,8 +42,8 @@ func TestAPICreateIssue(t *testing.T) {
 	owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User)
 
 	session := loginUser(t, owner.Name)
-
-	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all", owner.Name, repo.Name)
+	token := getTokenForLoggedInUser(t, session)
+	urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repo.Name, token)
 	req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
 		Body:     body,
 		Title:    title,