diff options
| author | B-OnTheGo <42626718+beeonthego@users.noreply.github.com> | 2018-09-11 02:15:52 +1000 |
|---|---|---|
| committer | techknowlogick <techknowlogick@users.noreply.github.com> | 2018-09-10 12:15:52 -0400 |
| commit | e47df0b301510a49b49fc43266f436b7d58a02b1 (patch) | |
| tree | acc014c8e82a3b75754c9969f078b25579a523e9 /integrations/api_pull_test.go | |
| parent | 387a4b09c1b62a2a5eb70b89559d5ae53032c989 (diff) | |
| download | gitea-e47df0b301510a49b49fc43266f436b7d58a02b1.tar.gz gitea-e47df0b301510a49b49fc43266f436b7d58a02b1.zip | |
Enforce token on api routes [fixed critical security issue #4357] (#4840)
Diffstat (limited to 'integrations/api_pull_test.go')
| -rw-r--r-- | integrations/api_pull_test.go | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/integrations/api_pull_test.go b/integrations/api_pull_test.go index e56b91d8b9..c416fee8ba 100644 --- a/integrations/api_pull_test.go +++ b/integrations/api_pull_test.go @@ -23,7 +23,8 @@ func TestAPIViewPulls(t *testing.T) { owner := models.AssertExistsAndLoadBean(t, &models.User{ID: repo.OwnerID}).(*models.User) session := loginUser(t, "user2") - req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all", owner.Name, repo.Name) + token := getTokenForLoggedInUser(t, session) + req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&token="+token, owner.Name, repo.Name) resp := session.MakeRequest(t, req, http.StatusOK) var pulls []*api.PullRequest @@ -47,7 +48,8 @@ func TestAPIMergePullWIP(t *testing.T) { assert.Contains(t, pr.Issue.Title, setting.Repository.PullRequest.WorkInProgressPrefixes[0]) session := loginUser(t, owner.Name) - req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge", owner.Name, repo.Name, pr.Index), &auth.MergePullRequestForm{ + token := getTokenForLoggedInUser(t, session) + req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s", owner.Name, repo.Name, pr.Index, token), &auth.MergePullRequestForm{ MergeMessageField: pr.Issue.Title, Do: string(models.MergeStyleMerge), }) |