authorB-OnTheGo <42626718+beeonthego@users.noreply.github.com>2018-09-11 02:15:52 +1000
committertechknowlogick <techknowlogick@users.noreply.github.com>2018-09-10 12:15:52 -0400
commite47df0b301510a49b49fc43266f436b7d58a02b1 (patch)
treeacc014c8e82a3b75754c9969f078b25579a523e9 /integrations/api_repo_test.go
parent387a4b09c1b62a2a5eb70b89559d5ae53032c989 (diff)
Enforce token on api routes [fixed critical security issue #4357] (#4840)
Diffstat (limited to 'integrations/api_repo_test.go')
-rw-r--r--integrations/api_repo_test.go25
1 files changed, 14 insertions, 11 deletions
diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index 5dc2f88cb9..3fa2ae21dc 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -76,7 +76,7 @@ func TestAPISearchRepo(t *testing.T) {
user: {count: 10},
user2: {count: 10}},
},
- {name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search", expectedResults: expectedResults{
+ {name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search?default", expectedResults: expectedResults{
nil: {count: 10},
user: {count: 10},
user2: {count: 10}},
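Review bot: The new `?default` in the RepositoriesDefaultMax10 requestURL exists only so that the `"&token="+token` concatenation in the hunk at @@ -153,7 +155,7 can append to a URL that otherwise has no query string, and nothing in the test table says so; any future case added without a `?` would silently send `/path&token=...`. Building the URL with net/url in that later hunk removes the placeholder, escapes the token, and avoids sending a bare `&token=` with an empty value on the AnonymousUser path, where the `nil` expectation is the point of the test. This would need `net/url` and `strings` imported, which is outside these hunks, and the loop that builds the requests also starts outside this hunk.
```go
t.Run(testName, func(t *testing.T) {
	reqURL := testCase.requestURL
	if token != "" {
		sep := "?"
		if strings.Contains(reqURL, "?") {
			sep = "&"
		}
		reqURL += sep + "token=" + url.QueryEscape(token)
	}
	request := NewRequest(t, "GET", reqURL)
	// … unchanged: MakeRequest and SearchResults decoding …
```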
@@ -143,9 +143,11 @@ func TestAPISearchRepo(t *testing.T) {
var session *TestSession
var testName string
var userID int64
+ var token string
if userToLogin != nil && userToLogin.ID > 0 {
testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
session = loginUser(t, userToLogin.Name)
+ token = getTokenForLoggedInUser(t, session)
userID = userToLogin.ID
} else {
testName = "AnonymousUser"
@@ -153,7 +155,7 @@ func TestAPISearchRepo(t *testing.T) {
}
t.Run(testName, func(t *testing.T) {
- request := NewRequest(t, "GET", testCase.requestURL)
+ request := NewRequest(t, "GET", testCase.requestURL+"&token="+token)
response := session.MakeRequest(t, request, http.StatusOK)
var body api.SearchResults
@@ -214,8 +216,8 @@ func TestAPIOrgRepos(t *testing.T) {
sourceOrg := models.AssertExistsAndLoadBean(t, &models.User{ID: 3}).(*models.User)
// Login as User2.
session := loginUser(t, user.Name)
-
- req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", sourceOrg.Name)
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
resp := session.MakeRequest(t, req, http.StatusOK)
var apiRepos []*api.Repository
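Review bot: `"/api/v1/orgs/%s/repos?token="+token` splices the token into the format string passed to NewRequestf, so any `%` in the token value would be interpreted as a verb instead of being sent as data; it belongs in the argument list, `req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", sourceOrg.Name, token)`. The same pattern appears in the TestAPIGetRepoByIDUnauthorized hunk (`NewRequestf` with a non-constant format and no arguments) and in the fmt.Sprintf call in the TestAPIOrgRepoCreate hunk. Tokens are presumably hex here so this passes today, but newer go vet printf checks flag non-constant format strings, and passing `url.QueryEscape(token)` as the argument would make the intent explicit.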
@@ -231,9 +233,10 @@ func TestAPIOrgRepos(t *testing.T) {
func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
prepareTestEnv(t)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
- sess := loginUser(t, user.Name)
- req := NewRequestf(t, "GET", "/api/v1/repositories/2")
- sess.MakeRequest(t, req, http.StatusNotFound)
+ session := loginUser(t, user.Name)
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestf(t, "GET", "/api/v1/repositories/2?token="+token)
+ session.MakeRequest(t, req, http.StatusNotFound)
}
func TestAPIRepoMigrate(t *testing.T) {
@@ -253,8 +256,8 @@ func TestAPIRepoMigrate(t *testing.T) {
for _, testCase := range testCases {
user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
session := loginUser(t, user.Name)
-
- req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOption{
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOption{
CloneAddr: testCase.cloneURL,
UID: int(testCase.userID),
RepoName: testCase.repoName,
@@ -278,8 +281,8 @@ func TestAPIOrgRepoCreate(t *testing.T) {
for _, testCase := range testCases {
user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
session := loginUser(t, user.Name)
-
- req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos", testCase.orgName), &api.CreateRepoOption{
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos?token="+token, testCase.orgName), &api.CreateRepoOption{
Name: testCase.repoName,
})
session.MakeRequest(t, req, testCase.expectedStatus)