author | B-OnTheGo <42626718+beeonthego@users.noreply.github.com> | 2018-09-11 02:15:52 +1000 |
---|---|---|
committer | techknowlogick <techknowlogick@users.noreply.github.com> | 2018-09-10 12:15:52 -0400 |
commit | e47df0b301510a49b49fc43266f436b7d58a02b1 (patch) | |
tree | acc014c8e82a3b75754c9969f078b25579a523e9 /integrations/api_repo_test.go | |
parent | 387a4b09c1b62a2a5eb70b89559d5ae53032c989 (diff) | |
Enforce token on api routes [fixed critical security issue #4357] (#4840)
Diffstat (limited to 'integrations/api_repo_test.go')
-rw-r--r-- | integrations/api_repo_test.go | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/integrations/api_repo_test.go b/integrations/api_repo_test.go
index 5dc2f88cb9..3fa2ae21dc 100644
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -76,7 +76,7 @@ func TestAPISearchRepo(t *testing.T) {
 user: {count: 10},
 user2: {count: 10}},
 },
- {name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search", expectedResults: expectedResults{
+ {name: "RepositoriesDefaultMax10", requestURL: "/api/v1/repos/search?default", expectedResults: expectedResults{
 nil: {count: 10},
 user: {count: 10},
 user2: {count: 10}},
@@ -143,9 +143,11 @@ func TestAPISearchRepo(t *testing.T) {
 var session *TestSession
 var testName string
 var userID int64
+ var token string
 if userToLogin != nil && userToLogin.ID > 0 {
 testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
 session = loginUser(t, userToLogin.Name)
+ token = getTokenForLoggedInUser(t, session)
 userID = userToLogin.ID
 } else {
 testName = "AnonymousUser"
@@ -153,7 +155,7 @@ func TestAPISearchRepo(t *testing.T) {
 }
 
 t.Run(testName, func(t *testing.T) {
- request := NewRequest(t, "GET", testCase.requestURL)
+ request := NewRequest(t, "GET", testCase.requestURL+"&token="+token)
 response := session.MakeRequest(t, request, http.StatusOK)
 
 var body api.SearchResults
@@ -214,8 +216,8 @@ func TestAPIOrgRepos(t *testing.T) {
 sourceOrg := models.AssertExistsAndLoadBean(t, &models.User{ID: 3}).(*models.User)
 // Login as User2.
 session := loginUser(t, user.Name)
-
- req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", sourceOrg.Name)
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
 resp := session.MakeRequest(t, req, http.StatusOK)
 
 var apiRepos []*api.Repository
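Review bot: The URL on the `+ request := NewRequest(t, "GET", testCase.requestURL+"&token="+token)` line is assembled by concatenating `&token=`, which only parses because the -76 hunk adds a dummy `?default` query parameter to the one test case that had no query string, and in the AnonymousUser branch it sends `&token=` with an empty value instead of omitting the parameter. That couples every future search case to carrying a `?`, and the anonymous case now exercises "empty token present" rather than "no token", which may be a different path in the enforcement middleware than a request with no token at all. Building the query with `net/url` removes the dummy parameter, escapes the token, and keeps the anonymous request token-free. TestAPISearchRepo starts and ends outside the hunk.
```go
// withToken returns rawURL with token added as a query parameter; an
// empty token (anonymous case) leaves the URL untouched.
func withToken(t *testing.T, rawURL, token string) string {
	if token == "" {
		return rawURL
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		t.Fatalf("parsing %q: %v", rawURL, err)
	}
	q := u.Query()
	q.Set("token", token)
	u.RawQuery = q.Encode()
	return u.String()
}
// … unchanged: test-case table and login/anonymous setup …
request := NewRequest(t, "GET", withToken(t, testCase.requestURL, token))
```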
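Review bot: On the `+ req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)` line the token value is spliced into the format string instead of being passed as an argument, so any `%` in the value would be read as a verb by the underlying Sprintf; the same pattern appears in the -231 hunk and, in an explicit fmt.Sprintf, in the -278 hunk. It works today only because the token is server-generated, but data belongs in the argument list: `req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", sourceOrg.Name, token)`. A short comment on the token variable noting that query-string tokens may be recorded in request logs of the test instance would help keep the pattern confined to fixtures. TestAPIOrgRepos starts and ends outside the hunk.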
@@ -231,9 +233,10 @@ func TestAPIOrgRepos(t *testing.T) {
 func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
 prepareTestEnv(t)
 user := models.AssertExistsAndLoadBean(t, &models.User{ID: 4}).(*models.User)
- sess := loginUser(t, user.Name)
- req := NewRequestf(t, "GET", "/api/v1/repositories/2")
- sess.MakeRequest(t, req, http.StatusNotFound)
+ session := loginUser(t, user.Name)
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestf(t, "GET", "/api/v1/repositories/2?token="+token)
+ session.MakeRequest(t, req, http.StatusNotFound)
 }
 
 func TestAPIRepoMigrate(t *testing.T) {
@@ -253,8 +256,8 @@ func TestAPIRepoMigrate(t *testing.T) {
 for _, testCase := range testCases {
 user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
 session := loginUser(t, user.Name)
-
- req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate", &api.MigrateRepoOption{
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOption{
 CloneAddr: testCase.cloneURL,
 UID: int(testCase.userID),
 RepoName: testCase.repoName,
@@ -278,8 +281,8 @@ func TestAPIOrgRepoCreate(t *testing.T) {
 for _, testCase := range testCases {
 user := models.AssertExistsAndLoadBean(t, &models.User{ID: testCase.ctxUserID}).(*models.User)
 session := loginUser(t, user.Name)
-
- req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos", testCase.orgName), &api.CreateRepoOption{
+ token := getTokenForLoggedInUser(t, session)
+ req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos?token="+token, testCase.orgName), &api.CreateRepoOption{
 Name: testCase.repoName,
 })
 session.MakeRequest(t, req, testCase.expectedStatus)
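Review bot: TestAPIGetRepoByIDUnauthorized still only exercises the authenticated path — a logged-in user with a valid token receiving 404 — and none of the hunks on this page adds the negative case the commit title describes: the same session-cookie request with no `token` parameter being rejected. For a security fix that is the assertion most worth having, since the existing tests were only adjusted to keep passing and would not catch the enforcement being removed again. After the existing assertion, `reqNoToken := NewRequestf(t, "GET", "/api/v1/repositories/2")` followed by `session.MakeRequest(t, reqNoToken, http.StatusUnauthorized)` would pin it; the exact status the middleware returns for a missing token is not visible here, so confirm it against the router change. The enclosing function lies wholly inside the hunk; TestAPIRepoMigrate's body continues outside it.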