author6543 <6543@obermui.de>2020-01-02 22:27:31 +0100
committerLauris BH <lauris@nix.lv>2020-01-02 23:27:31 +0200
commit134e3fdf3d271f1015d062c74d55e3f28f7825d6 (patch)
tree94dc46638e5d47d4ac0a4641bdad34d5f5512bfe /routers
parentb3c5b4b0d12ae42d10cb677deb9abdef6b044166 (diff)
[API] dont reqToken on GetReactions (fix #9543) (#9548)
* dont reqToken on GetReactions * ctx.Repo.CanWrite has ctx.User.IsAdmin in It Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'routers')
-rw-r--r--routers/api/v1/api.go12
-rw-r--r--routers/api/v1/repo/issue_reaction.go8
2 files changed, 10 insertions, 10 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0bb5320b16..e4288f40f6 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -664,10 +664,10 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Combo("", reqToken()).
Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
Delete(repo.DeleteIssueComment)
- m.Combo("/reactions", reqToken()).
+ m.Combo("/reactions").
Get(repo.GetIssueCommentReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
+ Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).
+ Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)
})
})
m.Group("/:index", func() {
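Review bot: On the new `Post` and `Delete` lines, `bind(api.EditReactionOption{})` is listed before `reqToken()`, so if macaron runs handlers in the order given, the request body is parsed and validated before the token check. An unauthenticated caller would then receive binding errors instead of the token rejection, and the server does body work for requests it is about to refuse. Putting the check first keeps the pre-commit order: `Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction)`, and likewise for `Delete`. The second hunk of this file (the `/reactions` combo on issues, at -704) has the same ordering. RegisterRoutes starts and ends outside the hunk.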
@@ -704,10 +704,10 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Put("/:user", reqToken(), repo.AddIssueSubscription)
m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
})
- m.Combo("/reactions", reqToken()).
+ m.Combo("/reactions").
Get(repo.GetIssueReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
+ Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).
+ Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)
})
}, mustEnableIssuesOrPulls)
m.Group("/labels", func() {
diff --git a/routers/api/v1/repo/issue_reaction.go b/routers/api/v1/repo/issue_reaction.go
index bbc767cc99..d612b20d7e 100644
--- a/routers/api/v1/repo/issue_reaction.go
+++ b/routers/api/v1/repo/issue_reaction.go
@@ -55,7 +55,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
return
}
- if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if !ctx.Repo.CanRead(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
return
}
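Review bot: With `reqToken()` removed from the GET route, the `CanRead` test here is the only access gate a caller without a token meets in this handler, and nothing in the code says so. A short comment above the `if` would keep a later edit from re-adding a `ctx.User` dereference, which would presumably be nil for such a request: `// reachable without a token: ctx.User may be nil, CanRead is the only gate`. The same comment fits GetIssueReactions in the hunk at -261. The function body starts and ends outside the hunk.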
@@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
}
- if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return
}
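Review bot: The `ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)` branch in the context lines closes without a `return`, so after a failed load the function continues to `comment.Issue.IsLocked`. If `comment.Issue` is unset at that point this would panic, and a second response may be written either way. Adding `return` after that `ctx.Error` call fixes it. The opening `if` of that branch is outside the hunk, so confirm against the full function.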
@@ -261,7 +261,7 @@ func GetIssueReactions(ctx *context.APIContext) {
return
}
- if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if !ctx.Repo.CanRead(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
return
}
@@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
return
}
- if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
return
}
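Review bot: The 403 in changeIssueReaction is reported under the title `"ChangeIssueCommentReaction"`, which is the comment handler's label and looks copied from it. Using the issue handler's own name keeps API errors and logs pointing at the right code path: `ctx.Error(http.StatusForbidden, "ChangeIssueReaction", errors.New("no permission to change reaction"))`. The function body starts and ends outside the hunk.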