author | 6543 <6543@obermui.de> | 2020-01-02 22:27:31 +0100 |
---|---|---|
committer | Lauris BH <lauris@nix.lv> | 2020-01-02 23:27:31 +0200 |
commit | 134e3fdf3d271f1015d062c74d55e3f28f7825d6 (patch) | |
tree | 94dc46638e5d47d4ac0a4641bdad34d5f5512bfe /routers | |
parent | b3c5b4b0d12ae42d10cb677deb9abdef6b044166 (diff) | |
download | gitea-134e3fdf3d271f1015d062c74d55e3f28f7825d6.tar.gz gitea-134e3fdf3d271f1015d062c74d55e3f28f7825d6.zip |
[API] dont reqToken on GetReactions (fix #9543) (#9548)
* dont reqToken on GetReactions
* ctx.Repo.CanWrite has ctx.User.IsAdmin in It
Co-authored-by: Lauris BH <lauris@nix.lv>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/api.go | 12 | ||||
-rw-r--r-- | routers/api/v1/repo/issue_reaction.go | 8 |
2 files changed, 10 insertions, 10 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0bb5320b16..e4288f40f6 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -664,10 +664,10 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Combo("", reqToken()).
 Patch(mustNotBeArchived, bind(api.EditIssueCommentOption{}), repo.EditIssueComment).
 Delete(repo.DeleteIssueComment)
- m.Combo("/reactions", reqToken()).
+ m.Combo("/reactions").
 Get(repo.GetIssueCommentReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)
+ Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).
+ Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)
 })
 })
 m.Group("/:index", func() {
@@ -704,10 +704,10 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Put("/:user", reqToken(), repo.AddIssueSubscription)
 m.Delete("/:user", reqToken(), repo.DelIssueSubscription)
 })
- m.Combo("/reactions", reqToken()).
+ m.Combo("/reactions").
 Get(repo.GetIssueReactions).
- Post(bind(api.EditReactionOption{}), repo.PostIssueReaction).
- Delete(bind(api.EditReactionOption{}), repo.DeleteIssueReaction)
+ Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).
+ Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)
 })
 }, mustEnableIssuesOrPulls)
 m.Group("/labels", func() {
diff --git a/routers/api/v1/repo/issue_reaction.go b/routers/api/v1/repo/issue_reaction.go
index bbc767cc99..d612b20d7e 100644
--- a/routers/api/v1/repo/issue_reaction.go
+++ b/routers/api/v1/repo/issue_reaction.go
@@ -55,7 +55,7 @@ func GetIssueCommentReactions(ctx *context.APIContext) {
 return
 }
- if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if !ctx.Repo.CanRead(models.UnitTypeIssues) {
 ctx.Error(http.StatusForbidden, "GetIssueCommentReactions", errors.New("no permission to get reactions"))
 return
 }
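Review bot: In the new `Post(...)` and `Delete(...)` chains of the comment-reactions route, `bind(api.EditReactionOption{})` is listed before `reqToken()`, so if the handlers run in the order given, the request body is parsed and validated for callers who have not yet presented a token. Elsewhere in this hunk the token check comes first (`m.Combo("", reqToken())`), and the same order here keeps unauthenticated input away from the binder: `Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).`, and likewise for `Delete`. The hunk at -704 has the same ordering for the issue-reactions route.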
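Review bot: The `CanRead` check in GetIssueCommentReactions is now the only gate on an endpoint that no longer requires a token, and nothing at that line records that `ctx.User` can be nil here or why the admin clause could be dropped. A short comment above the `if` would capture it, for example `// no reqToken on this route: ctx.User may be nil; CanRead already accounts for site admins` (the second half rests on the commit message, not on code visible in the hunk). Because the check is scoped to `ctx.Repo`, it is also worth confirming that the comment loaded above the hunk is verified to belong to that repository; that lookup is not visible here. The same comment applies to the hunk at -261 in GetIssueReactions.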
@@ -179,7 +179,7 @@ func changeIssueCommentReaction(ctx *context.APIContext, form api.EditReactionOp
 ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)
 }
- if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if comment.Issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
 ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
 return
 }
@@ -261,7 +261,7 @@ func GetIssueReactions(ctx *context.APIContext) {
 return
 }
- if !ctx.Repo.CanRead(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if !ctx.Repo.CanRead(models.UnitTypeIssues) {
 ctx.Error(http.StatusForbidden, "GetIssueReactions", errors.New("no permission to get reactions"))
 return
 }
@@ -380,7 +380,7 @@ func changeIssueReaction(ctx *context.APIContext, form api.EditReactionOption, i
 return
 }
- if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) && !ctx.User.IsAdmin {
+ if issue.IsLocked && !ctx.Repo.CanWrite(models.UnitTypeIssues) {
 ctx.Error(http.StatusForbidden, "ChangeIssueCommentReaction", errors.New("no permission to change reaction"))
 return
 }
 |
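Review bot: The error branch just above the changed line in changeIssueCommentReaction writes a 500 with `ctx.Error(http.StatusInternalServerError, "comment.LoadIssue() failed", err)` and then closes without a `return`, so execution falls through to the lock check. After a failed load, `comment.Issue` may be unset, and the `comment.Issue.IsLocked` read could then panic or the handler could go on to change the reaction after already reporting an error. Adding `return` on the line after that `ctx.Error` call closes the gap. The opening of the branch is outside the hunk, so this assumes it is the usual `if err != nil {` guard.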
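Review bot: The 403 in changeIssueReaction is reported under the title `"ChangeIssueCommentReaction"`, the name of the sibling comment handler, which will mislead anyone tracing a denied request wherever `ctx.Error` surfaces that title. The line is unchanged context, but it sits directly under the edited permission check and is cheap to correct in the same pass: `ctx.Error(http.StatusForbidden, "ChangeIssueReaction", errors.New("no permission to change reaction"))`. The rest of the function is outside the hunk.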