author | Giteabot <teabot@gitea.io> | 2023-11-17 12:24:16 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-17 12:24:16 +0800 |
commit | 93ede4bc83ccb231b9ca67041318a0811d1d34dd (patch) | |
tree | 0d8e08679829c0e64be64712e70ac5a89363b0c0 /routers | |
parent | 9f63d27ec4041897bb393a5f132af609a4988bf2 (diff) | |
download | gitea-93ede4bc83ccb231b9ca67041318a0811d1d34dd.tar.gz gitea-93ede4bc83ccb231b9ca67041318a0811d1d34dd.zip |
Fix permissions for Token DELETE endpoint to match GET and POST (#27610) (#28099)
Backport #27610 by @evantobin
Fixes #27598
In #27080, the logic for the tokens endpoints was updated to allow
admins to create and view tokens in other accounts. However, the same
functionality was not added to the DELETE endpoint. This PR makes the
DELETE endpoint function the same as the other token endpoints and adds
unit tests.
Co-authored-by: Evan Tobin <me@evantob.in>
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/user/app.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go index 6972931abc..cdec69be57 100644 --- a/routers/api/v1/user/app.go +++ b/routers/api/v1/user/app.go @@ -193,7 +193,7 @@ func DeleteAccessToken(ctx *context.APIContext) { return } - if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.Doer.ID); err != nil { + if err := auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.ContextUser.ID); err != nil { if auth_model.IsErrAccessTokenNotExist(err) { ctx.NotFound() } else { |
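Review bot: The changed call in `DeleteAccessToken` now scopes the delete to `ctx.ContextUser.ID`, but nothing in this hunk checks that `ctx.Doer` is allowed to act on `ctx.ContextUser`, so the handler depends entirely on whatever the route does before it runs. Please confirm that the route for this endpoint rejects a request where the doer is neither the context user nor an admin, and that `ctx.ContextUser` is always populated before `.ID` is dereferenced here. A short comment above `auth_model.DeleteAccessTokenByID(ctx, tokenID, ctx.ContextUser.ID)` stating where that check lives would keep a later refactor from turning this into a cross-account token deletion. The commit message mentions unit tests, but the diffstat is limited to 'routers', so they are not visible here; they should include a negative case in which a non-admin targets another user's token and the token is still present afterwards.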