Fix token endpoints ignore specified account (#27080)

Fix #26234
close #26323
close #27040

---------

Co-authored-by: silverwind <me@silverwind.io>

1 files changed, 23 insertions, 0 deletions

diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
index 1c63d07f22..a713922982 100644
--- a/tests/integration/api_token_test.go
+++ b/tests/integration/api_token_test.go
@@ -40,6 +40,29 @@ func TestAPIDeleteMissingToken(t *testing.T) {
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
+// TestAPIGetTokensPermission ensures that only the admin can get tokens from other users
+func TestAPIGetTokensPermission(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// admin can get tokens for other users
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusOK)
+
+	// non-admin can get tokens for himself
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusOK)
+
+	// non-admin can't get tokens for other users
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusForbidden)
+}
+
 type permission struct {
 	category auth_model.AccessTokenScopeCategory
 	level    auth_model.AccessTokenScopeLevel