diff options
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/integration/api_token_test.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go index 1c63d07f22..a713922982 100644 --- a/tests/integration/api_token_test.go +++ b/tests/integration/api_token_test.go @@ -40,6 +40,29 @@ func TestAPIDeleteMissingToken(t *testing.T) { MakeRequest(t, req, http.StatusNotFound) } +// TestAPIGetTokensPermission ensures that only the admin can get tokens from other users +func TestAPIGetTokensPermission(t *testing.T) { + defer tests.PrepareTestEnv(t)() + + // admin can get tokens for other users + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) + req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens") + req = AddBasicAuthHeader(req, user.Name) + MakeRequest(t, req, http.StatusOK) + + // non-admin can get tokens for himself + user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) + req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens") + req = AddBasicAuthHeader(req, user.Name) + MakeRequest(t, req, http.StatusOK) + + // non-admin can't get tokens for other users + user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4}) + req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens") + req = AddBasicAuthHeader(req, user.Name) + MakeRequest(t, req, http.StatusForbidden) +} + type permission struct { category auth_model.AccessTokenScopeCategory level auth_model.AccessTokenScopeLevel |