From 5e360241053f6fcfb7f8b89373cba431adaf44ce Mon Sep 17 00:00:00 2001
From: John Olheiser
Date: Wed, 26 Apr 2023 19:24:03 -0500
Subject: Require repo scope for PATs for private repos and basic authentication (#24362)
> The scoped token PR just checked all API routes but in fact, some web routes like `LFS`, git `HTTP`, container, and attachments supports basic auth. This PR added scoped token check for them.
---------
Signed-off-by: jolheiser
Co-authored-by: Lunny Xiao
---
 tests/integration/api_packages_npm_test.go | 3 ++-
 tests/integration/api_packages_nuget_test.go | 3 ++-
 tests/integration/api_packages_pub_test.go | 3 ++-
 tests/integration/api_packages_vagrant_test.go | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'tests')
diff --git a/tests/integration/api_packages_npm_test.go b/tests/integration/api_packages_npm_test.go
index 28c14fb3b8..78389b5740 100644
--- a/tests/integration/api_packages_npm_test.go
+++ b/tests/integration/api_packages_npm_test.go
@@ -11,6 +11,7 @@ import (
 "strings"
 "testing"
+ auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/models/unittest"
@@ -27,7 +28,7 @@ func TestPackageNpm(t *testing.T) {
 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
- token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name)))
+ token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name), auth_model.AccessTokenScopePackage))
 packageName := "@scope/test-package"
 packageVersion := "1.0.1-pre"
diff --git a/tests/integration/api_packages_nuget_test.go b/tests/integration/api_packages_nuget_test.go
index a74d696f03..2240d2a5d4 100644
--- a/tests/integration/api_packages_nuget_test.go
+++ b/tests/integration/api_packages_nuget_test.go
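Review bot: No test here shows that a token lacking the package scope is refused. The changed `token :=` line in TestPackageNpm, and the matching lines in TestPackageNuGet, TestPackagePub and TestPackageVagrant, only ever create a token carrying `auth_model.AccessTokenScopePackage`, so these tests would still pass if the scope check on the package routes were dropped. A negative case would pin the enforcement: create a second token without that scope, for example `unscoped := getUserToken(t, user.Name)` (assuming the helper still accepts an empty scope list), and assert that an upload with it is rejected. The test bodies continue outside these hunks and the view is limited to 'tests', so such a case may already exist elsewhere.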
@@ -16,6 +16,7 @@ import (
 "testing"
 "time"
+ auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/models/unittest"
@@ -74,7 +75,7 @@ func TestPackageNuGet(t *testing.T) {
 }
 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
- token := getUserToken(t, user.Name)
+ token := getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
 packageName := "test.package"
 packageVersion := "1.0.3"
diff --git a/tests/integration/api_packages_pub_test.go b/tests/integration/api_packages_pub_test.go
index 4d4ce12402..5c1cc6052f 100644
--- a/tests/integration/api_packages_pub_test.go
+++ b/tests/integration/api_packages_pub_test.go
@@ -15,6 +15,7 @@ import (
 "testing"
 "time"
+ auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/models/unittest"
@@ -30,7 +31,7 @@ func TestPackagePub(t *testing.T) {
 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
- token := "Bearer " + getUserToken(t, user.Name)
+ token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
 packageName := "test_package"
 packageVersion := "1.0.1"
diff --git a/tests/integration/api_packages_vagrant_test.go b/tests/integration/api_packages_vagrant_test.go
index b4f04b0c89..b28bfca6f0 100644
--- a/tests/integration/api_packages_vagrant_test.go
+++ b/tests/integration/api_packages_vagrant_test.go
@@ -12,6 +12,7 @@ import (
 "strings"
 "testing"
+ auth_model "code.gitea.io/gitea/models/auth"
 "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/models/packages"
 "code.gitea.io/gitea/models/unittest"
@@ -27,7 +28,7 @@ func TestPackageVagrant(t *testing.T) {
 defer tests.PrepareTestEnv(t)()
 user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
- token := "Bearer " + getUserToken(t, user.Name)
+ token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
 packageName := "test_package"
 packageVersion := "1.0.1"
-- cgit v1.2.3