From e9f50676535216b74a467fab4623daf6d0c39fce Mon Sep 17 00:00:00 2001 From: JakobDev Date: Tue, 5 Sep 2023 16:43:34 +0200 Subject: Add missing `reqToken()` to notifications endpoints (#26914) They currently throw a Internal Server Error when you use them without a token. Now they correctly return a `token is required` error. This is no security issue. If you use this endpoints with a token that don't have the correct permission, you get the correct error. This is not affected by this PR. --- tests/integration/api_notification_test.go | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'tests') diff --git a/tests/integration/api_notification_test.go b/tests/integration/api_notification_test.go index 52d6e6d84a..222b2c2e07 100644 --- a/tests/integration/api_notification_test.go +++ b/tests/integration/api_notification_test.go @@ -30,6 +30,8 @@ func TestAPINotification(t *testing.T) { session := loginUser(t, user2.Name) token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository) + MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications"), http.StatusUnauthorized) + // -- GET /notifications -- // test filter since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 @@ -80,6 +82,8 @@ func TestAPINotification(t *testing.T) { assert.False(t, apiNL[1].Unread) assert.True(t, apiNL[1].Pinned) + MakeRequest(t, NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d", 1)), http.StatusUnauthorized) + // -- GET /notifications/threads/{id} -- // get forbidden req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications/threads/%d?token=%s", 1, token)) @@ -99,6 +103,8 @@ func TestAPINotification(t *testing.T) { assert.EqualValues(t, thread5.Issue.APIURL(), apiN.Subject.URL) assert.EqualValues(t, thread5.Repository.HTMLURL(), apiN.Repository.HTMLURL) + MakeRequest(t, NewRequest(t, "GET", "/api/v1/notifications/new"), http.StatusUnauthorized) + new := struct { New int64 `json:"new"` }{} -- cgit v1.2.3