Redesign Scoped Access Tokens (#24767)
## Changes - Adds the following high level access scopes, each with `read` and `write` levels: - `activitypub` - `admin` (hidden if user is not a site admin) - `misc` - `notification` - `organization` - `package` - `issue` - `repository` - `user` - Adds new middleware function `tokenRequiresScopes()` in addition to `reqToken()` - `tokenRequiresScopes()` is used for each high-level api section - _if_ a scoped token is present, checks that the required scope is included based on the section and HTTP method - `reqToken()` is used for individual routes - checks that required authentication is present (but does not check scope levels as this will already have been handled by `tokenRequiresScopes()` - Adds migration to convert old scoped access tokens to the new set of scopes - Updates the user interface for scope selection ### User interface example <img width="903" alt="Screen Shot 2023-05-31 at 1 56 55 PM" src="https://github.com/go-gitea/gitea/assets/23248839/654766ec-2143-4f59-9037-3b51600e32f3"> <img width="917" alt="Screen Shot 2023-05-31 at 1 56 43 PM" src="https://github.com/go-gitea/gitea/assets/23248839/1ad64081-012c-4a73-b393-66b30352654c"> ## tokenRequiresScopes Design Decision - `tokenRequiresScopes()` was added to more reliably cover api routes. For an incoming request, this function uses the given scope category (say `AccessTokenScopeCategoryOrganization`) and the HTTP method (say `DELETE`) and verifies that any scoped tokens in use include `delete:organization`. - `reqToken()` is used to enforce auth for individual routes that require it. If a scoped token is not present for a request, `tokenRequiresScopes()` will not return an error ## TODO - [x] Alphabetize scope categories - [x] Change 'public repos only' to a radio button (private vs public). Also expand this to organizations - [X] Disable token creation if no scopes selected. Alternatively, show warning - [x] `reqToken()` is missing from many `POST/DELETE` routes in the api. 
`tokenRequiresScopes()` only checks that a given token has the correct scope, `reqToken()` must be used to check that a token (or some other auth) is present. - _This should be addressed in this PR_ - [x] The migration should be reviewed very carefully in order to minimize access changes to existing user tokens. - _This should be addressed in this PR_ - [x] Link to api to swagger documentation, clarify what read/write/delete levels correspond to - [x] Review cases where more than one scope is needed as this directly deviates from the api definition. - _This should be addressed in this PR_ - For example: ```go m.Group("/users/{username}/orgs", func() { m.Get("", reqToken(), org.ListUserOrgs) m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions) }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context_service.UserAssignmentAPI()) ``` ## Future improvements - [ ] Add required scopes to swagger documentation - [ ] Redesign `reqToken()` to be opt-out rather than opt-in - [ ] Subdivide scopes like `repository` - [ ] Once a token is created, if it has no scopes, we should display text instead of an empty bullet point - [ ] If the 'public repos only' option is selected, should read categories be selected by default Closes #24501 Closes #24799 Co-authored-by: Jonathan Tran <jon@allspice.io> Co-authored-by: Kyle D <kdumontnu@gmail.com> Co-authored-by: silverwind <me@silverwind.io>
@ -21,7 +21,7 @@ import (
|
||||
func TestAPIAdminOrgCreate(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeSudo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)
|
||||
|
||||
org := api.CreateOrgOption{
|
||||
UserName: "user2_org",
|
||||
@ -55,7 +55,7 @@ func TestAPIAdminOrgCreate(t *testing.T) {
|
||||
func TestAPIAdminOrgCreateBadVisibility(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeSudo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)
|
||||
|
||||
org := api.CreateOrgOption{
|
||||
UserName: "user2_org",
|
||||
|
@ -25,7 +25,7 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
|
||||
session := loginUser(t, "user1")
|
||||
keyOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
|
||||
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeSudo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
"key": "ssh-rsa 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 nocomment\n",
|
||||
@ -52,7 +52,7 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
// user1 is an admin user
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteAdmin)
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", unittest.NonexistentID, token)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
}
|
||||
@ -61,7 +61,7 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
normalUsername := "user2"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
@ -82,7 +82,7 @@ func TestAPISudoUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
normalUsername := "user2"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
|
||||
req := NewRequest(t, "GET", urlStr)
|
||||
@ -98,7 +98,7 @@ func TestAPISudoUserForbidden(t *testing.T) {
|
||||
adminUsername := "user1"
|
||||
normalUsername := "user2"
|
||||
|
||||
token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadAdmin)
|
||||
urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
|
||||
req := NewRequest(t, "GET", urlStr)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
@ -107,7 +107,7 @@ func TestAPISudoUserForbidden(t *testing.T) {
|
||||
func TestAPIListUsers(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
|
||||
req := NewRequest(t, "GET", urlStr)
|
||||
@ -143,7 +143,7 @@ func TestAPIListUsersNonAdmin(t *testing.T) {
|
||||
func TestAPICreateUserInvalidEmail(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
"email": "invalid_email@domain.com\r\n",
|
||||
@ -161,7 +161,7 @@ func TestAPICreateUserInvalidEmail(t *testing.T) {
|
||||
func TestAPICreateAndDeleteUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
|
||||
req := NewRequestWithValues(
|
||||
t,
|
||||
@ -187,7 +187,7 @@ func TestAPICreateAndDeleteUser(t *testing.T) {
|
||||
func TestAPIEditUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users/%s?token=%s", "user2", token)
|
||||
|
||||
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
|
||||
@ -229,7 +229,7 @@ func TestAPIEditUser(t *testing.T) {
|
||||
func TestAPICreateRepoForUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
|
||||
req := NewRequestWithJSON(
|
||||
t,
|
||||
@ -245,7 +245,7 @@ func TestAPICreateRepoForUser(t *testing.T) {
|
||||
func TestAPIRenameUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeSudo)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)
|
||||
urlStr := fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "user2", token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
// required
|
||||
|
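Review bot: TestAPISudoUser now exercises `sudo=` with a token scoped only to `read:user` (`token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadUser)`), where it previously needed the dedicated `sudo` scope, so impersonating another user is no longer tied to a distinct opt-in scope and the test does not pin which scopes gate it. TestAPISudoUserForbidden only covers a non-admin caller, not an admin whose token lacks the user scope; a case such as `token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)` expecting `http.StatusForbidden` on `/api/v1/user?sudo=` would document the intended boundary. Whether `read:user` alone is meant to be sufficient for sudo is not visible in the hunk and is worth confirming against the middleware. TestAPISudoUser's body starts outside the hunk.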
@ -16,7 +16,7 @@ import (
|
||||
)
|
||||
|
||||
func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
|
||||
resp := MakeRequest(t, req, NoExpectedStatus)
|
||||
if !exists {
|
||||
@ -32,7 +32,7 @@ func testAPIGetBranch(t *testing.T, branchName string, exists bool) {
|
||||
}
|
||||
|
||||
func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
|
||||
resp := MakeRequest(t, req, expectedHTTPStatus)
|
||||
|
||||
@ -44,7 +44,7 @@ func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPSta
|
||||
}
|
||||
|
||||
func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections?token="+token, &api.BranchProtection{
|
||||
RuleName: branchName,
|
||||
})
|
||||
@ -58,7 +58,7 @@ func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTP
|
||||
}
|
||||
|
||||
func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.BranchProtection, expectedHTTPStatus int) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, "PATCH", "/api/v1/repos/user2/repo1/branch_protections/"+branchName+"?token="+token, body)
|
||||
resp := MakeRequest(t, req, expectedHTTPStatus)
|
||||
|
||||
@ -70,13 +70,13 @@ func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.Bran
|
||||
}
|
||||
|
||||
func testAPIDeleteBranchProtection(t *testing.T, branchName string, expectedHTTPStatus int) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
|
||||
MakeRequest(t, req, expectedHTTPStatus)
|
||||
}
|
||||
|
||||
func testAPIDeleteBranch(t *testing.T, branchName string, expectedHTTPStatus int) {
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/user2/repo1/branches/%s?token=%s", branchName, token)
|
||||
MakeRequest(t, req, expectedHTTPStatus)
|
||||
}
|
||||
@ -102,7 +102,7 @@ func TestAPICreateBranch(t *testing.T) {
|
||||
|
||||
func testAPICreateBranches(t *testing.T, giteaURL *url.URL) {
|
||||
username := "user2"
|
||||
ctx := NewAPITestContext(t, username, "my-noo-repo", auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, username, "my-noo-repo", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
giteaURL.Path = ctx.GitPath()
|
||||
|
||||
t.Run("CreateRepo", doAPICreateRepository(ctx, false))
|
||||
@ -149,7 +149,7 @@ func testAPICreateBranches(t *testing.T, giteaURL *url.URL) {
|
||||
}
|
||||
|
||||
func testAPICreateBranch(t testing.TB, session *TestSession, user, repo, oldBranch, newBranch string, status int) bool {
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/"+user+"/"+repo+"/branches?token="+token, &api.CreateBranchRepoOption{
|
||||
BranchName: newBranch,
|
||||
OldBranchName: oldBranch,
|
||||
|
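Review bot: The context at `ctx := NewAPITestContext(t, username, "my-noo-repo", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)` mints a token with two write scopes, and nothing in the hunk says why `write:user` is needed in a branch test; presumably it is for the `doAPICreateRepository(ctx, false)` step on the following line, which goes through the user API, but that is inferred. A one-line comment such as `// write:user covers the repository creation step; write:repository the branch operations` would keep the next maintainer from widening scopes by copy-paste. testAPICreateBranches continues past the hunk.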
@ -36,8 +36,8 @@ func TestAPIGetCommentAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d", repoOwner.Name, repo.Name, comment.ID, attachment.ID)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
|
||||
session.MakeRequest(t, req, http.StatusOK)
|
||||
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
@ -61,8 +61,9 @@ func TestAPIListCommentAttachments(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets",
|
||||
repoOwner.Name, repo.Name, comment.ID)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
var apiAttachments []*api.Attachment
|
||||
@ -82,7 +83,7 @@ func TestAPICreateCommentAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
|
||||
@ -121,7 +122,7 @@ func TestAPIEditCommentAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
|
||||
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
|
||||
@ -144,7 +145,7 @@ func TestAPIDeleteCommentAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, attachment.ID, token)
|
||||
|
||||
|
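Review bot: In TestAPIGetCommentAttachment the two requests `req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", ...)` and `req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d/assets/%d?token=%s", ...)` are now identical, whereas before the change the first carried no token and so covered session-only access to the endpoint. Either keep the first request without `?token=` so that path stays tested, or drop the duplicate request and its `session.MakeRequest(t, req, http.StatusOK)`. TestAPIGetCommentAttachment starts outside the hunk.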
@ -76,7 +76,7 @@ func TestAPIListIssueComments(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -96,7 +96,7 @@ func TestAPICreateComment(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/comments?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
|
||||
@ -118,7 +118,7 @@ func TestAPIGetComment(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: comment.Issue.RepoID})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeReadIssue)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d", repoOwner.Name, repo.Name, comment.ID)
|
||||
MakeRequest(t, req, http.StatusOK)
|
||||
req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s", repoOwner.Name, repo.Name, comment.ID, token)
|
||||
@ -146,7 +146,7 @@ func TestAPIEditComment(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
|
||||
@ -170,7 +170,7 @@ func TestAPIDeleteComment(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, repoOwner.Name, auth_model.AccessTokenScopeWriteIssue)
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/comments/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, comment.ID, token)
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
|
@ -21,8 +21,8 @@ type makeRequestFunc func(testing.TB, *http.Request, int) *httptest.ResponseReco
|
||||
func TestGPGKeys(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
tokenWithGPGKeyScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminGPGKey, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
tokenWithGPGKeyScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
tt := []struct {
|
||||
name string
|
||||
@ -36,7 +36,7 @@ func TestGPGKeys(t *testing.T) {
|
||||
},
|
||||
{
|
||||
name: "LoggedAsUser2", makeRequest: session.MakeRequest, token: token,
|
||||
results: []int{http.StatusForbidden, http.StatusOK, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden},
|
||||
results: []int{http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden, http.StatusForbidden},
|
||||
},
|
||||
{
|
||||
name: "LoggedAsUser2WithScope", makeRequest: session.MakeRequest, token: tokenWithGPGKeyScope,
|
||||
|
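Review bot: `tokenWithGPGKeyScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)` keeps a name that no longer matches its contents: there is no GPG-key scope any more and the scope that distinguishes it from `token` is `write:user`. Renaming it to `tokenWithUserScope` (and the `token: tokenWithGPGKeyScope` entry in the results table) or adding `// GPG key routes are gated by the user scope after the scope redesign` beside it would make the all-Forbidden row for `LoggedAsUser2` readable without knowing the migration. TestGPGKeys continues past the hunk.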
@ -53,7 +53,7 @@ func TestHTTPSigPubKey(t *testing.T) {
|
||||
// Add our public key to user1
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
session := loginUser(t, "user1")
|
||||
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminPublicKey, auth_model.AccessTokenScopeSudo))
|
||||
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
|
||||
keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
|
||||
keyType := "ssh-rsa"
|
||||
keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqOZB5vkRvXFXups1/0StDRdG8plbNSwsWEnNnP4Bvurxa0+z3W9B8GLKnDiLw5MbpbMNyBlpXw13GfuIeciy10DWTz0xUbiy3J3KabCaT36asIw2y7k6Z0jL0UBnrVENwq5/lUbZYqSZ4rRU744wkhh8TULpzM14npQCZwg6aEbG+MwjzddQ72fR+3BPBrKn5dTmmu8rH99O+U+Nuto81Tg7PA+NUupcHOmhdiEGq49plgVFXK98Vks5tiybL4GuzFyWgyX73Dg/QBMn2eMHt1EMv5Gs3i6GFhKKGo4rjDi9qI6PX5oDR4LTNe6cR8td8YhVD8WFZwLLl/vaYyIqd"
|
||||
@ -69,7 +69,8 @@ func TestHTTPSigPubKey(t *testing.T) {
|
||||
keyID := ssh.FingerprintSHA256(sshSigner.PublicKey())
|
||||
|
||||
// create the request
|
||||
req = NewRequest(t, "GET", "/api/v1/admin/users")
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadAdmin)
|
||||
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/admin/users?token=%s", token))
|
||||
|
||||
signer, _, err := httpsig.NewSSHSigner(sshSigner, httpsig.DigestSha512, []string{httpsig.RequestTarget, "(created)", "(expires)"}, httpsig.Signature, 10)
|
||||
if err != nil {
|
||||
|
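Review bot: The admin-users request at `req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/admin/users?token=%s", token))` now carries an access token in the query string while also being signed with `httpsig.NewSSHSigner` below, so if token authentication is attempted before the signature the assertion can pass without the signature ever being verified, which is the property TestHTTPSigPubKey exists to check; whether the auth order makes that happen is not visible here and should be confirmed. The first token is wrapped in `url.QueryEscape` at `token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))` but the reassigned one is not, so use `token = url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadAdmin))` for consistency. TestHTTPSigPubKey starts before and continues past the hunk.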
@ -32,7 +32,7 @@ func TestAPIGetIssueAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
|
||||
|
||||
@ -53,7 +53,7 @@ func TestAPIListIssueAttachments(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
|
||||
@ -73,7 +73,7 @@ func TestAPICreateIssueAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, token)
|
||||
|
||||
@ -111,7 +111,7 @@ func TestAPIEditIssueAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
|
||||
req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{
|
||||
@ -133,7 +133,7 @@ func TestAPIDeleteIssueAttachment(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/assets/%d?token=%s",
|
||||
repoOwner.Name, repo.Name, issue.Index, attachment.ID, token)
|
||||
|
||||
|
@ -25,7 +25,7 @@ func TestAPIModifyLabels(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 2})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/labels?token=%s", owner.Name, repo.Name, token)
|
||||
|
||||
// CreateLabel
|
||||
@ -97,7 +97,7 @@ func TestAPIAddIssueLabels(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
|
||||
repo.OwnerName, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.IssueLabelsOption{
|
||||
@ -120,7 +120,7 @@ func TestAPIReplaceIssueLabels(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/labels?token=%s",
|
||||
owner.Name, repo.Name, issue.Index, token)
|
||||
req := NewRequestWithJSON(t, "PUT", urlStr, &api.IssueLabelsOption{
|
||||
@ -144,7 +144,7 @@ func TestAPIModifyOrgLabels(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
user := "user1"
|
||||
session := loginUser(t, user)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeAdminOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteOrganization)
|
||||
urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels?token=%s", owner.Name, token)
|
||||
|
||||
// CreateLabel
|
||||
|
@ -29,7 +29,7 @@ func TestAPIIssuesMilestone(t *testing.T) {
|
||||
assert.Equal(t, structs.StateOpen, milestone.State())
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// update values of issue
|
||||
milestoneState := "closed"
|
||||
|
@ -29,7 +29,7 @@ func TestAPIPinIssue(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// Pin the Issue
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
|
||||
@ -56,7 +56,7 @@ func TestAPIUnpinIssue(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// Pin the Issue
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
|
||||
@ -97,7 +97,7 @@ func TestAPIMoveIssuePin(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// Pin the first Issue
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
|
||||
@ -152,7 +152,7 @@ func TestAPIListPinnedIssues(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// Pin the Issue
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/pin?token=%s",
|
||||
|
@ -29,7 +29,7 @@ func TestAPIIssuesReactions(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue.Repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/reactions?token=%s",
|
||||
@ -88,7 +88,7 @@ func TestAPICommentReactions(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue.Repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
user1 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
@ -26,7 +26,7 @@ func TestAPIListStopWatches(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository, auth_model.AccessTokenScopeReadUser)
|
||||
req := NewRequestf(t, "GET", "/api/v1/user/stopwatches?token=%s", token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var apiWatches []*api.StopWatch
|
||||
@ -52,7 +52,7 @@ func TestAPIStopStopWatches(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/stop?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
MakeRequest(t, req, http.StatusCreated)
|
||||
@ -68,7 +68,7 @@ func TestAPICancelStopWatches(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/stopwatch/delete?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
@ -84,7 +84,7 @@ func TestAPIStartStopWatches(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/issues/%d/stopwatch/start?token=%s", owner.Name, issue.Repo.Name, issue.Index, token)
|
||||
MakeRequest(t, req, http.StatusCreated)
|
||||
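Review bot: `TestAPIListStopWatches` mints one token carrying both `AccessTokenScopeReadRepository` and `AccessTokenScopeReadUser` for a single GET of `/api/v1/user/stopwatches`, so the test shows the pair is sufficient but never pins which scope the route actually enforces; a token with only one of them could be accepted or rejected without any test noticing. Minting a second token with `ReadUser` alone and asserting the status the route intends would pin the requirement, and a comment such as `// read:repository is needed as well because stopwatches are resolved per repository — TODO confirm` would explain the pairing to the next reader. The other three hunks in this file use `AccessTokenScopeWriteIssue` for the POST/DELETE stopwatch routes, which reads consistently with the issue section owning those paths.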
|
@ -31,7 +31,7 @@ func TestAPIIssueSubscriptions(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: issue1.PosterID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
testSubscription := func(issue *issues_model.Issue, isWatching bool) {
|
||||
issueRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: issue.RepoID})
|
||||
|
@ -30,7 +30,7 @@ func TestAPIListIssues(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/issues", owner.Name, repo.Name))
|
||||
|
||||
link.RawQuery = url.Values{"token": {token}, "state": {"all"}}.Encode()
|
||||
@ -81,7 +81,7 @@ func TestAPICreateIssue(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repoBefore.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
|
||||
Body: body,
|
||||
@ -117,7 +117,7 @@ func TestAPIEditIssue(t *testing.T) {
|
||||
assert.Equal(t, api.StateOpen, issueBefore.State())
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// update values of issue
|
||||
issueState := "closed"
|
||||
@ -171,7 +171,7 @@ func TestAPIEditIssue(t *testing.T) {
|
||||
func TestAPISearchIssues(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
token := getUserToken(t, "user2")
|
||||
token := getUserToken(t, "user2", auth_model.AccessTokenScopeReadIssue)
|
||||
|
||||
// as this API was used in the frontend, it uses UI page size
|
||||
expectedIssueCount := 16 // from the fixtures
|
||||
@ -180,7 +180,7 @@ func TestAPISearchIssues(t *testing.T) {
|
||||
}
|
||||
|
||||
link, _ := url.Parse("/api/v1/repos/issues/search")
|
||||
query := url.Values{"token": {getUserToken(t, "user1")}}
|
||||
query := url.Values{"token": {getUserToken(t, "user1", auth_model.AccessTokenScopeReadIssue)}}
|
||||
var apiIssues []*api.Issue
|
||||
|
||||
link.RawQuery = query.Encode()
|
||||
@ -278,7 +278,7 @@ func TestAPISearchIssuesWithLabels(t *testing.T) {
|
||||
}
|
||||
|
||||
link, _ := url.Parse("/api/v1/repos/issues/search")
|
||||
query := url.Values{"token": {getUserToken(t, "user1")}}
|
||||
query := url.Values{"token": {getUserToken(t, "user1", auth_model.AccessTokenScopeReadIssue)}}
|
||||
var apiIssues []*api.Issue
|
||||
|
||||
link.RawQuery = query.Encode()
|
||||
|
@ -28,7 +28,7 @@ func TestAPIGetTrackedTimes(t *testing.T) {
|
||||
assert.NoError(t, issue2.LoadRepo(db.DefaultContext))
|
||||
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadIssue)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -71,7 +71,7 @@ func TestAPIDeleteTrackedTime(t *testing.T) {
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
// Deletion not allowed
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/issues/%d/times/%d?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, time6.ID, token)
|
||||
@ -106,7 +106,7 @@ func TestAPIAddTrackedTimes(t *testing.T) {
|
||||
admin := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
session := loginUser(t, admin.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues/%d/times?token=%s", user2.Name, issue2.Repo.Name, issue2.Index, token)
|
||||
|
||||
|
@ -54,7 +54,7 @@ func TestCreateReadOnlyDeployKey(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
|
||||
rawKeyBody := api.CreateKeyOption{
|
||||
Title: "read-only",
|
||||
@ -80,7 +80,7 @@ func TestCreateReadWriteDeployKey(t *testing.T) {
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
keysURL := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", repoOwner.Name, repo.Name, token)
|
||||
rawKeyBody := api.CreateKeyOption{
|
||||
Title: "read-write",
|
||||
@ -104,7 +104,7 @@ func TestCreateUserKey(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user1"})
|
||||
|
||||
session := loginUser(t, "user1")
|
||||
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminPublicKey))
|
||||
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
|
||||
keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
|
||||
keyType := "ssh-rsa"
|
||||
keyContent := "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"
|
||||
@ -168,7 +168,7 @@ func TestCreateUserKey(t *testing.T) {
|
||||
|
||||
// Now login as user 2
|
||||
session2 := loginUser(t, "user2")
|
||||
token2 := url.QueryEscape(getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeAdminPublicKey))
|
||||
token2 := url.QueryEscape(getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteUser))
|
||||
|
||||
// Should find key even though not ours, but we shouldn't know whose it is
|
||||
fingerprintURL = fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%s", token2, newPublicKey.Fingerprint)
|
||||
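Review bot: In `TestCreateUserKey`, `token2` for user2 is minted with `AccessTokenScopeWriteUser` although its only visible use is a GET of `/api/v1/user/keys?fingerprint=` that looks up a key belonging to someone else; a token with `AccessTokenScopeReadUser` would pin that this cross-user lookup is a read-scoped operation and does not require write rights. The same likely applies to the first token at the top of the function if the fingerprint lookups there are reads, but that part of the body is outside the hunk. The replaced `AccessTokenScopeAdminPublicKey` appears narrower than `write:user`, so these tests now run with more privilege than the operations they exercise, and the read/write boundary on the user section goes untested here.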
|
@ -28,7 +28,7 @@ func TestAPINotification(t *testing.T) {
|
||||
thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
|
||||
assert.NoError(t, thread5.LoadAttributes(db.DefaultContext))
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeNotification)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// -- GET /notifications --
|
||||
// test filter
|
||||
@ -146,7 +146,7 @@ func TestAPINotificationPUT(t *testing.T) {
|
||||
thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
|
||||
assert.NoError(t, thread5.LoadAttributes(db.DefaultContext))
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeNotification)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification)
|
||||
|
||||
// Check notifications are as expected
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/notifications?all=true&token=%s", token))
|
||||
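Review bot: `TestAPINotification` pairs `AccessTokenScopeWriteNotification` with `AccessTokenScopeWriteRepository`, while `TestAPINotificationPUT` in the next hunk gets by with `WriteNotification` alone, and nothing in the hunk says which request in the first test needs repository write (the function body continues outside the hunk). A one-line comment at the token line naming that request, for example `// write:repository: a repository-side request further down generates a fresh notification — TODO confirm`, would stop the extra scope from being copied into later tests that only read or mark notifications.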
|
@ -55,7 +55,7 @@ func testAPICreateOAuth2Application(t *testing.T) {
|
||||
func testAPIListOAuth2Applications(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadApplication)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
existApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
|
||||
UID: user.ID,
|
||||
@ -86,7 +86,7 @@ func testAPIListOAuth2Applications(t *testing.T) {
|
||||
func testAPIDeleteOAuth2Application(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteApplication)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
oldApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
|
||||
UID: user.ID,
|
||||
@ -107,7 +107,7 @@ func testAPIDeleteOAuth2Application(t *testing.T) {
|
||||
func testAPIGetOAuth2Application(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadApplication)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
existApp := unittest.AssertExistsAndLoadBean(t, &auth_model.OAuth2Application{
|
||||
UID: user.ID,
|
||||
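Review bot: The OAuth2 application tests now mint tokens with `AccessTokenScopeReadUser`/`AccessTokenScopeWriteUser` in place of the removed `ReadApplication`/`WriteApplication` scopes, so in `testAPIDeleteOAuth2Application` a plain `write:user` token is what deletes an OAuth2 application, presumably along with its client secret. That is a real widening: any token issued for ordinary user writes can now manage OAuth2 clients, and nothing in these hunks documents or tests that this is intended. A comment at the first token line, `// OAuth2 application management is covered by the user scope; there is no narrower application scope`, would record the decision, and these three tests are where a narrower scope should be pinned if one is introduced later.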
|
@ -26,7 +26,7 @@ import (
|
||||
|
||||
func TestAPIOrgCreate(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteOrg)
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteOrganization)
|
||||
|
||||
org := api.CreateOrgOption{
|
||||
UserName: "user1_org",
|
||||
@ -100,7 +100,7 @@ func TestAPIOrgEdit(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
session := loginUser(t, "user1")
|
||||
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
|
||||
org := api.EditOrgOption{
|
||||
FullName: "User3 organization new full name",
|
||||
Description: "A new description",
|
||||
@ -127,7 +127,7 @@ func TestAPIOrgEditBadVisibility(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
session := loginUser(t, "user1")
|
||||
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
|
||||
org := api.EditOrgOption{
|
||||
FullName: "User3 organization new full name",
|
||||
Description: "A new description",
|
||||
@ -162,7 +162,7 @@ func TestAPIOrgDeny(t *testing.T) {
|
||||
func TestAPIGetAll(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
// accessing with a token will return all orgs
|
||||
req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
|
||||
@ -186,7 +186,7 @@ func TestAPIGetAll(t *testing.T) {
|
||||
|
||||
func TestAPIOrgSearchEmptyTeam(t *testing.T) {
|
||||
onGiteaRun(t, func(*testing.T, *url.URL) {
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeAdminOrg)
|
||||
token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteOrganization)
|
||||
orgName := "org_with_empty_team"
|
||||
|
||||
// create org
|
||||
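Review bot: `TestAPIOrgSearchEmptyTeam` drops from `AccessTokenScopeAdminOrg` to `AccessTokenScopeWriteOrganization`, so the admin-level operation this test exercised is now granted by an ordinary write scope; the same collapse appears at `TestAPIGetRawFileOrLFS` (`AccessTokenScopeDeleteRepo` folded into `WriteRepository`) and `TestPackageAPI` (`AccessTokenScopeDeletePackage` folded into `WritePackage`). Since the new model has only read and write levels, a token minted for routine writes silently gains the former delete/admin rights, and none of these tests would fail if that were unintended. A comment at the token line, e.g. `// write:organization now covers the former admin:org operations`, would make the widening explicit, and a negative case with `AccessTokenScopeReadOrganization` expecting 403 would pin that read alone is insufficient.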
|
@ -28,7 +28,7 @@ func TestPackageNpm(t *testing.T) {
|
||||
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name), auth_model.AccessTokenScopePackage))
|
||||
token := fmt.Sprintf("Bearer %s", getTokenForLoggedInUser(t, loginUser(t, user.Name), auth_model.AccessTokenScopeWritePackage))
|
||||
|
||||
packageName := "@scope/test-package"
|
||||
packageVersion := "1.0.1-pre"
|
||||
|
@ -75,7 +75,7 @@ func TestPackageNuGet(t *testing.T) {
|
||||
}
|
||||
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopeWritePackage)
|
||||
|
||||
packageName := "test.package"
|
||||
packageVersion := "1.0.3"
|
||||
|
@ -31,7 +31,7 @@ func TestPackagePub(t *testing.T) {
|
||||
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
|
||||
token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopeWritePackage)
|
||||
|
||||
packageName := "test_package"
|
||||
packageVersion := "1.0.1"
|
||||
|
@ -34,7 +34,7 @@ func TestPackageAPI(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
||||
session := loginUser(t, user.Name)
|
||||
tokenReadPackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadPackage)
|
||||
tokenDeletePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeDeletePackage)
|
||||
tokenDeletePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWritePackage)
|
||||
|
||||
packageName := "test-package"
|
||||
packageVersion := "1.0.3"
|
||||
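Review bot: `tokenDeletePackage` is now minted with `AccessTokenScopeWritePackage`, so the variable name no longer describes the scope it carries and a reader may assume a delete-only token is under test. Renaming it, `tokenWritePackage := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWritePackage)`, keeps the name honest; the uses of the token are outside the hunk and need the same rename. Presumably `tokenReadPackage` is still exercised against the delete path further down — keep that negative case, as it is the only thing here that pins the read/write boundary for packages.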
|
@ -28,7 +28,7 @@ func TestPackageVagrant(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
|
||||
token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopePackage)
|
||||
token := "Bearer " + getUserToken(t, user.Name, auth_model.AccessTokenScopeWritePackage)
|
||||
|
||||
packageName := "test_package"
|
||||
packageVersion := "1.0.1"
|
||||
|
@ -28,7 +28,7 @@ func TestAPIPullReview(t *testing.T) {
|
||||
|
||||
// test ListPullReviews
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, http.MethodGet, "/api/v1/repos/%s/%s/pulls/%d/reviews?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
@ -231,7 +231,7 @@ func TestAPIPullReviewRequest(t *testing.T) {
|
||||
|
||||
// Test add Review Request
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token), &api.PullReviewRequestOptions{
|
||||
Reviewers: []string{"user4@example.com", "user8"},
|
||||
})
|
||||
@ -251,7 +251,7 @@ func TestAPIPullReviewRequest(t *testing.T) {
|
||||
|
||||
// Test Remove Review Request
|
||||
session2 := loginUser(t, "user4")
|
||||
token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
req = NewRequestWithJSON(t, http.MethodDelete, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/requested_reviewers?token=%s", repo.OwnerName, repo.Name, pullIssue.Index, token2), &api.PullReviewRequestOptions{
|
||||
Reviewers: []string{"user4"},
|
||||
|
@ -29,7 +29,7 @@ func TestAPIViewPulls(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
ctx := NewAPITestContext(t, "user2", repo.Name, auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, "user2", repo.Name, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/pulls?state=all&token="+ctx.Token, owner.Name, repo.Name)
|
||||
resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
|
||||
@ -75,7 +75,7 @@ func TestAPIMergePullWIP(t *testing.T) {
|
||||
assert.Contains(t, pr.Issue.Title, setting.Repository.PullRequest.WorkInProgressPrefixes[0])
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d/merge?token=%s", owner.Name, repo.Name, pr.Index, token), &forms.MergePullRequestForm{
|
||||
MergeMessageField: pr.Issue.Title,
|
||||
Do: string(repo_model.MergeStyleMerge),
|
||||
@ -94,7 +94,7 @@ func TestAPICreatePullSuccess(t *testing.T) {
|
||||
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
|
||||
|
||||
session := loginUser(t, owner11.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
|
||||
Head: fmt.Sprintf("%s:master", owner11.Name),
|
||||
Base: "master",
|
||||
@ -114,7 +114,7 @@ func TestAPICreatePullWithFieldsSuccess(t *testing.T) {
|
||||
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
|
||||
|
||||
session := loginUser(t, owner11.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
opts := &api.CreatePullRequestOption{
|
||||
Head: fmt.Sprintf("%s:master", owner11.Name),
|
||||
@ -151,7 +151,7 @@ func TestAPICreatePullWithFieldsFailure(t *testing.T) {
|
||||
owner11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo11.OwnerID})
|
||||
|
||||
session := loginUser(t, owner11.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
opts := &api.CreatePullRequestOption{
|
||||
Head: fmt.Sprintf("%s:master", owner11.Name),
|
||||
@ -181,7 +181,7 @@ func TestAPIEditPull(t *testing.T) {
|
||||
owner10 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo10.OwnerID})
|
||||
|
||||
session := loginUser(t, owner10.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), &api.CreatePullRequestOption{
|
||||
Head: "develop",
|
||||
Base: "master",
|
||||
|
@ -25,7 +25,7 @@ func TestAPIListReleases(t *testing.T) {
|
||||
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
token := getUserToken(t, user2.LowerName, auth_model.AccessTokenScopeRepo)
|
||||
token := getUserToken(t, user2.LowerName, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/releases", user2.Name, repo.Name))
|
||||
link.RawQuery = url.Values{"token": {token}}.Encode()
|
||||
@ -101,7 +101,7 @@ func TestAPICreateAndUpdateRelease(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
gitRepo, err := git.OpenRepository(git.DefaultContext, repo.RepoPath())
|
||||
assert.NoError(t, err)
|
||||
@ -153,7 +153,7 @@ func TestAPICreateReleaseToDefaultBranch(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
createNewReleaseUsingAPI(t, session, token, owner, repo, "v0.0.1", "", "v0.0.1", "test")
|
||||
}
|
||||
@ -164,7 +164,7 @@ func TestAPICreateReleaseToDefaultBranchOnExistingTag(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
gitRepo, err := git.OpenRepository(git.DefaultContext, repo.RepoPath())
|
||||
assert.NoError(t, err)
|
||||
@ -232,7 +232,7 @@ func TestAPIDeleteReleaseByTagName(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
createNewReleaseUsingAPI(t, session, token, owner, repo, "release-tag", "", "Release Tag", "test")
|
||||
|
||||
|
@ -25,7 +25,7 @@ func TestAPIDownloadArchive(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user2.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
link, _ := url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.zip", user2.Name, repo.Name))
|
||||
link.RawQuery = url.Values{"token": {token}}.Encode()
|
||||
|
@ -28,7 +28,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
|
||||
user10 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 10})
|
||||
user11 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 11})
|
||||
|
||||
testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name, auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, repo2Owner.Name, repo2.Name, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
t.Run("RepoOwnerShouldBeOwner", func(t *testing.T) {
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, repo2Owner.Name, testCtx.Token)
|
||||
@ -85,7 +85,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
|
||||
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead))
|
||||
|
||||
_session := loginUser(t, user5.Name)
|
||||
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeRepo)
|
||||
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
|
||||
resp := _session.MakeRequest(t, req, http.StatusOK)
|
||||
@ -100,7 +100,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
|
||||
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user5.Name, perm.AccessModeRead))
|
||||
|
||||
_session := loginUser(t, user5.Name)
|
||||
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeRepo)
|
||||
_testCtx := NewAPITestContext(t, user5.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user5.Name, _testCtx.Token)
|
||||
resp := _session.MakeRequest(t, req, http.StatusOK)
|
||||
@ -116,7 +116,7 @@ func TestAPIRepoCollaboratorPermission(t *testing.T) {
|
||||
t.Run("AddUserAsCollaboratorWithReadAccess", doAPIAddCollaborator(testCtx, user11.Name, perm.AccessModeRead))
|
||||
|
||||
_session := loginUser(t, user10.Name)
|
||||
_testCtx := NewAPITestContext(t, user10.Name, repo2.Name, auth_model.AccessTokenScopeRepo)
|
||||
_testCtx := NewAPITestContext(t, user10.Name, repo2.Name, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/collaborators/%s/permission?token=%s", repo2Owner.Name, repo2.Name, user11.Name, _testCtx.Token)
|
||||
resp := _session.MakeRequest(t, req, http.StatusOK)
|
||||
|
@ -147,10 +147,10 @@ func TestAPIRepoEdit(t *testing.T) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test editing a repo1 which user2 owns, changing name and many properties
|
||||
origRepoEditOption := getRepoEditOptionFromRepo(repo1)
|
||||
|
@ -151,10 +151,10 @@ func TestAPICreateFile(t *testing.T) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
// Test creating a file in repo1 which user2 owns, try both with branch and empty branch
|
||||
for _, branch := range [...]string{
|
||||
@ -280,7 +280,7 @@ func TestAPICreateFile(t *testing.T) {
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
|
||||
// Test creating a file in an empty repository
|
||||
doAPICreateRepository(NewAPITestContext(t, "user2", "empty-repo", auth_model.AccessTokenScopeRepo), true)(t)
|
||||
doAPICreateRepository(NewAPITestContext(t, "user2", "empty-repo", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser), true)(t)
|
||||
createFileOptions = getCreateFileOptions()
|
||||
fileID++
|
||||
treePath = fmt.Sprintf("new/file%d.txt", fileID)
|
||||
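Review bot: `token2`, `token4` and the `NewAPITestContext` for `empty-repo` all pair `AccessTokenScopeWriteRepository` with `AccessTokenScopeWriteUser`, but nothing in the hunk says why the user scope is needed in a file-creation test; presumably it is the repository creation under the user section that requires it. If so, every token able to create a repository also carries write access to the user's own settings and keys, which is a broader grant than the old `repo` scope implied. A comment at the first token line, e.g. `// write:user is required because repository creation is routed under the user scope — TODO confirm`, would keep the pairing from being cargo-culted; `TestAPIDeleteFile` and `TestAPIUpdateFile` mint the same tokens without `WriteUser`, which supports that only creation needs it.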
|
@ -49,10 +49,10 @@ func TestAPIDeleteFile(t *testing.T) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test deleting a file in repo1 which user2 owns, try both with branch and empty branch
|
||||
for _, branch := range [...]string{
|
||||
|
@ -25,7 +25,7 @@ func TestAPIGetRawFileOrLFS(t *testing.T) {
|
||||
|
||||
// Test with LFS
|
||||
onGiteaRun(t, func(t *testing.T, u *url.URL) {
|
||||
httpContext := NewAPITestContext(t, "user2", "repo-lfs-test", auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeDeleteRepo)
|
||||
httpContext := NewAPITestContext(t, "user2", "repo-lfs-test", auth_model.AccessTokenScopeWriteRepository)
|
||||
doAPICreateRepository(httpContext, false, func(t *testing.T, repository api.Repository) {
|
||||
u.Path = httpContext.GitPath()
|
||||
dstPath := t.TempDir()
|
||||
|
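Review bot: The `repo-lfs-test` context is created with only `AccessTokenScopeWriteRepository`, yet every other `NewAPITestContext` call in this change that feeds `doAPICreateRepository` (the `empty-repo`, `lfs-…-repo`, create-conflict and migrate-conflict contexts) also carries `AccessTokenScopeWriteUser`. One of the two forms is presumably wrong: if repository creation through the user endpoint needs the user scope this test will be rejected, and if it does not then the other contexts are minting over-privileged tokens that would hide a scope regression. Settle on the minimal set the endpoint actually requires and use it at every call site, e.g. `NewAPITestContext(t, "user2", "repo-lfs-test", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)` only if the extra scope is genuinely needed. The body of `TestAPIGetRawFileOrLFS` continues outside the hunk.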
@ -117,10 +117,10 @@ func TestAPIUpdateFile(t *testing.T) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test updating a file in repo1 which user2 owns, try both with branch and empty branch
|
||||
for _, branch := range [...]string{
|
||||
|
@ -72,10 +72,10 @@ func TestAPIChangeFiles(t *testing.T) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test changing files in repo1 which user2 owns, try both with branch and empty branch
|
||||
for _, branch := range [...]string{
|
||||
|
@ -9,6 +9,7 @@ import (
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
@ -64,10 +65,10 @@ func testAPIGetContentsList(t *testing.T, u *url.URL) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Make a new branch in repo1
|
||||
newBranch := "test_branch"
|
||||
|
@ -9,6 +9,7 @@ import (
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
@ -66,10 +67,10 @@ func testAPIGetContents(t *testing.T, u *url.URL) {
|
||||
|
||||
// Get user2's token
|
||||
session := loginUser(t, user2.Name)
|
||||
token2 := getTokenForLoggedInUser(t, session)
|
||||
token2 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
// Get user4's token
|
||||
session = loginUser(t, user4.Name)
|
||||
token4 := getTokenForLoggedInUser(t, session)
|
||||
token4 := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Make a new branch in repo1
|
||||
newBranch := "test_branch"
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
@ -31,7 +32,7 @@ func TestAPIReposGitBlobs(t *testing.T) {
|
||||
|
||||
// Login as User2.
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test a public repo that anyone can GET the blob of
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/git/blobs/%s", user2.Name, repo1.Name, repo1ReadmeSHA)
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
api "code.gitea.io/gitea/modules/structs"
|
||||
@ -28,7 +29,7 @@ func TestAPIReposGitCommits(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// check invalid requests
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/commits/12345?token="+token, user.Name)
|
||||
@ -56,7 +57,7 @@ func TestAPIReposGitCommitList(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting commits (Page 1)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?token="+token+"¬=master&sha=remove-files-a", user.Name)
|
||||
@ -79,7 +80,7 @@ func TestAPIReposGitCommitListNotMaster(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting commits (Page 1)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token, user.Name)
|
||||
@ -104,7 +105,7 @@ func TestAPIReposGitCommitListPage2Empty(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting commits (Page=2)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&page=2", user.Name)
|
||||
@ -121,7 +122,7 @@ func TestAPIReposGitCommitListDifferentBranch(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting commits (Page=1, Branch=good-sign)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&sha=good-sign", user.Name)
|
||||
@ -140,7 +141,7 @@ func TestAPIReposGitCommitListWithoutSelectFields(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting commits without files, verification, and stats
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?token="+token+"&sha=good-sign&stat=false&files=false&verification=false", user.Name)
|
||||
@ -161,7 +162,7 @@ func TestDownloadCommitDiffOrPatch(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test getting diff
|
||||
reqDiff := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/git/commits/f27c2b2b03dcab38beaf89b0ab4ff61f6de63441.diff?token="+token, user.Name)
|
||||
@ -183,7 +184,7 @@ func TestGetFileHistory(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo16/commits?path=readme.md&token="+token+"&sha=good-sign", user.Name)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -203,7 +204,7 @@ func TestGetFileHistoryNotOnMaster(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo20/commits?path=test.csv&token="+token+"&sha=add-csv¬=master", user.Name)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
|
@ -31,7 +31,7 @@ func TestAPIListGitHooks(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -57,7 +57,7 @@ func TestAPIListGitHooksNoHooks(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -77,7 +77,7 @@ func TestAPIListGitHooksNoAccess(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
@ -91,7 +91,7 @@ func TestAPIGetGitHook(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -108,7 +108,7 @@ func TestAPIGetGitHookNoAccess(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
@ -122,7 +122,7 @@ func TestAPIEditGitHook(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
@ -151,7 +151,7 @@ func TestAPIEditGitHookNoAccess(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
req := NewRequestWithJSON(t, "PATCH", urlStr, &api.EditGitHookOption{
|
||||
@ -168,7 +168,7 @@ func TestAPIDeleteGitHook(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
@ -190,7 +190,7 @@ func TestAPIDeleteGitHookNoAccess(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
|
||||
session := loginUser(t, owner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/hooks/git/pre-receive?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
|
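Review bot: `TestAPIEditGitHook` and `TestAPIDeleteGitHook` now expect server-side git hook mutation to succeed with a plain `AccessTokenScopeWriteRepository` token where the old tests required `AccessTokenScopeAdminRepoHook`. Git hooks execute arbitrary code on the server, so if route enforcement matches what these tests assert, any write-repository token held by a site admin can now install hooks, a coarser grant than the dedicated hook scope it replaces. The `NoAccess` variants still show a non-admin owner receiving 403, which is the right backstop, but the admin tests should record that the collapse is deliberate, e.g. `// write:repository suffices for git hooks; the admin requirement is enforced on the user, not the token scope`, or a separate admin-level scope for hook mutation should be kept.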
@ -8,6 +8,7 @@ import (
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
api "code.gitea.io/gitea/modules/structs"
|
||||
@ -20,7 +21,7 @@ func TestAPIReposGitNotes(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// check invalid requests
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/notes/12345?token=%s", user.Name, token)
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/tests"
|
||||
@ -17,7 +18,7 @@ func TestAPIReposGitRefs(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
for _, ref := range [...]string{
|
||||
"refs/heads/master", // Branch
|
||||
|
@ -26,7 +26,7 @@ func TestAPIGitTags(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Set up git config for the tagger
|
||||
_ = git.NewCommand(git.DefaultContext, "config", "user.name").AddDynamicArguments(user.Name).Run(&git.RunOpts{Dir: repo.RepoPath()})
|
||||
@ -70,7 +70,7 @@ func TestAPIDeleteTagByName(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, owner.LowerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/tags/delete-tag?token=%s",
|
||||
owner.Name, repo.Name, token)
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
repo_model "code.gitea.io/gitea/models/repo"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
@ -28,7 +29,7 @@ func TestAPIReposGitTrees(t *testing.T) {
|
||||
|
||||
// Login as User2.
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
// Test a public repo that anyone can GET the tree of
|
||||
for _, ref := range [...]string{
|
||||
|
@ -26,7 +26,7 @@ func TestAPICreateHook(t *testing.T) {
|
||||
|
||||
// user1 is an admin user
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepoHook)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
completeURL := func(lastSegment string) string {
|
||||
return fmt.Sprintf("/api/v1/repos/%s/%s/%s?token=%s", owner.Name, repo.Name, lastSegment, token)
|
||||
}
|
||||
|
@ -31,7 +31,7 @@ func TestAPIRepoLFSMigrateLocal(t *testing.T) {
|
||||
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
|
||||
CloneAddr: path.Join(setting.RepoRootPath, "migration/lfs-test.git"),
|
||||
|
@ -60,7 +60,7 @@ func TestAPILFSMediaType(t *testing.T) {
|
||||
}
|
||||
|
||||
func createLFSTestRepository(t *testing.T, name string) *repo_model.Repository {
|
||||
ctx := NewAPITestContext(t, "user2", "lfs-"+name+"-repo", auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, "user2", "lfs-"+name+"-repo", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepo", doAPICreateRepository(ctx, false))
|
||||
|
||||
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "lfs-"+name+"-repo")
|
||||
|
@ -20,7 +20,7 @@ func TestAPIReposRaw(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
|
||||
for _, ref := range [...]string{
|
||||
"master", // Branch
|
||||
|
@ -23,7 +23,7 @@ func TestAPIRepoTags(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
// Login as User2.
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
repoName := "repo1"
|
||||
|
||||
|
@ -28,7 +28,7 @@ func TestAPIRepoTeams(t *testing.T) {
|
||||
// user4
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// ListTeams
|
||||
url := fmt.Sprintf("/api/v1/repos/%s/teams?token=%s", publicOrgRepo.FullName(), token)
|
||||
@ -68,7 +68,7 @@ func TestAPIRepoTeams(t *testing.T) {
|
||||
// AddTeam with user2
|
||||
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session = loginUser(t, user.Name)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
url = fmt.Sprintf("/api/v1/repos/%s/teams/%s?token=%s", publicOrgRepo.FullName(), "team1", token)
|
||||
req = NewRequest(t, "PUT", url)
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
|
@ -189,7 +189,7 @@ func TestAPISearchRepo(t *testing.T) {
|
||||
if userToLogin != nil && userToLogin.ID > 0 {
|
||||
testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
|
||||
session := loginUser(t, userToLogin.Name)
|
||||
token = getTokenForLoggedInUser(t, session)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
userID = userToLogin.ID
|
||||
} else {
|
||||
testName = "AnonymousUser"
|
||||
@ -295,7 +295,7 @@ func TestAPIOrgRepos(t *testing.T) {
|
||||
for userToLogin, expected := range expectedResults {
|
||||
testName := fmt.Sprintf("LoggedUser%d", userToLogin.ID)
|
||||
session := loginUser(t, userToLogin.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
t.Run(testName, func(t *testing.T) {
|
||||
req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
|
||||
@ -317,7 +317,7 @@ func TestAPIGetRepoByIDUnauthorized(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
req := NewRequestf(t, "GET", "/api/v1/repositories/2?token="+token)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
}
|
||||
@ -341,7 +341,7 @@ func TestAPIRepoMigrate(t *testing.T) {
|
||||
for _, testCase := range testCases {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/repos/migrate?token="+token, &api.MigrateRepoOptions{
|
||||
CloneAddr: testCase.cloneURL,
|
||||
RepoOwnerID: testCase.userID,
|
||||
@ -371,7 +371,7 @@ func TestAPIRepoMigrateConflict(t *testing.T) {
|
||||
|
||||
func testAPIRepoMigrateConflict(t *testing.T, u *url.URL) {
|
||||
username := "user2"
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeRepo)
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
u.Path = baseAPITestContext.GitPath()
|
||||
|
||||
@ -406,7 +406,7 @@ func TestAPIMirrorSyncNonMirrorRepo(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
var repo api.Repository
|
||||
req := NewRequest(t, "GET", "/api/v1/repos/user2/repo1")
|
||||
@ -438,7 +438,7 @@ func TestAPIOrgRepoCreate(t *testing.T) {
|
||||
for _, testCase := range testCases {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/org/%s/repos?token="+token, testCase.orgName), &api.CreateRepoOption{
|
||||
Name: testCase.repoName,
|
||||
})
|
||||
@ -452,7 +452,7 @@ func TestAPIRepoCreateConflict(t *testing.T) {
|
||||
|
||||
func testAPIRepoCreateConflict(t *testing.T, u *url.URL) {
|
||||
username := "user2"
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeRepo)
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
u.Path = baseAPITestContext.GitPath()
|
||||
|
||||
@ -502,7 +502,7 @@ func TestAPIRepoTransfer(t *testing.T) {
|
||||
// create repo to move
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
repoName := "moveME"
|
||||
apiRepo := new(api.Repository)
|
||||
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/user/repos?token=%s", token), &api.CreateRepoOption{
|
||||
@ -520,7 +520,7 @@ func TestAPIRepoTransfer(t *testing.T) {
|
||||
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: testCase.ctxUserID})
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
|
||||
session = loginUser(t, user.Name)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer?token=%s", repo.OwnerName, repo.Name, token), &api.TransferRepoOption{
|
||||
NewOwner: testCase.newOwner,
|
||||
TeamIDs: testCase.teams,
|
||||
@ -537,7 +537,7 @@ func transfer(t *testing.T) *repo_model.Repository {
|
||||
// create repo to move
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
repoName := "moveME"
|
||||
apiRepo := new(api.Repository)
|
||||
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/user/repos?token=%s", token), &api.CreateRepoOption{
|
||||
@ -567,7 +567,7 @@ func TestAPIAcceptTransfer(t *testing.T) {
|
||||
|
||||
// try to accept with not authorized user
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
|
||||
@ -577,7 +577,7 @@ func TestAPIAcceptTransfer(t *testing.T) {
|
||||
|
||||
// accept transfer
|
||||
session = loginUser(t, "user4")
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept?token=%s", repo.OwnerName, repo.Name, token))
|
||||
resp := MakeRequest(t, req, http.StatusAccepted)
|
||||
@ -593,7 +593,7 @@ func TestAPIRejectTransfer(t *testing.T) {
|
||||
|
||||
// try to reject with not authorized user
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
|
||||
@ -603,7 +603,7 @@ func TestAPIRejectTransfer(t *testing.T) {
|
||||
|
||||
// reject transfer
|
||||
session = loginUser(t, "user4")
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
req = NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/reject?token=%s", repo.OwnerName, repo.Name, token))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -617,7 +617,7 @@ func TestAPIGenerateRepo(t *testing.T) {
|
||||
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
templateRepo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 44})
|
||||
|
||||
@ -653,7 +653,7 @@ func TestAPIRepoGetReviewers(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/reviewers?token=%s", user.Name, repo.Name, token)
|
||||
@ -667,7 +667,7 @@ func TestAPIRepoGetAssignees(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/assignees?token=%s", user.Name, repo.Name, token)
|
||||
|
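Review bot: In `TestAPIAcceptTransfer` the block commented `try to accept with not authorized user` posts to `transfer/reject`, not `transfer/accept`, so the unauthorized-accept path — the one that would let a non-recipient take ownership of a repository — is never exercised; the request should be `NewRequest(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/transfer/accept?token=%s", repo.OwnerName, repo.Name, token))`, since the reject case is already covered by `TestAPIRejectTransfer`. The same hunks also mint user2's and user4's tokens with `AccessTokenScopeWriteRepository, AccessTokenScopeWriteUser`, while the parallel reject test uses `AccessTokenScopeWriteRepository` alone; unless the accept endpoint genuinely needs the user scope, drop it so the test proves the minimal scope is sufficient. Both test bodies extend beyond the visible hunks.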
@ -60,7 +60,7 @@ func TestAPIRepoTopic(t *testing.T) {
|
||||
repo3 := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 3})
|
||||
|
||||
// Get user2's token
|
||||
token2 := getUserToken(t, user2.Name, auth_model.AccessTokenScopeRepo)
|
||||
token2 := getUserToken(t, user2.Name, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test read topics using login
|
||||
url := fmt.Sprintf("/api/v1/repos/%s/%s/topics", user2.Name, repo2.Name)
|
||||
@ -140,7 +140,7 @@ func TestAPIRepoTopic(t *testing.T) {
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
|
||||
// Get user4's token
|
||||
token4 := getUserToken(t, user4.Name, auth_model.AccessTokenScopeRepo)
|
||||
token4 := getUserToken(t, user4.Name, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Test read topics with write access
|
||||
url = fmt.Sprintf("/api/v1/repos/%s/%s/topics?token=%s", user3.Name, repo3.Name, token4)
|
||||
|
@ -33,7 +33,7 @@ func TestAPITeam(t *testing.T) {
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: teamUser.UID})
|
||||
|
||||
session := loginUser(t, user.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
|
||||
req := NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
@ -48,7 +48,7 @@ func TestAPITeam(t *testing.T) {
|
||||
user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: teamUser2.UID})
|
||||
|
||||
session = loginUser(t, user2.Name)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
|
||||
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
|
||||
_ = MakeRequest(t, req, http.StatusForbidden)
|
||||
|
||||
@ -58,7 +58,7 @@ func TestAPITeam(t *testing.T) {
|
||||
// Get an admin user able to create, update and delete teams.
|
||||
user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
session = loginUser(t, user.Name)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeAdminOrg)
|
||||
token = getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteOrganization)
|
||||
|
||||
org = unittest.AssertExistsAndLoadBean(t, &organization.Organization{ID: 6})
|
||||
|
||||
@ -262,7 +262,7 @@ func TestAPITeamSearch(t *testing.T) {
|
||||
|
||||
var results TeamSearchResults
|
||||
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrganization)
|
||||
req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "_team", token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
DecodeJSON(t, resp, &results)
|
||||
@ -272,7 +272,7 @@ func TestAPITeamSearch(t *testing.T) {
|
||||
|
||||
// no access if not organization member
|
||||
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
||||
token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrg)
|
||||
token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "team", token5)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
@ -287,7 +287,7 @@ func TestAPIGetTeamRepo(t *testing.T) {
|
||||
|
||||
var results api.Repository
|
||||
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getUserToken(t, user.Name, auth_model.AccessTokenScopeReadOrganization)
|
||||
req := NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
DecodeJSON(t, resp, &results)
|
||||
@ -295,7 +295,7 @@ func TestAPIGetTeamRepo(t *testing.T) {
|
||||
|
||||
// no access if not organization member
|
||||
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
||||
token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrg)
|
||||
token5 := getUserToken(t, user5.Name, auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
req = NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token5)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
|
@ -24,7 +24,7 @@ func TestAPITeamUser(t *testing.T) {
|
||||
|
||||
normalUsername := "user2"
|
||||
session := loginUser(t, normalUsername)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization)
|
||||
req := NewRequest(t, "GET", "/api/v1/teams/1/members/user1?token="+token)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
|
||||
|
@ -4,14 +4,18 @@
|
||||
package integration
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/modules/log"
|
||||
api "code.gitea.io/gitea/modules/structs"
|
||||
"code.gitea.io/gitea/tests"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
// TestAPICreateAndDeleteToken tests that token that was just created can be deleted
|
||||
@ -19,9 +23,518 @@ func TestAPICreateAndDeleteToken(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/users/user1/tokens", map[string]string{
|
||||
"name": "test-key-1",
|
||||
newAccessToken := createAPIAccessTokenWithoutCleanUp(t, "test-key-1", user, nil)
|
||||
deleteAPIAccessToken(t, newAccessToken, user)
|
||||
|
||||
newAccessToken = createAPIAccessTokenWithoutCleanUp(t, "test-key-2", user, nil)
|
||||
deleteAPIAccessToken(t, newAccessToken, user)
|
||||
}
|
||||
|
||||
// TestAPIDeleteMissingToken ensures that error is thrown when token not found
|
||||
func TestAPIDeleteMissingToken(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", unittest.NonexistentID)
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
}
|
||||
|
||||
type permission struct {
|
||||
category auth_model.AccessTokenScopeCategory
|
||||
level auth_model.AccessTokenScopeLevel
|
||||
}
|
||||
|
||||
type requiredScopeTestCase struct {
|
||||
url string
|
||||
method string
|
||||
requiredPermissions []permission
|
||||
}
|
||||
|
||||
func (c *requiredScopeTestCase) Name() string {
|
||||
return fmt.Sprintf("%v %v", c.method, c.url)
|
||||
}
|
||||
|
||||
// TestAPIDeniesPermissionBasedOnTokenScope tests that API routes forbid access
|
||||
// when the correct token scope is not included.
|
||||
func TestAPIDeniesPermissionBasedOnTokenScope(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
// We'll assert that each endpoint, when fetched with a token with all
|
||||
// scopes *except* the ones specified, a forbidden status code is returned.
|
||||
//
|
||||
// This is to protect against endpoints having their access check copied
|
||||
// from other endpoints and not updated.
|
||||
//
|
||||
// Test cases are in alphabetical order by URL.
|
||||
//
|
||||
// Note: query parameters are not currently supported since the token is
|
||||
// appended with `?=token=<token>`.
|
||||
testCases := []requiredScopeTestCase{
|
||||
{
|
||||
"/api/v1/admin/emails",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/users",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/users",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/users/user2",
|
||||
"PATCH",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/users/user2/orgs",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/users/user2/orgs",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/admin/orgs",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryAdmin,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/markdown",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryMisc,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/markdown/raw",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryMisc,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/notifications",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryNotification,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/notifications",
|
||||
"PUT",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryNotification,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/org/org1/repos",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryOrganization,
|
||||
auth_model.Write,
|
||||
},
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/packages/user1/type/name/1",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryPackage,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/packages/user1/type/name/1",
|
||||
"DELETE",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryPackage,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1",
|
||||
"PATCH",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1",
|
||||
"DELETE",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/branches",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/archive/foo",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/issues",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryIssue,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/media/foo",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/raw/foo",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/teams",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/teams/team1",
|
||||
"PUT",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/repos/user1/repo1/transfer",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
// Private repo
|
||||
{
|
||||
"/api/v1/repos/user2/repo2",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
// Private repo
|
||||
{
|
||||
"/api/v1/repos/user2/repo2",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryRepository,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/settings/api",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryMisc,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user/emails",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user/emails",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user/emails",
|
||||
"DELETE",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user/applications/oauth2",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/user/applications/oauth2",
|
||||
"POST",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Write,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"/api/v1/users/search",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
// Private user
|
||||
{
|
||||
"/api/v1/users/user31",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
// Private user
|
||||
{
|
||||
"/api/v1/users/user31/gpg_keys",
|
||||
"GET",
|
||||
[]permission{
|
||||
{
|
||||
auth_model.AccessTokenScopeCategoryUser,
|
||||
auth_model.Read,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// User needs to be admin so that we can verify that tokens without admin
|
||||
// scopes correctly deny access.
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
assert.True(t, user.IsAdmin, "User needs to be admin")
|
||||
|
||||
for _, testCase := range testCases {
|
||||
runTestCase(t, &testCase, user)
|
||||
}
|
||||
}
|
||||
|
||||
// runTestCase Helper function to run a single test case.
|
||||
func runTestCase(t *testing.T, testCase *requiredScopeTestCase, user *user_model.User) {
|
||||
t.Run(testCase.Name(), func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
// Create a token with all scopes NOT required by the endpoint.
|
||||
var unauthorizedScopes []auth_model.AccessTokenScope
|
||||
for _, category := range auth_model.AllAccessTokenScopeCategories {
|
||||
// For permissions, Write > Read > NoAccess. So we need to
|
||||
// find the minimum required, and only grant permission up to but
|
||||
// not including the minimum required.
|
||||
minRequiredLevel := auth_model.Write
|
||||
categoryIsRequired := false
|
||||
for _, requiredPermission := range testCase.requiredPermissions {
|
||||
if requiredPermission.category != category {
|
||||
continue
|
||||
}
|
||||
categoryIsRequired = true
|
||||
if requiredPermission.level < minRequiredLevel {
|
||||
minRequiredLevel = requiredPermission.level
|
||||
}
|
||||
}
|
||||
unauthorizedLevel := auth_model.Write
|
||||
if categoryIsRequired {
|
||||
if minRequiredLevel == auth_model.Read {
|
||||
unauthorizedLevel = auth_model.NoAccess
|
||||
} else if minRequiredLevel == auth_model.Write {
|
||||
unauthorizedLevel = auth_model.Read
|
||||
} else {
|
||||
assert.Failf(t, "Invalid test case", "Unknown access token scope level: %v", minRequiredLevel)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if unauthorizedLevel == auth_model.NoAccess {
|
||||
continue
|
||||
}
|
||||
cateogoryUnauthorizedScopes := auth_model.GetRequiredScopes(
|
||||
unauthorizedLevel,
|
||||
category)
|
||||
unauthorizedScopes = append(unauthorizedScopes, cateogoryUnauthorizedScopes...)
|
||||
}
|
||||
|
||||
accessToken := createAPIAccessTokenWithoutCleanUp(t, "test-token", user, &unauthorizedScopes)
|
||||
defer deleteAPIAccessToken(t, accessToken, user)
|
||||
|
||||
// Add API access token to the URL.
|
||||
url := fmt.Sprintf("%s?token=%s", testCase.url, accessToken.Token)
|
||||
|
||||
// Request the endpoint. Verify that permission is denied.
|
||||
req := NewRequestf(t, testCase.method, url)
|
||||
MakeRequest(t, req, http.StatusForbidden)
|
||||
})
|
||||
}
|
||||
|
||||
// createAPIAccessTokenWithoutCleanUp Create an API access token and assert that
|
||||
// creation succeeded. The caller is responsible for deleting the token.
|
||||
func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes *[]auth_model.AccessTokenScope) api.AccessToken {
|
||||
payload := map[string]interface{}{
|
||||
"name": tokenName,
|
||||
}
|
||||
if scopes != nil {
|
||||
for _, scope := range *scopes {
|
||||
scopes, scopesExists := payload["scopes"].([]string)
|
||||
if !scopesExists {
|
||||
scopes = make([]string, 0)
|
||||
}
|
||||
scopes = append(scopes, string(scope))
|
||||
payload["scopes"] = scopes
|
||||
}
|
||||
}
|
||||
log.Debug("Requesting creation of token with scopes: %v", scopes)
|
||||
req := NewRequestWithJSON(t, "POST", "/api/v1/users/user1/tokens", payload)
|
||||
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
resp := MakeRequest(t, req, http.StatusCreated)
|
||||
|
||||
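Review bot: In createAPIAccessTokenWithoutCleanUp the loop over `*scopes` re-asserts `payload["scopes"].([]string)` and shadows the `scopes` parameter on every iteration, which is a lot of machinery for a single slice conversion; build the `[]string` once before the request instead (rewrite below). The same helper, and deleteAPIAccessToken in the following hunk, hard-code `/api/v1/users/user1/tokens` while taking `user` as a parameter, so `user` only selects the basic-auth identity — either derive the path from `user.Name` or drop the parameter, so a future caller cannot silently create or delete a token under a different account than the one it asserts against. Minor: `cateogoryUnauthorizedScopes` in runTestCase is misspelled, and the comment above testCases says the token is appended as `?=token=<token>` whereas runTestCase appends `?token=`. The test only proves that an under-scoped token is refused with 403; a companion positive case (the exact required scopes yielding a non-403) would also catch a route that rejects every token, though other test files in this commit may already cover that.
```go
func createAPIAccessTokenWithoutCleanUp(t *testing.T, tokenName string, user *user_model.User, scopes *[]auth_model.AccessTokenScope) api.AccessToken {
	payload := map[string]interface{}{
		"name": tokenName,
	}
	// Convert the requested scopes once; the "scopes" key is only sent when at
	// least one scope was given, matching the previous behaviour.
	if scopes != nil && len(*scopes) > 0 {
		scopeNames := make([]string, 0, len(*scopes))
		for _, scope := range *scopes {
			scopeNames = append(scopeNames, string(scope))
		}
		payload["scopes"] = scopeNames
	}
	log.Debug("Requesting creation of token with scopes: %v", payload["scopes"])
	// Target the token collection of the user we authenticate as, not a fixed account.
	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/users/%s/tokens", user.Name), payload)
	// … unchanged: basic auth header, request, JSON decode, bean assertion, return …
```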
@ -34,32 +547,15 @@ func TestAPICreateAndDeleteToken(t *testing.T) {
|
||||
UID: user.ID,
|
||||
})
|
||||
|
||||
req = NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", newAccessToken.ID)
|
||||
return newAccessToken
|
||||
}
|
||||
|
||||
// createAPIAccessTokenWithoutCleanUp Delete an API access token and assert that
|
||||
// deletion succeeded.
|
||||
func deleteAPIAccessToken(t *testing.T, accessToken api.AccessToken, user *user_model.User) {
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", accessToken.ID)
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
|
||||
unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: newAccessToken.ID})
|
||||
|
||||
req = NewRequestWithJSON(t, "POST", "/api/v1/users/user1/tokens", map[string]string{
|
||||
"name": "test-key-2",
|
||||
})
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
resp = MakeRequest(t, req, http.StatusCreated)
|
||||
DecodeJSON(t, resp, &newAccessToken)
|
||||
|
||||
req = NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%s", newAccessToken.Name)
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
|
||||
unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: newAccessToken.ID})
|
||||
}
|
||||
|
||||
// TestAPIDeleteMissingToken ensures that error is thrown when token not found
|
||||
func TestAPIDeleteMissingToken(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
|
||||
|
||||
req := NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", unittest.NonexistentID)
|
||||
req = AddBasicAuthHeader(req, user.Name)
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
unittest.AssertNotExistsBean(t, &auth_model.AccessToken{ID: accessToken.ID})
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ func TestAPIAddEmail(t *testing.T) {
|
||||
|
||||
normalUsername := "user2"
|
||||
session := loginUser(t, normalUsername)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeUser)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
opts := api.CreateEmailOption{
|
||||
Emails: []string{"user101@example.com"},
|
||||
@ -83,7 +83,7 @@ func TestAPIDeleteEmail(t *testing.T) {
|
||||
|
||||
normalUsername := "user2"
|
||||
session := loginUser(t, normalUsername)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeUser)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
opts := api.DeleteEmailOption{
|
||||
Emails: []string{"user2-3@example.com"},
|
||||
|
@ -22,10 +22,10 @@ func TestAPIFollow(t *testing.T) {
|
||||
user2 := "user1"
|
||||
|
||||
session1 := loginUser(t, user1)
|
||||
token1 := getTokenForLoggedInUser(t, session1)
|
||||
token1 := getTokenForLoggedInUser(t, session1, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
session2 := loginUser(t, user2)
|
||||
token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeUserFollow)
|
||||
token2 := getTokenForLoggedInUser(t, session2, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
t.Run("Follow", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
@ -10,6 +10,7 @@ import (
|
||||
"time"
|
||||
|
||||
activities_model "code.gitea.io/gitea/models/activities"
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/modules/timeutil"
|
||||
"code.gitea.io/gitea/tests"
|
||||
|
||||
@ -20,7 +21,7 @@ func TestUserHeatmap(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
normalUsername := "user2"
|
||||
token := getUserToken(t, adminUsername)
|
||||
token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
fakeNow := time.Date(2011, 10, 20, 0, 0, 0, 0, time.Local)
|
||||
timeutil.Set(fakeNow)
|
||||
|
@ -8,6 +8,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
api "code.gitea.io/gitea/modules/structs"
|
||||
"code.gitea.io/gitea/tests"
|
||||
|
||||
@ -21,7 +22,7 @@ func TestAPIUserInfo(t *testing.T) {
|
||||
user2 := "user31"
|
||||
|
||||
session := loginUser(t, user)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
t.Run("GetInfo", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
@ -33,7 +33,7 @@ func sampleTest(t *testing.T, auoptc apiUserOrgPermTestCase) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, auoptc.LoginUser)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -126,7 +126,7 @@ func TestUnknowUser(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token))
|
||||
resp := MakeRequest(t, req, http.StatusNotFound)
|
||||
@ -140,7 +140,7 @@ func TestUnknowOrganization(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopeReadOrganization)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token))
|
||||
resp := MakeRequest(t, req, http.StatusNotFound)
|
||||
|
@ -70,7 +70,7 @@ func TestUserOrgs(t *testing.T) {
|
||||
func getUserOrgs(t *testing.T, userDoer, userCheck string) (orgs []*api.Organization) {
|
||||
token := ""
|
||||
if len(userDoer) != 0 {
|
||||
token = getUserToken(t, userDoer, auth_model.AccessTokenScopeReadOrg)
|
||||
token = getUserToken(t, userDoer, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
|
||||
}
|
||||
urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token)
|
||||
req := NewRequest(t, "GET", urlStr)
|
||||
@ -92,7 +92,7 @@ func TestMyOrgs(t *testing.T) {
|
||||
MakeRequest(t, req, http.StatusUnauthorized)
|
||||
|
||||
normalUsername := "user2"
|
||||
token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadOrg)
|
||||
token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadOrganization, auth_model.AccessTokenScopeReadUser)
|
||||
req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var orgs []*api.Organization
|
||||
|
@ -8,6 +8,7 @@ import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
auth_model "code.gitea.io/gitea/models/auth"
|
||||
"code.gitea.io/gitea/models/unittest"
|
||||
user_model "code.gitea.io/gitea/models/user"
|
||||
"code.gitea.io/gitea/modules/setting"
|
||||
@ -26,7 +27,7 @@ func TestAPIUserSearchLoggedIn(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
session := loginUser(t, adminUsername)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
query := "user2"
|
||||
req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
@ -65,7 +66,7 @@ func TestAPIUserSearchAdminLoggedInUserHidden(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
adminUsername := "user1"
|
||||
session := loginUser(t, adminUsername)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
query := "user31"
|
||||
req := NewRequestf(t, "GET", "/api/v1/users/search?token=%s&q=%s", token, query)
|
||||
req.SetBasicAuth(token, "x-oauth-basic")
|
||||
|
@ -22,13 +22,13 @@ func TestAPIStar(t *testing.T) {
|
||||
repo := "user2/repo1"
|
||||
|
||||
session := loginUser(t, user)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
tokenWithRepoScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
tokenWithUserScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
t.Run("Star", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithRepoScope))
|
||||
req := NewRequest(t, "PUT", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
})
|
||||
|
||||
@ -49,7 +49,7 @@ func TestAPIStar(t *testing.T) {
|
||||
t.Run("GetMyStarredRepos", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred?token=%s", tokenWithRepoScope))
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred?token=%s", tokenWithUserScope))
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
assert.Equal(t, "1", resp.Header().Get("X-Total-Count"))
|
||||
@ -63,17 +63,17 @@ func TestAPIStar(t *testing.T) {
|
||||
t.Run("IsStarring", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithRepoScope))
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
|
||||
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo+"notexisting", tokenWithRepoScope))
|
||||
req = NewRequest(t, "GET", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo+"notexisting", tokenWithUserScope))
|
||||
MakeRequest(t, req, http.StatusNotFound)
|
||||
})
|
||||
|
||||
t.Run("Unstar", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithRepoScope))
|
||||
req := NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/user/starred/%s?token=%s", repo, tokenWithUserScope))
|
||||
MakeRequest(t, req, http.StatusNoContent)
|
||||
})
|
||||
}
|
||||
|
@ -22,8 +22,8 @@ func TestAPIWatch(t *testing.T) {
|
||||
repo := "user2/repo1"
|
||||
|
||||
session := loginUser(t, user)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
tokenWithRepoScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
tokenWithRepoScope := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
t.Run("Watch", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
@ -180,7 +180,7 @@ func TestAPINewWikiPage(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
username := "user2"
|
||||
session := loginUser(t, username)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/new?token=%s", username, "repo1", token)
|
||||
|
||||
@ -197,7 +197,7 @@ func TestAPIEditWikiPage(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
username := "user2"
|
||||
session := loginUser(t, username)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/wiki/page/Page-With-Spaced-Name?token=%s", username, "repo1", token)
|
||||
|
||||
|
@ -51,7 +51,7 @@ func TestDumpRestore(t *testing.T) {
|
||||
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{Name: reponame})
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
||||
session := loginUser(t, repoOwner.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeReadMisc)
|
||||
|
||||
//
|
||||
// Phase 1: dump repo1 from the Gitea instance to the filesystem
|
||||
|
@ -117,7 +117,7 @@ func TestEmptyRepoAddFileByAPI(t *testing.T) {
|
||||
assert.NoError(t, err)
|
||||
|
||||
session := loginUser(t, "user30")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
url := fmt.Sprintf("/api/v1/repos/user30/empty/contents/new-file.txt?token=%s", token)
|
||||
req := NewRequestWithJSON(t, "POST", url, &api.CreateFileOptions{
|
||||
|
@ -60,7 +60,7 @@ func TestEventSourceManagerRun(t *testing.T) {
|
||||
thread5 := unittest.AssertExistsAndLoadBean(t, &activities_model.Notification{ID: 5})
|
||||
assert.NoError(t, thread5.LoadAttributes(db.DefaultContext))
|
||||
session := loginUser(t, user2.Name)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeNotification)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteNotification, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
var apiNL []api.NotificationThread
|
||||
|
||||
|
@ -44,11 +44,11 @@ func TestGit(t *testing.T) {
|
||||
|
||||
func testGit(t *testing.T, u *url.URL) {
|
||||
username := "user2"
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeWritePublicKey, auth_model.AccessTokenScopeDeleteRepo)
|
||||
baseAPITestContext := NewAPITestContext(t, username, "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
u.Path = baseAPITestContext.GitPath()
|
||||
|
||||
forkedUserCtx := NewAPITestContext(t, "user4", "repo1", auth_model.AccessTokenScopeRepo)
|
||||
forkedUserCtx := NewAPITestContext(t, "user4", "repo1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
t.Run("HTTP", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
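Review bot: `forkedUserCtx` for user4 now carries `auth_model.AccessTokenScopeWriteUser` in addition to `WriteRepository`, while the old context had only `AccessTokenScopeRepo` and no key-management scope at all, so the fork user's token is wider than the test previously needed. If none of user4's steps add SSH/GPG keys, drop the extra scope so the test keeps pinning the minimal grant: `forkedUserCtx := NewAPITestContext(t, "user4", "repo1", auth_model.AccessTokenScopeWriteRepository)`. For `baseAPITestContext` the widening from `WritePublicKey` to `WriteUser` is forced by the new scope model, but a one-line comment saying so (`// write:user now covers public-key management`) would stop a reader from assuming the test needs user-profile write access. The body of `testGit` continues outside this hunk, so I cannot confirm which steps the fork user performs.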
@ -359,7 +359,7 @@ func doBranchProtectPRMerge(baseCtx *APITestContext, dstPath string) func(t *tes
|
||||
t.Run("CreateBranchProtected", doGitCreateBranch(dstPath, "protected"))
|
||||
t.Run("PushProtectedBranch", doGitPushTestRepository(dstPath, "origin", "protected"))
|
||||
|
||||
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, auth_model.AccessTokenScopeWriteRepository)
|
||||
t.Run("ProtectProtectedBranchNoWhitelist", doProtectBranch(ctx, "protected", "", ""))
|
||||
t.Run("GenerateCommit", func(t *testing.T) {
|
||||
_, err := generateCommitWithNewData(littleSize, dstPath, "user2@example.com", "User Two", "branch-data-file-")
|
||||
@ -603,7 +603,7 @@ func doAutoPRMerge(baseCtx *APITestContext, dstPath string) func(t *testing.T) {
|
||||
return func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
|
||||
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, baseCtx.Username, baseCtx.Reponame, auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
t.Run("CheckoutProtected", doGitCheckoutBranch(dstPath, "protected"))
|
||||
t.Run("PullProtected", doGitPull(dstPath, "origin", "protected"))
|
||||
|
@ -70,7 +70,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("Unsigned-Initial", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepository", doAPICreateRepository(testCtx, false))
|
||||
t.Run("CheckMasterBranchUnsigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
|
||||
assert.NotNil(t, branch.Commit)
|
||||
@ -94,7 +94,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(
|
||||
t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {
|
||||
assert.False(t, response.Verification.Verified)
|
||||
@ -111,7 +111,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("Unsigned-Initial-CRUD-Never", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateCRUDFile-Never", crudActionCreateFile(
|
||||
t, testCtx, user, "parentsigned", "parentsigned-never", "unsigned-never2.txt", func(t *testing.T, response api.FileResponse) {
|
||||
assert.False(t, response.Verification.Verified)
|
||||
@ -124,7 +124,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("Unsigned-Initial-CRUD-Always", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateCRUDFile-Always", crudActionCreateFile(
|
||||
t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {
|
||||
assert.NotNil(t, response.Verification)
|
||||
@ -161,7 +161,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("Unsigned-Initial-CRUD-ParentSigned", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateCRUDFile-Always-ParentSigned", crudActionCreateFile(
|
||||
t, testCtx, user, "always", "always-parentsigned", "signed-always-parentsigned.txt", func(t *testing.T, response api.FileResponse) {
|
||||
assert.NotNil(t, response.Verification)
|
||||
@ -184,7 +184,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("AlwaysSign-Initial", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-always", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepository", doAPICreateRepository(testCtx, false))
|
||||
t.Run("CheckMasterBranchSigned", doAPIGetBranch(testCtx, "master", func(t *testing.T, branch api.Branch) {
|
||||
assert.NotNil(t, branch.Commit)
|
||||
@ -212,7 +212,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("AlwaysSign-Initial-CRUD-Never", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-never", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-never", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepository", doAPICreateRepository(testCtx, false))
|
||||
t.Run("CreateCRUDFile-Never", crudActionCreateFile(
|
||||
t, testCtx, user, "master", "never", "unsigned-never.txt", func(t *testing.T, response api.FileResponse) {
|
||||
@ -225,7 +225,7 @@ func TestGPGGit(t *testing.T) {
|
||||
u.Path = baseAPITestContext.GitPath()
|
||||
t.Run("AlwaysSign-Initial-CRUD-ParentSigned-On-Always", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-parent", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-parent", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepository", doAPICreateRepository(testCtx, false))
|
||||
t.Run("CreateCRUDFile-ParentSigned", crudActionCreateFile(
|
||||
t, testCtx, user, "master", "parentsigned", "signed-parent.txt", func(t *testing.T, response api.FileResponse) {
|
||||
@ -244,7 +244,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("AlwaysSign-Initial-CRUD-Always", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-always", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-always-always", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
t.Run("CreateRepository", doAPICreateRepository(testCtx, false))
|
||||
t.Run("CreateCRUDFile-Always", crudActionCreateFile(
|
||||
t, testCtx, user, "master", "always", "signed-always.txt", func(t *testing.T, response api.FileResponse) {
|
||||
@ -264,7 +264,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("UnsignedMerging", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
var err error
|
||||
t.Run("CreatePullRequest", func(t *testing.T) {
|
||||
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "never2")(t)
|
||||
@ -285,7 +285,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("BaseSignedMerging", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
var err error
|
||||
t.Run("CreatePullRequest", func(t *testing.T) {
|
||||
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "parentsigned2")(t)
|
||||
@ -306,7 +306,7 @@ func TestGPGGit(t *testing.T) {
|
||||
|
||||
t.Run("CommitsSignedMerging", func(t *testing.T) {
|
||||
defer tests.PrintCurrentTest(t)()
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, username, "initial-unsigned", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
var err error
|
||||
t.Run("CreatePullRequest", func(t *testing.T) {
|
||||
pr, err = doAPICreatePullRequest(testCtx, testCtx.Username, testCtx.Reponame, "master", "always-parentsigned")(t)
|
||||
|
@ -41,13 +41,13 @@ func storeObjectInRepo(t *testing.T, repositoryID int64, content *[]byte) string
|
||||
return pointer.Oid
|
||||
}
|
||||
|
||||
func storeAndGetLfsToken(t *testing.T, ts auth.AccessTokenScope, content *[]byte, extraHeader *http.Header, expectedStatus int) *httptest.ResponseRecorder {
|
||||
func storeAndGetLfsToken(t *testing.T, content *[]byte, extraHeader *http.Header, expectedStatus int, ts ...auth.AccessTokenScope) *httptest.ResponseRecorder {
|
||||
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, "user2", "repo1")
|
||||
assert.NoError(t, err)
|
||||
oid := storeObjectInRepo(t, repo.ID, content)
|
||||
defer git_model.RemoveLFSMetaObjectByOid(db.DefaultContext, repo.ID, oid)
|
||||
|
||||
token := getUserToken(t, "user2", ts)
|
||||
token := getUserToken(t, "user2", ts...)
|
||||
|
||||
// Request OID
|
||||
req := NewRequest(t, "GET", "/user2/repo1.git/info/lfs/objects/"+oid+"/test")
|
||||
@ -119,7 +119,7 @@ func TestGetLFSSmallToken(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
content := []byte("A very small file\n")
|
||||
|
||||
resp := storeAndGetLfsToken(t, auth.AccessTokenScopePublicRepo, &content, nil, http.StatusOK)
|
||||
resp := storeAndGetLfsToken(t, &content, nil, http.StatusOK, auth.AccessTokenScopePublicOnly, auth.AccessTokenScopeReadRepository)
|
||||
checkResponseTestContentEncoding(t, &content, resp, false)
|
||||
}
|
||||
|
||||
@ -127,7 +127,7 @@ func TestGetLFSSmallTokenFail(t *testing.T) {
|
||||
defer tests.PrepareTestEnv(t)()
|
||||
content := []byte("A very small file\n")
|
||||
|
||||
storeAndGetLfsToken(t, auth.AccessTokenScopeNotification, &content, nil, http.StatusForbidden)
|
||||
storeAndGetLfsToken(t, &content, nil, http.StatusForbidden, auth.AccessTokenScopeReadNotification)
|
||||
}
|
||||
|
||||
func TestGetLFSLarge(t *testing.T) {
|
||||
|
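Review bot: The negative case `storeAndGetLfsToken(t, &content, nil, http.StatusForbidden, auth.AccessTokenScopeReadNotification)` only proves that a token from an unrelated category is rejected; it does not exercise the boundary the redesign introduces inside the repository category. Two cases worth adding are a `PublicOnly` + `ReadRepository` token against a private repository (expect `http.StatusForbidden`) and a call with no scopes at all, which the new variadic `ts ...auth.AccessTokenScope` signature makes expressible — whether `getUserToken` treats an empty list as "no access" or as a legacy all-access token is exactly what such a test would pin. The helper hard-codes `"user2"`/`"repo1"`, so the private-repo case would need the repository to become a parameter. `TestGetLFSLarge` starts here and continues outside the hunk.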
@ -67,7 +67,7 @@ func TestMigrateGiteaForm(t *testing.T) {
|
||||
repoName := "repo1"
|
||||
repoOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: ownerName})
|
||||
session := loginUser(t, ownerName)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeReadMisc)
|
||||
|
||||
// Step 0: verify the repo is available
|
||||
req := NewRequestf(t, "GET", fmt.Sprintf("/%s/%s", ownerName, repoName))
|
||||
|
@ -25,7 +25,7 @@ func testOrgCounts(t *testing.T, u *url.URL) {
|
||||
orgOwner := "user2"
|
||||
orgName := "testOrg"
|
||||
orgCollaborator := "user4"
|
||||
ctx := NewAPITestContext(t, orgOwner, "repo1", auth_model.AccessTokenScopeAdminOrg)
|
||||
ctx := NewAPITestContext(t, orgOwner, "repo1", auth_model.AccessTokenScopeWriteOrganization)
|
||||
|
||||
var ownerCountRepos map[string]int
|
||||
var collabCountRepos map[string]int
|
||||
|
@ -159,7 +159,7 @@ func TestOrgRestrictedUser(t *testing.T) {
|
||||
|
||||
// Therefore create a read-only team
|
||||
adminSession := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, adminSession, auth_model.AccessTokenScopeAdminOrg)
|
||||
token := getTokenForLoggedInUser(t, adminSession, auth_model.AccessTokenScopeWriteOrganization)
|
||||
|
||||
teamToCreate := &api.CreateTeamOption{
|
||||
Name: "codereader",
|
||||
|
@ -34,7 +34,7 @@ func testPrivateActivityDoSomethingForActionEntries(t *testing.T) {
|
||||
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repoBefore.OwnerID})
|
||||
|
||||
session := loginUser(t, privateActivityTestUser)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteIssue)
|
||||
urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/issues?state=all&token=%s", owner.Name, repoBefore.Name, token)
|
||||
req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateIssueOption{
|
||||
Body: "test",
|
||||
@ -125,7 +125,7 @@ func testPrivateActivityHelperHasHeatmapContentFromPublic(t *testing.T) bool {
|
||||
}
|
||||
|
||||
func testPrivateActivityHelperHasHeatmapContentFromSession(t *testing.T, session *TestSession) bool {
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
||||
|
||||
req := NewRequestf(t, "GET", "/api/v1/users/%s/heatmap?token=%s", privateActivityTestUser, token)
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
@ -218,7 +218,7 @@ func TestCantMergeConflict(t *testing.T) {
|
||||
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "base", "README.md", "Hello, World (Edited Twice)\n")
|
||||
|
||||
// Use API to create a conflicting pr
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
|
||||
Head: "conflict",
|
||||
Base: "base",
|
||||
@ -326,7 +326,7 @@ func TestCantMergeUnrelated(t *testing.T) {
|
||||
testEditFileToNewBranch(t, session, "user1", "repo1", "master", "conflict", "README.md", "Hello, World (Edited Once)\n")
|
||||
|
||||
// Use API to create a conflicting pr
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", "user1", "repo1", token), &api.CreatePullRequestOption{
|
||||
Head: "unrelated",
|
||||
Base: "base",
|
||||
|
@ -64,7 +64,7 @@ func TestPullCreate_CommitStatus(t *testing.T) {
|
||||
api.CommitStatusWarning: "gitea-exclamation",
|
||||
}
|
||||
|
||||
testCtx := NewAPITestContext(t, "user1", "repo1", auth_model.AccessTokenScopeRepo)
|
||||
testCtx := NewAPITestContext(t, "user1", "repo1", auth_model.AccessTokenScopeWriteRepository)
|
||||
|
||||
// Update commit status, and check if icon is updated as well
|
||||
for _, status := range statusList {
|
||||
|
@ -39,7 +39,7 @@ func TestAPIPullUpdate(t *testing.T) {
|
||||
assert.NoError(t, pr.LoadIssue(db.DefaultContext))
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
|
||||
session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
@ -67,7 +67,7 @@ func TestAPIPullUpdateByRebase(t *testing.T) {
|
||||
assert.NoError(t, pr.LoadIssue(db.DefaultContext))
|
||||
|
||||
session := loginUser(t, "user2")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeRepo)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
||||
req := NewRequestf(t, "POST", "/api/v1/repos/%s/%s/pulls/%d/update?style=rebase&token="+token, pr.BaseRepo.OwnerName, pr.BaseRepo.Name, pr.Issue.Index)
|
||||
session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
|
@ -52,7 +52,7 @@ func doTestRepoCommitWithStatus(t *testing.T, state string, classes ...string) {
|
||||
assert.NotEmpty(t, commitURL)
|
||||
|
||||
// Call API to add status for commit
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository)
|
||||
t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
|
||||
State: api.CommitStatusState(state),
|
||||
TargetURL: "http://test.ci/",
|
||||
@ -157,7 +157,7 @@ func TestRepoCommitsStatusParallel(t *testing.T) {
|
||||
wg.Add(1)
|
||||
go func(parentT *testing.T, i int) {
|
||||
parentT.Run(fmt.Sprintf("ParallelCreateStatus_%d", i), func(t *testing.T) {
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepoStatus)
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository)
|
||||
runBody := doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
|
||||
State: api.CommitStatusPending,
|
||||
TargetURL: "http://test.ci/",
|
||||
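Review bot: The narrow `AccessTokenScopeRepoStatus` grant this test used to exercise has been replaced by `AccessTokenScopeWriteRepository`, so nothing in the status tests now asserts that a read-only token cannot post a commit status. A single negative case — `NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeReadRepository)` with `doAPICreateCommitStatus` expected to fail with 403 — would pin the read/write boundary that `tokenRequiresScopes` is supposed to enforce for `POST` under the repository category. Separately, each goroutine iteration calls `NewAPITestContext`, which appears to mint a fresh token per status; that is pre-existing but worth a comment if it is intentional load on the token path. The enclosing loop and `TestRepoCommitsStatusParallel` continue outside this hunk.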
@ -188,7 +188,7 @@ func TestRepoCommitsStatusMultiple(t *testing.T) {
|
||||
assert.NotEmpty(t, commitURL)
|
||||
|
||||
// Call API to add status for commit
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeRepo)
|
||||
ctx := NewAPITestContext(t, "user2", "repo1", auth_model.AccessTokenScopeWriteRepository)
|
||||
t.Run("CreateStatus", doAPICreateCommitStatus(ctx, path.Base(commitURL), api.CreateStatusOption{
|
||||
State: api.CommitStatusSuccess,
|
||||
TargetURL: "http://test.ci/",
|
||||
|
@ -48,8 +48,8 @@ func TestPushDeployKeyOnEmptyRepo(t *testing.T) {
|
||||
|
||||
func testPushDeployKeyOnEmptyRepo(t *testing.T, u *url.URL) {
|
||||
// OK login
|
||||
ctx := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1", auth_model.AccessTokenScopeRepo)
|
||||
ctxWithDeleteRepo := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1", auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeDeleteRepo)
|
||||
ctx := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
ctxWithDeleteRepo := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1", auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
keyname := fmt.Sprintf("%s-push", ctx.Reponame)
|
||||
u.Path = ctx.GitPath()
|
||||
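Review bot: `ctx` and `ctxWithDeleteRepo` now receive the identical scope set `WriteRepository, WriteUser`, so whatever distinction the second context was meant to exercise — presumably that repository deletion needs a grant the plain push token lacks — no longer exists, and the name now misleads. Either collapse the two (`ctxWithDeleteRepo := ctx // delete is covered by write:repository in the new scope model`) or, if the test still relies on the first token being narrower, give `ctx` only what the deploy-key push needs and keep the wider set on the second. The remainder of `testPushDeployKeyOnEmptyRepo` is outside this hunk, so I cannot see which calls use which context.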
@ -92,8 +92,8 @@ func testKeyOnlyOneType(t *testing.T, u *url.URL) {
|
||||
keyname := fmt.Sprintf("%s-push", reponame)
|
||||
|
||||
// OK login
|
||||
ctx := NewAPITestContext(t, username, reponame, auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeAdminPublicKey)
|
||||
ctxWithDeleteRepo := NewAPITestContext(t, username, reponame, auth_model.AccessTokenScopeRepo, auth_model.AccessTokenScopeAdminPublicKey, auth_model.AccessTokenScopeDeleteRepo)
|
||||
ctx := NewAPITestContext(t, username, reponame, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
ctxWithDeleteRepo := NewAPITestContext(t, username, reponame, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
|
||||
|
||||
otherCtx := ctx
|
||||
otherCtx.Reponame = "ssh-key-test-repo-2"
|
||||
|
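Review bot: As in the deploy-key test above, `ctx` and `ctxWithDeleteRepo` are now built with the same scopes `WriteRepository, WriteUser`, so the old contrast between a token with and without `AccessTokenScopeDeleteRepo` (and `AdminPublicKey`) is gone while the variable name still promises it. Prefer a single context with a comment, e.g. `ctx := NewAPITestContext(t, username, reponame, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser) // write:* now covers key admin and repo deletion`, and remove `ctxWithDeleteRepo`. Note that `otherCtx := ctx` copies the struct and then rewrites `Reponame`, so the two contexts also share the same token — fine for a test, but worth stating. `testKeyOnlyOneType` continues outside this hunk.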
@ -166,7 +166,7 @@ Note: This user hasn't uploaded any GPG keys.
|
||||
// Import key
|
||||
// User1 <user1@example.com>
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteGPGKey)
|
||||
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
||||
testCreateGPGKey(t, session.MakeRequest, token, http.StatusCreated, `-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQENBFyy/VUBCADJ7zbM20Z1RWmFoVgp5WkQfI2rU1Vj9cQHes9i42wVLLtcbPeo
|
||||
|
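Review bot: The GPG-key import now requests `auth_model.AccessTokenScopeWriteUser`, a strictly wider grant than the old `WriteGPGKey`, but no case in this test checks the other side of that boundary. Adding a call with a `ReadUser` token and `http.StatusForbidden` expected — `testCreateGPGKey(t, session.MakeRequest, getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser), http.StatusForbidden, ...)` — would confirm that `tokenRequiresScopes` actually blocks key upload for read-only user tokens rather than just documenting which scope the happy path uses. The enclosing test and the key literal continue outside this hunk.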