Token Deletion Endpoint Ignores Specified Account #27598

Closed
evantobin opened this issue Oct 13, 2023 · 0 comments · Fixed by #27610

evantobin commented Oct 13, 2023

Description

Reproduction:

Created a token for the user evan with the POST /api/v1/users/evan/tokens/ endpoint using credentials for user admin. Token is assigned id 5.

Attempt to delete token using DELETE /api/v1/users/evan/tokens/5 as user admin. Nothing is deleted.

Attempt to delete a token in account admin with ID 6 using DELETE /api/v1/users/evan/tokens/6. Token in admin account is deleted even though evan account is specified in path.

The changes in #26234 were done to the GET endpoints, but a line of code in the DELETE endpoint was missed and is using the ctx.Doer.ID instead of ctx.ContextUser.ID on line 196 of routers/api/v1/user/app.go.

Gitea Version

v1.21.0-rc1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker

Database

PostgreSQL
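
The scoping mistake described in the issue above, reduced to a self-contained Go model (an added example, not Gitea's code). The types, the in-memory store and the function names are hypothetical, the data is constructed, and the caller is assumed to be already authorised to act on the account named in the path.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of the bug; all names here are hypothetical, not Gitea's.
type token struct{ ID, OwnerID int64 }
type store struct{ tokens map[int64]token }

var errNotFound = errors.New("token not found")

// deleteByID removes token id only when it belongs to ownerID (owner-scoped delete).
func (s *store) deleteByID(id, ownerID int64) error {
	t, ok := s.tokens[id]
	if !ok || t.OwnerID != ownerID {
		return errNotFound
	}
	delete(s.tokens, id)
	return nil
}

// reqCtx mirrors the two identities in play: who is authenticated (doer)
// and whose account the URL path names (contextUser).
type reqCtx struct{ doerID, contextUserID int64 }

// Before: scopes the delete to the caller, ignoring the account in the path.
func deleteTokenBuggy(s *store, c reqCtx, id int64) error {
	return s.deleteByID(id, c.doerID)
}

// After: scopes the delete to the account named in the path.
func deleteTokenFixed(s *store, c reqCtx, id int64) error {
	return s.deleteByID(id, c.contextUserID)
}

func newStore() *store {
	// Constructed data: token 5 belongs to evan (uid 2), token 6 to admin (uid 1).
	return &store{tokens: map[int64]token{5: {5, 2}, 6: {6, 1}}}
}

func main() {
	c := reqCtx{doerID: 1, contextUserID: 2} // admin calling /users/evan/tokens/{id}
	b, f := newStore(), newStore()
	fmt.Println("buggy:", deleteTokenBuggy(b, c, 5), deleteTokenBuggy(b, c, 6))
	fmt.Println("fixed:", deleteTokenFixed(f, c, 5), deleteTokenFixed(f, c, 6))
}
```

A regression test for this class of bug needs both assertions: the path account's token is removed, and the caller's own token with a different ID survives.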

6543 pushed a commit that referenced this issue Oct 14, 2023
Fixes #27598

In #27080, the logic for the tokens endpoints was updated to allow
admins to create and view tokens in other accounts. However, the same
functionality was not added to the DELETE endpoint. This PR makes the
DELETE endpoint function the same as the other token endpoints and adds unit tests.
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Nov 17, 2023
…itea#27610)

lunny pushed a commit that referenced this issue Nov 17, 2023
…) (#28099)

Backport #27610 by @evantobin

Co-authored-by: Evan Tobin <me@evantob.in>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 29, 2023