Fix token endpoints ignore specified account (#27080)

Fix #26234 close #26323 close #27040 --------- Co-authored-by: silverwind <me@silverwind.io>
2023-09-18 08:21:15 +08:00 · 2023-09-18 08:21:15 +08:00 · f93ee5937b
commit f93ee5937b
parent 8531ca0837
4 changed files with 52 additions and 4 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -367,6 +367,16 @@ func reqOwner() func(ctx *context.APIContext) {
 	}
 }

+// reqSelfOrAdmin doer should be the same as the contextUser or site admin
+func reqSelfOrAdmin() func(ctx *context.APIContext) {
+	return func(ctx *context.APIContext) {
+		if !ctx.IsUserSiteAdmin() && ctx.ContextUser != ctx.Doer {
+			ctx.Error(http.StatusForbidden, "reqSelfOrAdmin", "doer should be the site admin or be same as the contextUser")
+			return
+		}
+	}
+}
+
 // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin
 func reqAdmin() func(ctx *context.APIContext) {
 	return func(ctx *context.APIContext) {
@ -910,7 +920,7 @@ func Routes() *web.Route {
 					m.Combo("").Get(user.ListAccessTokens).
 						Post(bind(api.CreateAccessTokenOption{}), reqToken(), user.CreateAccessToken)
 					m.Combo("/{id}").Delete(reqToken(), user.DeleteAccessToken)
-				}, reqBasicOrRevProxyAuth())
+				}, reqSelfOrAdmin(), reqBasicOrRevProxyAuth())

 				m.Get("/activities/feeds", user.ListUserActivityFeeds)
 			}, context_service.UserAssignmentAPI())