From 3e9c41cfc6ae28edcd0589359015b9aa418822f3 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 13 Oct 2024 16:02:53 +0200
Subject: [PATCH] fix(api): allow api tokens to retrieve the user who created the token
Resolves https://kolaente.dev/vikunja/vikunja/issues/2644
---
 pkg/models/api_routes.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkg/models/api_routes.go b/pkg/models/api_routes.go
index 28609e0e5..18a09e2a6 100644
--- a/pkg/models/api_routes.go
+++ b/pkg/models/api_routes.go
@@ -120,8 +120,7 @@ func CollectRoutesForAPITokenUsage(route echo.Route, middlewares []echo.Middlewa
 routeGroupName, routeParts := getRouteGroupName(route.Path)
- if routeGroupName == "user" ||
- routeGroupName == "tokenTest" ||
+ if routeGroupName == "tokenTest" ||
 routeGroupName == "subscriptions" ||
 routeGroupName == "tokens" ||
 routeGroupName == "*" ||
@@ -230,6 +229,10 @@ func CanDoAPIRoute(c echo.Context, token *APIToken) (can bool) {
 routeGroupName = strings.TrimSuffix(routeGroupName, "_bulk")
+ if routeGroupName == "user" {
+ routeGroupName = "other"
+ }
+
 group, hasGroup := token.Permissions[routeGroupName]
 if !hasGroup {
 group, hasGroup = token.Permissions[routeParts[0]]
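Review bot: Dropping `routeGroupName == "user"` from the skip list in `CollectRoutesForAPITokenUsage` admits every route that resolves to the `user` group, while the commit subject only asks for reading the user who created the token. The filter tests the group name alone, and the rest of the condition and the function body lie outside the hunk, so a narrower check may already exist further down. If it does not, keep the group excluded and let through only the one read route by matching method and path, for example `if routeGroupName == "user" && (route.Method != http.MethodGet || route.Path != "<user-info route path>") { return }` (the path is a placeholder, and this assumes `net/http` is imported in the file). The remap added to `CanDoAPIRoute` in the next hunk has the same group-wide reach.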
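Review bot: The `user` to `other` remap added in `CanDoAPIRoute` carries no comment, although it is the only place in this authorization check that ties the two group names together. A reader cannot tell from the two string literals that it is meant to cover a single read-only route. If that is the intent, say so above the `if`, for example `// The token's own user is granted through the "other" permission group; no other user route is meant to be reachable with an API token.` Because the condition tests only the group name, denying the remaining `user` routes depends on the permission lookup that follows, which continues outside the hunk. A test asserting that a token holding `other` is rejected on a non-GET `user` route would pin that behaviour down.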