go-gitea · silverwind · Sep 18, 2023 · Sep 14, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/tests/integration/api_token_test.go b/tests/integration/api_token_test.go
@@ -40,6 +40,29 @@ func TestAPIDeleteMissingToken(t *testing.T) {
 	MakeRequest(t, req, http.StatusNotFound)
 }
 
+// TestAPIGetTokensPermission ensures that Only admin can create token for other users
+func TestAPIGetTokensPermission(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// admin can get tokens for other users
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+	req := NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusOK)
+
+	// non-admin can get tokens for himself
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusOK)
+
+	// non-admin can't get tokens for other users
+	user = unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 4})
+	req = NewRequestf(t, "GET", "/api/v1/users/user2/tokens")
+	req = AddBasicAuthHeader(req, user.Name)
+	MakeRequest(t, req, http.StatusForbidden)
+}
+
 type permission struct {
 	category auth_model.AccessTokenScopeCategory
 	level    auth_model.AccessTokenScopeLevel