From a13ea44f1d59880fe343f11f6ad2ee6c4cd8de27 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Tue, 18 Apr 2023 14:33:17 -0400
Subject: [PATCH 1/4] Don't require token for `GET /orgs`

---
 routers/api/v1/api.go | 2 +-
 tests/integration/api_org_test.go | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 9510b17e2df0d..971b245701fae 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -1200,7 +1200,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 				m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
 			}, context_service.UserAssignmentAPI())
 			m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
-			m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)
+			m.Get("/orgs", org.GetAll)
 			m.Group("/orgs/{org}", func() {
 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
 					Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
diff --git a/tests/integration/api_org_test.go b/tests/integration/api_org_test.go
index 84166861a727e..7cadefd274902 100644
--- a/tests/integration/api_org_test.go
+++ b/tests/integration/api_org_test.go
@@ -144,9 +144,7 @@ func TestAPIOrgDeny(t *testing.T) {
 func TestAPIGetAll(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
-
-	req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
+	req := NewRequestf(t, "GET", "/api/v1/orgs") // token not required
 	resp := MakeRequest(t, req, http.StatusOK)
 
 	var apiOrgList []*api.Organization

From 6ce50dd64426235ffe501ed1da5cd446f1adbb10 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Tue, 18 Apr 2023 15:06:37 -0400
Subject: [PATCH 2/4] Test non-public orgs

---
 tests/integration/api_org_test.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
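Review bot: Dropping `reqToken(auth_model.AccessTokenScopeReadOrg)` from `m.Get("/orgs", org.GetAll)` removes the only scope-bearing middleware visible on this route, so a request that authenticates with an access token lacking the read:org scope is presumably no longer rejected but served as that token's user, and if `org.GetAll` filters by `ctx.Doer` it will hand back that user's non-public orgs — a scope-restricted token reaching data it was never granted. Allowing anonymous callers is reasonable, but scope enforcement should survive it: a middleware that rejects a present token without `AccessTokenScopeReadOrg` and otherwise falls through to the handler, rather than no check at all. A comment at the call site would also make the new contract explicit: `// anonymous access allowed; org.GetAll must restrict results to orgs visible to ctx.Doer`. `func Routes` begins and ends outside the hunk.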
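Review bot: `NewRequestf(t, "GET", "/api/v1/orgs")` passes a constant format string with no arguments; `NewRequest(t, "GET", "/api/v1/orgs")` is the matching helper and avoids a pointless format pass. With the token gone the request is anonymous, but the assertions that follow `var apiOrgList` lie outside the hunk and were written for an authenticated listing, so as changed the test presumably verifies nothing about which orgs an anonymous caller receives beyond the 200. `TestAPIGetAll` ends outside the hunk.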
diff --git a/tests/integration/api_org_test.go b/tests/integration/api_org_test.go
index 7cadefd274902..95498e0210c33 100644
--- a/tests/integration/api_org_test.go
+++ b/tests/integration/api_org_test.go
@@ -144,16 +144,26 @@ func TestAPIOrgDeny(t *testing.T) {
 func TestAPIGetAll(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
-	req := NewRequestf(t, "GET", "/api/v1/orgs") // token not required
-	resp := MakeRequest(t, req, http.StatusOK)
+	token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
 
+	// accessing with a token will return all orgs
+	req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
+	resp := MakeRequest(t, req, http.StatusOK)
 	var apiOrgList []*api.Organization
-	DecodeJSON(t, resp, &apiOrgList)
 
-	// accessing with a token will return all orgs
+	DecodeJSON(t, resp, &apiOrgList)
 	assert.Len(t, apiOrgList, 9)
 	assert.Equal(t, "org25", apiOrgList[1].FullName)
 	assert.Equal(t, "public", apiOrgList[1].Visibility)
+
+	// accessing without a token will return only public orgs
+	req = NewRequestf(t, "GET", "/api/v1/orgs")
+	resp = MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &apiOrgList)
+	assert.Len(t, apiOrgList, 7)
+	assert.Equal(t, "org25", apiOrgList[0].FullName)
+	assert.Equal(t, "public", apiOrgList[0].Visibility)
 }
 
 func TestAPIOrgSearchEmptyTeam(t *testing.T) {

From b6081a56d2fdf6146508eb73335ebe790d519533 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Tue, 18 Apr 2023 19:13:57 -0400
Subject: [PATCH 3/4] Fix more token issue

---
 routers/api/v1/api.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 971b245701fae..82a5972ab909a 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
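Review bot: The anonymous branch asserts `"public"` only for `apiOrgList[0]` plus a fixture-bound length of 7, so a non-public org leaking at any other index would go unnoticed whenever the count still happens to match; assert the property the route change actually depends on over every element: `for _, o := range apiOrgList { assert.Equal(t, "public", o.Visibility) }`. `apiOrgList` is also reused for the second `DecodeJSON`: `json.Unmarshal` resets the slice length but reuses existing element pointers within capacity, so a field absent from the anonymous response could be masked by the value decoded from the authenticated one — declare a fresh `var anonOrgList []*api.Organization` for the second decode. `NewRequestf(t, "GET", "/api/v1/orgs")` has no format arguments and can be `NewRequest`.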
@@ -1202,10 +1202,10 @@ func Routes(ctx gocontext.Context) *web.Route {
 			m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
 			m.Get("/orgs", org.GetAll)
 			m.Group("/orgs/{org}", func() {
-				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
+				m.Combo("").Get(org.Get).
 					Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
-				m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).
+				m.Combo("/repos").Get(user.ListOrgRepos).
 					Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
 				m.Group("/members", func() {
 					m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
@@ -1213,8 +1213,8 @@ func Routes(ctx gocontext.Context) *web.Route {
 						Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
 				})
 				m.Group("/public_members", func() {
-					m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)
-					m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).
+					m.Get("", org.ListPublicMembers)
+					m.Combo("/{username}").Get(org.IsPublicMember).
 						Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
 						Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
 				})
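Review bot: With `reqToken` gone from `m.Combo("").Get(org.Get)` and `m.Combo("/repos").Get(user.ListOrgRepos)`, nothing in this hunk hides a non-public org from anonymous callers; that 404 must now come from the `m.Group("/orgs/{org}", …)` middleware, whose argument list closes outside the hunk, or from the handlers themselves, which is worth confirming and recording, e.g. `// no reqToken: visibility of non-public orgs is enforced by the group's org-assignment middleware` above `m.Combo("")`. The removal also drops the scope check that `reqToken(auth_model.AccessTokenScopeReadOrg)` carried, so a token lacking read:org is presumably now served as its user rather than rejected; a middleware that enforces the scope only when a token is present would keep that guarantee while still allowing anonymous reads. The asymmetry that `m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)` on the last line still requires a token while `/repos` does not is defensible but deserves a one-line comment. `func Routes` begins and ends outside the hunk.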
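Review bot: `m.Combo("/{username}").Get(org.IsPublicMember)` now answers per-user membership questions to unauthenticated callers, which is harmless for a public org but lets anyone enumerate public members of a limited or private org unless the org-visibility gate runs first; that gate is not in this hunk (the `/orgs/{org}` group's middleware closes outside it), so confirm it applies to anonymous requests and yields 404 rather than 403 so the org's existence is not confirmed. A comment on `m.Group("/public_members", func() {` such as `// anonymous reads allowed; org visibility is checked by the enclosing group` would record the dependency the removed checks used to make implicit. `func Routes` begins and ends outside the hunk.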
@@ -1224,7 +1224,7 @@ func Routes(ctx gocontext.Context) *web.Route {
 					m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)
 				}, reqOrgMembership())
 				m.Group("/labels", func() {
-					m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)
+					m.Get("", org.ListLabels)
 					m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
 					m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
 						Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

From a30375869aeeff0f72f7bf8306f3673bb11d2d53 Mon Sep 17 00:00:00 2001
From: harryzcy
Date: Wed, 19 Apr 2023 20:33:11 -0400
Subject: [PATCH 4/4] Update integration tests

---
 tests/integration/api_org_test.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/tests/integration/api_org_test.go b/tests/integration/api_org_test.go
index 95498e0210c33..67ba0de0f81fc 100644
--- a/tests/integration/api_org_test.go
+++ b/tests/integration/api_org_test.go
@@ -127,16 +127,14 @@ func TestAPIOrgDeny(t *testing.T) {
 			setting.Service.RequireSignInView = false
 		}()
 
-		token := getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg)
-
 		orgName := "user1_org"
-		req := NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, token)
+		req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", orgName, token)
+		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", orgName)
 		MakeRequest(t, req, http.StatusNotFound)
 
-		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", orgName, token)
+		req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", orgName)
 		MakeRequest(t, req, http.StatusNotFound)
 	})
 }
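Review bot: `m.Get("", org.ListLabels)` becomes anonymous while `m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel)` two lines below still demands a token, so the full label list is readable without credentials but a single label from that same list is not — an inconsistency API clients will trip over. Either apply the same treatment, `m.Combo("/{id}").Get(org.GetLabel).`, or leave a comment explaining why the two differ. As with the other reads made anonymous here, hiding a non-public org's labels now rests on the enclosing `/orgs/{org}` group's middleware, which is outside this hunk. `func Routes` begins and ends outside the hunk.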
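Review bot: All three requests now run without credentials while `RequireSignInView` is presumably enabled above the hunk (the deferred reset to `false` on the first line implies it), so a 404 may be produced by whatever the API does for unauthenticated callers under that setting and no longer proves that a private org is hidden from an authenticated non-member — the case the removed `token` requests covered. Keep the anonymous requests but restore one authenticated probe, e.g. `req = NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, getUserToken(t, "user1", auth_model.AccessTokenScopeReadOrg))` expecting `http.StatusNotFound`, so both gates stay exercised. For `/members`, which still carries `reqToken` on its route, a 404 without a token cannot distinguish "org not visible" from "authentication required", so that assertion is weaker than it looks. `TestAPIOrgDeny` begins outside the hunk.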