From 2d9c8a3af2c424e62ccc0ec9efd4f30052acd077 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Fri, 18 Jun 2021 21:00:29 +0100
Subject: [PATCH 1/3] reqOrgMembership calls need to be preceded by reqToken

Fix #16192

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 routers/api/v1/api.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 34cf80e0721c3..2cb9c44efa748 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -992,7 +992,7 @@ func Routes() *web.Route {
 				m.Combo("", reqToken()).Get(org.ListTeams).
 					Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
 				m.Get("/search", org.SearchTeam)
-			}, reqOrgMembership())
+			}, reqToken(), reqOrgMembership())
 			m.Group("/labels", func() {
 				m.Get("", org.ListLabels)
 				m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

From df2a41b2da72b70bb2782aaadfb0cd72aa538d12 Mon Sep 17 00:00:00 2001
From: Andrew Thornton <art27@cantab.net>
Date: Sun, 20 Jun 2021 21:00:33 +0100
Subject: [PATCH 2/3] Add csrf to TestAPITeamSearch

Signed-off-by: Andrew Thornton <art27@cantab.net>
---
 integrations/api_team_test.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index 8b202862a159c..0b77dc3be700b 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -144,7 +144,9 @@ func TestAPITeamSearch(t *testing.T) {
 	var results TeamSearchResults
 
 	session := loginUser(t, user.Name)
+	csrf := GetCSRF(t, session, "/"+org.Name)
 	req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "_team")
+	req.Header.Add("X-Csrf-Token", csrf)
 	resp := session.MakeRequest(t, req, http.StatusOK)
 	DecodeJSON(t, resp, &results)
 	assert.NotEmpty(t, results.Data)
@@ -154,7 +156,9 @@ func TestAPITeamSearch(t *testing.T) {
 	// no access if not organization member
 	user5 := models.AssertExistsAndLoadBean(t, &models.User{ID: 5}).(*models.User)
 	session = loginUser(t, user5.Name)
+	csrf = GetCSRF(t, session, "/"+org.Name)
 	req = NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s", org.Name, "team")
+	req.Header.Add("X-Csrf-Token", csrf)
 	resp = session.MakeRequest(t, req, http.StatusForbidden)
 
 }

From 1918cc776d7b1571c688127b9f059c108029a3b8 Mon Sep 17 00:00:00 2001
From: zeripath <art27@cantab.net>
Date: Mon, 21 Jun 2021 09:36:08 +0100
Subject: [PATCH 3/3] Apply suggestions from code review

Co-authored-by: 6543 <6543@obermui.de>
---
 routers/api/v1/api.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 2cb9c44efa748..9efc2af2441fa 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -989,8 +989,8 @@ func Routes() *web.Route {
 					Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
 			})
 			m.Group("/teams", func() {
-				m.Combo("", reqToken()).Get(org.ListTeams).
-					Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
+				m.Get("", org.ListTeams)
+				m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
 				m.Get("/search", org.SearchTeam)
 			}, reqToken(), reqOrgMembership())
 			m.Group("/labels", func() {