third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix team members API (#6714)

Browse Source
tokarchuk/v1.17
Lunny Xiao 6 years ago committed by techknowlogick
parent e0172f0db7
commit 59be704efb
2 changed files with 51 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 13
      integrations/api_team_test.go
  2. 39
      routers/api/v1/api.go

13
integrations/api_team_test.go
Unescape View File

@ -16,6 +16,7 @@ import (
func TestAPITeam(t *testing.T) {
prepareTestEnv(t)
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
DecodeJSON(t, resp, &apiTeam)
assert.EqualValues(t, team.ID, apiTeam.ID)
assert.Equal(t, team.Name, apiTeam.Name)
// non team member user will not access the teams details
teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
session = loginUser(t, user2.Name)
token = getTokenForLoggedInUser(t, session)
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusForbidden)
req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusUnauthorized)
}

39
routers/api/v1/api.go
Unescape View File

@ -286,6 +286,43 @@ func reqOrgOwnership() macaron.Handler {
}
}
// reqTeamMembership user should be an team member, or a site admin
func reqTeamMembership() macaron.Handler {
return func(ctx *context.APIContext) {
if ctx.Context.IsUserSiteAdmin() {
return
}
if ctx.Org.Team == nil {
ctx.Error(500, "", "reqTeamMembership: unprepared context")
return
}
var orgID = ctx.Org.Team.OrgID
isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationOwner", err)
return
} else if isOwner {
return
}
if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {
ctx.Error(500, "IsTeamMember", err)
return
} else if !isTeamMember {
isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationMember", err)
} else if isOrgMember {
ctx.Error(403, "", "Must be a team member")
} else {
ctx.NotFound()
}
return
}
}
}
// reqOrgMembership user should be an organization member, or a site admin
func reqOrgMembership() macaron.Handler {
return func(ctx *context.APIContext) {
@ -775,7 +812,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository)
})
}, orgAssignment(false, true), reqToken(), reqOrgMembership())
}, orgAssignment(false, true), reqToken(), reqTeamMembership())
m.Any("/*", func(ctx *context.APIContext) {
ctx.NotFound()

Write Preview
Loading…
Cancel
Save