mirror of
1
Fork 0

Use handlers for API authorization (#723)

This commit is contained in:
Ethan Koenig 2017-01-26 06:54:04 -05:00 committed by Lunny Xiao
parent 067ae5d96e
commit d1b5498cc0
5 changed files with 100 additions and 131 deletions

View File

@ -1,52 +0,0 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package admin
import (
"code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/context"
)
// GetRepositoryByParams api for getting repository by orgnizition ID and repo name
func GetRepositoryByParams(ctx *context.APIContext) *models.Repository {
repo, err := models.GetRepositoryByName(ctx.Org.Team.OrgID, ctx.Params(":reponame"))
if err != nil {
if models.IsErrRepoNotExist(err) {
ctx.Status(404)
} else {
ctx.Error(500, "GetRepositoryByName", err)
}
return nil
}
return repo
}
// AddTeamRepository api for adding a repository to a team
func AddTeamRepository(ctx *context.APIContext) {
repo := GetRepositoryByParams(ctx)
if ctx.Written() {
return
}
if err := ctx.Org.Team.AddRepository(repo); err != nil {
ctx.Error(500, "AddRepository", err)
return
}
ctx.Status(204)
}
// RemoveTeamRepository api for removing a repository from a team
func RemoveTeamRepository(ctx *context.APIContext) {
repo := GetRepositoryByParams(ctx)
if ctx.Written() {
return
}
if err := ctx.Org.Team.RemoveRepository(repo.ID); err != nil {
ctx.Error(500, "RemoveRepository", err)
return
}
ctx.Status(204)
}

View File

@ -132,7 +132,11 @@ func reqOrgMembership() macaron.Handler {
} }
if !models.IsOrganizationMember(orgID, ctx.User.ID) { if !models.IsOrganizationMember(orgID, ctx.User.ID) {
if ctx.Org.Organization != nil {
ctx.Error(403, "", "Must be an organization member") ctx.Error(403, "", "Must be an organization member")
} else {
ctx.Status(404)
}
return return
} }
} }
@ -151,7 +155,11 @@ func reqOrgOwnership() macaron.Handler {
} }
if !models.IsOrganizationOwner(orgID, ctx.User.ID) { if !models.IsOrganizationOwner(orgID, ctx.User.ID) {
ctx.Error(403, "", "Must be an organization member") if ctx.Org.Organization != nil {
ctx.Error(403, "", "Must be an organization owner")
} else {
ctx.Status(404)
}
return return
} }
} }
@ -394,18 +402,20 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Get("/user/orgs", reqToken(), org.ListMyOrgs) m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
m.Get("/users/:username/orgs", org.ListUserOrgs) m.Get("/users/:username/orgs", org.ListUserOrgs)
m.Group("/orgs/:orgname", func() { m.Group("/orgs/:orgname", func() {
m.Combo("").Get(org.Get).Patch(bind(api.EditOrgOption{}), org.Edit) m.Combo("").Get(org.Get).
Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
m.Group("/members", func() { m.Group("/members", func() {
m.Get("", org.ListMembers) m.Get("", org.ListMembers)
m.Combo("/:username").Get(org.IsMember).Delete(org.DeleteMember) m.Combo("/:username").Get(org.IsMember).
Delete(reqOrgOwnership(), org.DeleteMember)
}) })
m.Group("/public_members", func() { m.Group("/public_members", func() {
m.Get("", org.ListPublicMembers) m.Get("", org.ListPublicMembers)
m.Combo("/:username").Get(org.IsPublicMember). m.Combo("/:username").Get(org.IsPublicMember).
Put(org.PublicizeMember). Put(reqOrgMembership(), org.PublicizeMember).
Delete(org.ConcealMember) Delete(reqOrgMembership(), org.ConcealMember)
}) })
m.Combo("/teams").Get(org.ListTeams). m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams).
Post(bind(api.CreateTeamOption{}), org.CreateTeam) Post(bind(api.CreateTeamOption{}), org.CreateTeam)
m.Group("/hooks", func() { m.Group("/hooks", func() {
m.Combo("").Get(org.ListHooks). m.Combo("").Get(org.ListHooks).
@ -417,19 +427,21 @@ func RegisterRoutes(m *macaron.Macaron) {
}, orgAssignment(true)) }, orgAssignment(true))
m.Group("/teams/:teamid", func() { m.Group("/teams/:teamid", func() {
m.Combo("").Get(org.GetTeam). m.Combo("").Get(org.GetTeam).
Patch(bind(api.EditTeamOption{}), org.EditTeam). Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).
Delete(org.DeleteTeam) Delete(reqOrgOwnership(), org.DeleteTeam)
m.Group("/members", func() { m.Group("/members", func() {
m.Get("", org.GetTeamMembers) m.Get("", org.GetTeamMembers)
m.Combo("/:username").Put(org.AddTeamMember). m.Combo("/:username").
Delete(org.RemoveTeamMember) Put(reqOrgOwnership(), org.AddTeamMember).
Delete(reqOrgOwnership(), org.RemoveTeamMember)
}) })
m.Group("/repos", func() { m.Group("/repos", func() {
m.Get("", org.GetTeamRepos) m.Get("", org.GetTeamRepos)
m.Combo("/:reponame").Put(admin.AddTeamRepository). m.Combo(":orgname/:reponame").
Delete(admin.RemoveTeamRepository) Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository)
}) })
}, orgAssignment(false, true)) }, reqOrgMembership(), orgAssignment(false, true))
m.Any("/*", func(ctx *context.Context) { m.Any("/*", func(ctx *context.Context) {
ctx.Error(404) ctx.Error(404)

View File

@ -97,9 +97,6 @@ func PublicizeMember(ctx *context.APIContext) {
if userToPublicize.ID != ctx.User.ID { if userToPublicize.ID != ctx.User.ID {
ctx.Error(403, "", "Cannot publicize another member") ctx.Error(403, "", "Cannot publicize another member")
return return
} else if !ctx.Org.Organization.IsOrgMember(userToPublicize.ID) {
ctx.Error(403, "", "Must be a member of the organization")
return
} }
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToPublicize.ID, true) err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToPublicize.ID, true)
if err != nil { if err != nil {
@ -115,9 +112,6 @@ func ConcealMember(ctx *context.APIContext) {
if userToConceal.ID != ctx.User.ID { if userToConceal.ID != ctx.User.ID {
ctx.Error(403, "", "Cannot conceal another member") ctx.Error(403, "", "Cannot conceal another member")
return return
} else if !ctx.Org.Organization.IsOrgMember(userToConceal.ID) {
ctx.Error(403, "", "Must be a member of the organization")
return
} }
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToConceal.ID, false) err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToConceal.ID, false)
if err != nil { if err != nil {
@ -130,11 +124,8 @@ func ConcealMember(ctx *context.APIContext) {
// DeleteMember remove a member from an organization // DeleteMember remove a member from an organization
func DeleteMember(ctx *context.APIContext) { func DeleteMember(ctx *context.APIContext) {
org := ctx.Org.Organization org := ctx.Org.Organization
if !org.IsOwnedBy(ctx.User.ID) { memberID := user.GetUserByParams(ctx).ID
ctx.Error(403, "", "You must be an owner of the organization.") if err := org.RemoveMember(memberID); err != nil {
return
}
if err := org.RemoveMember(user.GetUserByParams(ctx).ID); err != nil {
ctx.Error(500, "RemoveMember", err) ctx.Error(500, "RemoveMember", err)
} }
ctx.Status(204) ctx.Status(204)

View File

@ -52,11 +52,6 @@ func Get(ctx *context.APIContext) {
// see https://github.com/gogits/go-gogs-client/wiki/Organizations#edit-an-organization // see https://github.com/gogits/go-gogs-client/wiki/Organizations#edit-an-organization
func Edit(ctx *context.APIContext, form api.EditOrgOption) { func Edit(ctx *context.APIContext, form api.EditOrgOption) {
org := ctx.Org.Organization org := ctx.Org.Organization
if !org.IsOwnedBy(ctx.User.ID) {
ctx.Status(403)
return
}
org.FullName = form.FullName org.FullName = form.FullName
org.Description = form.Description org.Description = form.Description
org.Website = form.Website org.Website = form.Website

View File

@ -16,10 +16,6 @@ import (
// ListTeams list all the teams of an organization // ListTeams list all the teams of an organization
func ListTeams(ctx *context.APIContext) { func ListTeams(ctx *context.APIContext) {
org := ctx.Org.Organization org := ctx.Org.Organization
if !org.IsOrgMember(ctx.User.ID) {
ctx.Error(403, "", "Must be a member of the organization")
return
}
if err := org.GetTeams(); err != nil { if err := org.GetTeams(); err != nil {
ctx.Error(500, "GetTeams", err) ctx.Error(500, "GetTeams", err)
return return
@ -34,40 +30,11 @@ func ListTeams(ctx *context.APIContext) {
// GetTeam api for get a team // GetTeam api for get a team
func GetTeam(ctx *context.APIContext) { func GetTeam(ctx *context.APIContext) {
if !models.IsOrganizationMember(ctx.Org.Team.OrgID, ctx.User.ID) {
ctx.Status(404)
return
}
ctx.JSON(200, convert.ToTeam(ctx.Org.Team)) ctx.JSON(200, convert.ToTeam(ctx.Org.Team))
} }
// GetTeamRepos api for get a team's repos
func GetTeamRepos(ctx *context.APIContext) {
team := ctx.Org.Team
if !models.IsOrganizationMember(team.OrgID, ctx.User.ID) {
ctx.Status(404)
return
}
if err := team.GetRepositories(); err != nil {
ctx.Error(500, "GetTeamRepos", err)
}
repos := make([]*api.Repository, len(team.Repos))
for i, repo := range team.Repos {
access, err := models.AccessLevel(ctx.User, repo)
if err != nil {
ctx.Error(500, "GetTeamRepos", err)
return
}
repos[i] = repo.APIFormat(access)
}
ctx.JSON(200, repos)
}
// CreateTeam api for create a team // CreateTeam api for create a team
func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) { func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
if !ctx.Org.Organization.IsOrgMember(ctx.User.ID) {
ctx.Error(403, "", "Must be an organization member")
}
team := &models.Team{ team := &models.Team{
OrgID: ctx.Org.Organization.ID, OrgID: ctx.Org.Organization.ID,
Name: form.Name, Name: form.Name,
@ -88,10 +55,6 @@ func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
// EditTeam api for edit a team // EditTeam api for edit a team
func EditTeam(ctx *context.APIContext, form api.EditTeamOption) { func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
ctx.Error(403, "", "Must be an organization owner")
return
}
team := &models.Team{ team := &models.Team{
ID: ctx.Org.Team.ID, ID: ctx.Org.Team.ID,
OrgID: ctx.Org.Team.OrgID, OrgID: ctx.Org.Team.OrgID,
@ -108,10 +71,6 @@ func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
// DeleteTeam api for delete a team // DeleteTeam api for delete a team
func DeleteTeam(ctx *context.APIContext) { func DeleteTeam(ctx *context.APIContext) {
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
ctx.Error(403, "", "Must be an organization owner")
return
}
if err := models.DeleteTeam(ctx.Org.Team); err != nil { if err := models.DeleteTeam(ctx.Org.Team); err != nil {
ctx.Error(500, "DeleteTeam", err) ctx.Error(500, "DeleteTeam", err)
return return
@ -139,10 +98,6 @@ func GetTeamMembers(ctx *context.APIContext) {
// AddTeamMember api for add a member to a team // AddTeamMember api for add a member to a team
func AddTeamMember(ctx *context.APIContext) { func AddTeamMember(ctx *context.APIContext) {
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
ctx.Error(403, "", "Must be an organization owner")
return
}
u := user.GetUserByParams(ctx) u := user.GetUserByParams(ctx)
if ctx.Written() { if ctx.Written() {
return return
@ -156,10 +111,6 @@ func AddTeamMember(ctx *context.APIContext) {
// RemoveTeamMember api for remove one member from a team // RemoveTeamMember api for remove one member from a team
func RemoveTeamMember(ctx *context.APIContext) { func RemoveTeamMember(ctx *context.APIContext) {
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
ctx.Error(403, "", "Must be an organization owner")
return
}
u := user.GetUserByParams(ctx) u := user.GetUserByParams(ctx)
if ctx.Written() { if ctx.Written() {
return return
@ -171,3 +122,75 @@ func RemoveTeamMember(ctx *context.APIContext) {
} }
ctx.Status(204) ctx.Status(204)
} }
// GetTeamRepos api for get a team's repos
func GetTeamRepos(ctx *context.APIContext) {
team := ctx.Org.Team
if err := team.GetRepositories(); err != nil {
ctx.Error(500, "GetTeamRepos", err)
}
repos := make([]*api.Repository, len(team.Repos))
for i, repo := range team.Repos {
access, err := models.AccessLevel(ctx.User, repo)
if err != nil {
ctx.Error(500, "GetTeamRepos", err)
return
}
repos[i] = repo.APIFormat(access)
}
ctx.JSON(200, repos)
}
// getRepositoryByParams get repository by a team's organization ID and repo name
func getRepositoryByParams(ctx *context.APIContext) *models.Repository {
repo, err := models.GetRepositoryByName(ctx.Org.Team.OrgID, ctx.Params(":reponame"))
if err != nil {
if models.IsErrRepoNotExist(err) {
ctx.Status(404)
} else {
ctx.Error(500, "GetRepositoryByName", err)
}
return nil
}
return repo
}
// AddTeamRepository api for adding a repository to a team
func AddTeamRepository(ctx *context.APIContext) {
repo := getRepositoryByParams(ctx)
if ctx.Written() {
return
}
if access, err := models.AccessLevel(ctx.User, repo); err != nil {
ctx.Error(500, "AccessLevel", err)
return
} else if access < models.AccessModeAdmin {
ctx.Error(403, "", "Must have admin-level access to the repository")
return
}
if err := ctx.Org.Team.AddRepository(repo); err != nil {
ctx.Error(500, "AddRepository", err)
return
}
ctx.Status(204)
}
// RemoveTeamRepository api for removing a repository from a team
func RemoveTeamRepository(ctx *context.APIContext) {
repo := getRepositoryByParams(ctx)
if ctx.Written() {
return
}
if access, err := models.AccessLevel(ctx.User, repo); err != nil {
ctx.Error(500, "AccessLevel", err)
return
} else if access < models.AccessModeAdmin {
ctx.Error(403, "", "Must have admin-level access to the repository")
return
}
if err := ctx.Org.Team.RemoveRepository(repo.ID); err != nil {
ctx.Error(500, "RemoveRepository", err)
return
}
ctx.Status(204)
}