mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-21 12:44:49 -05:00
Use handlers for API authorization (#723)
This commit is contained in:
parent
067ae5d96e
commit
d1b5498cc0
5 changed files with 100 additions and 131 deletions
|
@ -1,52 +0,0 @@
|
||||||
// Copyright 2016 The Gogs Authors. All rights reserved.
|
|
||||||
// Use of this source code is governed by a MIT-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package admin
|
|
||||||
|
|
||||||
import (
|
|
||||||
"code.gitea.io/gitea/models"
|
|
||||||
"code.gitea.io/gitea/modules/context"
|
|
||||||
)
|
|
||||||
|
|
||||||
// GetRepositoryByParams api for getting repository by orgnizition ID and repo name
|
|
||||||
func GetRepositoryByParams(ctx *context.APIContext) *models.Repository {
|
|
||||||
repo, err := models.GetRepositoryByName(ctx.Org.Team.OrgID, ctx.Params(":reponame"))
|
|
||||||
if err != nil {
|
|
||||||
if models.IsErrRepoNotExist(err) {
|
|
||||||
ctx.Status(404)
|
|
||||||
} else {
|
|
||||||
ctx.Error(500, "GetRepositoryByName", err)
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
return repo
|
|
||||||
}
|
|
||||||
|
|
||||||
// AddTeamRepository api for adding a repository to a team
|
|
||||||
func AddTeamRepository(ctx *context.APIContext) {
|
|
||||||
repo := GetRepositoryByParams(ctx)
|
|
||||||
if ctx.Written() {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := ctx.Org.Team.AddRepository(repo); err != nil {
|
|
||||||
ctx.Error(500, "AddRepository", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx.Status(204)
|
|
||||||
}
|
|
||||||
|
|
||||||
// RemoveTeamRepository api for removing a repository from a team
|
|
||||||
func RemoveTeamRepository(ctx *context.APIContext) {
|
|
||||||
repo := GetRepositoryByParams(ctx)
|
|
||||||
if ctx.Written() {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := ctx.Org.Team.RemoveRepository(repo.ID); err != nil {
|
|
||||||
ctx.Error(500, "RemoveRepository", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
ctx.Status(204)
|
|
||||||
}
|
|
|
@ -132,7 +132,11 @@ func reqOrgMembership() macaron.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !models.IsOrganizationMember(orgID, ctx.User.ID) {
|
if !models.IsOrganizationMember(orgID, ctx.User.ID) {
|
||||||
ctx.Error(403, "", "Must be an organization member")
|
if ctx.Org.Organization != nil {
|
||||||
|
ctx.Error(403, "", "Must be an organization member")
|
||||||
|
} else {
|
||||||
|
ctx.Status(404)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -151,7 +155,11 @@ func reqOrgOwnership() macaron.Handler {
|
||||||
}
|
}
|
||||||
|
|
||||||
if !models.IsOrganizationOwner(orgID, ctx.User.ID) {
|
if !models.IsOrganizationOwner(orgID, ctx.User.ID) {
|
||||||
ctx.Error(403, "", "Must be an organization member")
|
if ctx.Org.Organization != nil {
|
||||||
|
ctx.Error(403, "", "Must be an organization owner")
|
||||||
|
} else {
|
||||||
|
ctx.Status(404)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -394,18 +402,20 @@ func RegisterRoutes(m *macaron.Macaron) {
|
||||||
m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
|
m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
|
||||||
m.Get("/users/:username/orgs", org.ListUserOrgs)
|
m.Get("/users/:username/orgs", org.ListUserOrgs)
|
||||||
m.Group("/orgs/:orgname", func() {
|
m.Group("/orgs/:orgname", func() {
|
||||||
m.Combo("").Get(org.Get).Patch(bind(api.EditOrgOption{}), org.Edit)
|
m.Combo("").Get(org.Get).
|
||||||
|
Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
|
||||||
m.Group("/members", func() {
|
m.Group("/members", func() {
|
||||||
m.Get("", org.ListMembers)
|
m.Get("", org.ListMembers)
|
||||||
m.Combo("/:username").Get(org.IsMember).Delete(org.DeleteMember)
|
m.Combo("/:username").Get(org.IsMember).
|
||||||
|
Delete(reqOrgOwnership(), org.DeleteMember)
|
||||||
})
|
})
|
||||||
m.Group("/public_members", func() {
|
m.Group("/public_members", func() {
|
||||||
m.Get("", org.ListPublicMembers)
|
m.Get("", org.ListPublicMembers)
|
||||||
m.Combo("/:username").Get(org.IsPublicMember).
|
m.Combo("/:username").Get(org.IsPublicMember).
|
||||||
Put(org.PublicizeMember).
|
Put(reqOrgMembership(), org.PublicizeMember).
|
||||||
Delete(org.ConcealMember)
|
Delete(reqOrgMembership(), org.ConcealMember)
|
||||||
})
|
})
|
||||||
m.Combo("/teams").Get(org.ListTeams).
|
m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams).
|
||||||
Post(bind(api.CreateTeamOption{}), org.CreateTeam)
|
Post(bind(api.CreateTeamOption{}), org.CreateTeam)
|
||||||
m.Group("/hooks", func() {
|
m.Group("/hooks", func() {
|
||||||
m.Combo("").Get(org.ListHooks).
|
m.Combo("").Get(org.ListHooks).
|
||||||
|
@ -417,19 +427,21 @@ func RegisterRoutes(m *macaron.Macaron) {
|
||||||
}, orgAssignment(true))
|
}, orgAssignment(true))
|
||||||
m.Group("/teams/:teamid", func() {
|
m.Group("/teams/:teamid", func() {
|
||||||
m.Combo("").Get(org.GetTeam).
|
m.Combo("").Get(org.GetTeam).
|
||||||
Patch(bind(api.EditTeamOption{}), org.EditTeam).
|
Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).
|
||||||
Delete(org.DeleteTeam)
|
Delete(reqOrgOwnership(), org.DeleteTeam)
|
||||||
m.Group("/members", func() {
|
m.Group("/members", func() {
|
||||||
m.Get("", org.GetTeamMembers)
|
m.Get("", org.GetTeamMembers)
|
||||||
m.Combo("/:username").Put(org.AddTeamMember).
|
m.Combo("/:username").
|
||||||
Delete(org.RemoveTeamMember)
|
Put(reqOrgOwnership(), org.AddTeamMember).
|
||||||
|
Delete(reqOrgOwnership(), org.RemoveTeamMember)
|
||||||
})
|
})
|
||||||
m.Group("/repos", func() {
|
m.Group("/repos", func() {
|
||||||
m.Get("", org.GetTeamRepos)
|
m.Get("", org.GetTeamRepos)
|
||||||
m.Combo("/:reponame").Put(admin.AddTeamRepository).
|
m.Combo(":orgname/:reponame").
|
||||||
Delete(admin.RemoveTeamRepository)
|
Put(org.AddTeamRepository).
|
||||||
|
Delete(org.RemoveTeamRepository)
|
||||||
})
|
})
|
||||||
}, orgAssignment(false, true))
|
}, reqOrgMembership(), orgAssignment(false, true))
|
||||||
|
|
||||||
m.Any("/*", func(ctx *context.Context) {
|
m.Any("/*", func(ctx *context.Context) {
|
||||||
ctx.Error(404)
|
ctx.Error(404)
|
||||||
|
|
|
@ -97,9 +97,6 @@ func PublicizeMember(ctx *context.APIContext) {
|
||||||
if userToPublicize.ID != ctx.User.ID {
|
if userToPublicize.ID != ctx.User.ID {
|
||||||
ctx.Error(403, "", "Cannot publicize another member")
|
ctx.Error(403, "", "Cannot publicize another member")
|
||||||
return
|
return
|
||||||
} else if !ctx.Org.Organization.IsOrgMember(userToPublicize.ID) {
|
|
||||||
ctx.Error(403, "", "Must be a member of the organization")
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToPublicize.ID, true)
|
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToPublicize.ID, true)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -115,9 +112,6 @@ func ConcealMember(ctx *context.APIContext) {
|
||||||
if userToConceal.ID != ctx.User.ID {
|
if userToConceal.ID != ctx.User.ID {
|
||||||
ctx.Error(403, "", "Cannot conceal another member")
|
ctx.Error(403, "", "Cannot conceal another member")
|
||||||
return
|
return
|
||||||
} else if !ctx.Org.Organization.IsOrgMember(userToConceal.ID) {
|
|
||||||
ctx.Error(403, "", "Must be a member of the organization")
|
|
||||||
return
|
|
||||||
}
|
}
|
||||||
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToConceal.ID, false)
|
err := models.ChangeOrgUserStatus(ctx.Org.Organization.ID, userToConceal.ID, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -130,11 +124,8 @@ func ConcealMember(ctx *context.APIContext) {
|
||||||
// DeleteMember remove a member from an organization
|
// DeleteMember remove a member from an organization
|
||||||
func DeleteMember(ctx *context.APIContext) {
|
func DeleteMember(ctx *context.APIContext) {
|
||||||
org := ctx.Org.Organization
|
org := ctx.Org.Organization
|
||||||
if !org.IsOwnedBy(ctx.User.ID) {
|
memberID := user.GetUserByParams(ctx).ID
|
||||||
ctx.Error(403, "", "You must be an owner of the organization.")
|
if err := org.RemoveMember(memberID); err != nil {
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := org.RemoveMember(user.GetUserByParams(ctx).ID); err != nil {
|
|
||||||
ctx.Error(500, "RemoveMember", err)
|
ctx.Error(500, "RemoveMember", err)
|
||||||
}
|
}
|
||||||
ctx.Status(204)
|
ctx.Status(204)
|
||||||
|
|
|
@ -52,11 +52,6 @@ func Get(ctx *context.APIContext) {
|
||||||
// see https://github.com/gogits/go-gogs-client/wiki/Organizations#edit-an-organization
|
// see https://github.com/gogits/go-gogs-client/wiki/Organizations#edit-an-organization
|
||||||
func Edit(ctx *context.APIContext, form api.EditOrgOption) {
|
func Edit(ctx *context.APIContext, form api.EditOrgOption) {
|
||||||
org := ctx.Org.Organization
|
org := ctx.Org.Organization
|
||||||
if !org.IsOwnedBy(ctx.User.ID) {
|
|
||||||
ctx.Status(403)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
org.FullName = form.FullName
|
org.FullName = form.FullName
|
||||||
org.Description = form.Description
|
org.Description = form.Description
|
||||||
org.Website = form.Website
|
org.Website = form.Website
|
||||||
|
|
|
@ -16,10 +16,6 @@ import (
|
||||||
// ListTeams list all the teams of an organization
|
// ListTeams list all the teams of an organization
|
||||||
func ListTeams(ctx *context.APIContext) {
|
func ListTeams(ctx *context.APIContext) {
|
||||||
org := ctx.Org.Organization
|
org := ctx.Org.Organization
|
||||||
if !org.IsOrgMember(ctx.User.ID) {
|
|
||||||
ctx.Error(403, "", "Must be a member of the organization")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := org.GetTeams(); err != nil {
|
if err := org.GetTeams(); err != nil {
|
||||||
ctx.Error(500, "GetTeams", err)
|
ctx.Error(500, "GetTeams", err)
|
||||||
return
|
return
|
||||||
|
@ -34,40 +30,11 @@ func ListTeams(ctx *context.APIContext) {
|
||||||
|
|
||||||
// GetTeam api for get a team
|
// GetTeam api for get a team
|
||||||
func GetTeam(ctx *context.APIContext) {
|
func GetTeam(ctx *context.APIContext) {
|
||||||
if !models.IsOrganizationMember(ctx.Org.Team.OrgID, ctx.User.ID) {
|
|
||||||
ctx.Status(404)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ctx.JSON(200, convert.ToTeam(ctx.Org.Team))
|
ctx.JSON(200, convert.ToTeam(ctx.Org.Team))
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTeamRepos api for get a team's repos
|
|
||||||
func GetTeamRepos(ctx *context.APIContext) {
|
|
||||||
team := ctx.Org.Team
|
|
||||||
if !models.IsOrganizationMember(team.OrgID, ctx.User.ID) {
|
|
||||||
ctx.Status(404)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := team.GetRepositories(); err != nil {
|
|
||||||
ctx.Error(500, "GetTeamRepos", err)
|
|
||||||
}
|
|
||||||
repos := make([]*api.Repository, len(team.Repos))
|
|
||||||
for i, repo := range team.Repos {
|
|
||||||
access, err := models.AccessLevel(ctx.User, repo)
|
|
||||||
if err != nil {
|
|
||||||
ctx.Error(500, "GetTeamRepos", err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
repos[i] = repo.APIFormat(access)
|
|
||||||
}
|
|
||||||
ctx.JSON(200, repos)
|
|
||||||
}
|
|
||||||
|
|
||||||
// CreateTeam api for create a team
|
// CreateTeam api for create a team
|
||||||
func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
|
func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
|
||||||
if !ctx.Org.Organization.IsOrgMember(ctx.User.ID) {
|
|
||||||
ctx.Error(403, "", "Must be an organization member")
|
|
||||||
}
|
|
||||||
team := &models.Team{
|
team := &models.Team{
|
||||||
OrgID: ctx.Org.Organization.ID,
|
OrgID: ctx.Org.Organization.ID,
|
||||||
Name: form.Name,
|
Name: form.Name,
|
||||||
|
@ -88,10 +55,6 @@ func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
|
||||||
|
|
||||||
// EditTeam api for edit a team
|
// EditTeam api for edit a team
|
||||||
func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
|
func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
|
||||||
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
|
|
||||||
ctx.Error(403, "", "Must be an organization owner")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
team := &models.Team{
|
team := &models.Team{
|
||||||
ID: ctx.Org.Team.ID,
|
ID: ctx.Org.Team.ID,
|
||||||
OrgID: ctx.Org.Team.OrgID,
|
OrgID: ctx.Org.Team.OrgID,
|
||||||
|
@ -108,10 +71,6 @@ func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
|
||||||
|
|
||||||
// DeleteTeam api for delete a team
|
// DeleteTeam api for delete a team
|
||||||
func DeleteTeam(ctx *context.APIContext) {
|
func DeleteTeam(ctx *context.APIContext) {
|
||||||
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
|
|
||||||
ctx.Error(403, "", "Must be an organization owner")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if err := models.DeleteTeam(ctx.Org.Team); err != nil {
|
if err := models.DeleteTeam(ctx.Org.Team); err != nil {
|
||||||
ctx.Error(500, "DeleteTeam", err)
|
ctx.Error(500, "DeleteTeam", err)
|
||||||
return
|
return
|
||||||
|
@ -139,10 +98,6 @@ func GetTeamMembers(ctx *context.APIContext) {
|
||||||
|
|
||||||
// AddTeamMember api for add a member to a team
|
// AddTeamMember api for add a member to a team
|
||||||
func AddTeamMember(ctx *context.APIContext) {
|
func AddTeamMember(ctx *context.APIContext) {
|
||||||
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
|
|
||||||
ctx.Error(403, "", "Must be an organization owner")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
u := user.GetUserByParams(ctx)
|
u := user.GetUserByParams(ctx)
|
||||||
if ctx.Written() {
|
if ctx.Written() {
|
||||||
return
|
return
|
||||||
|
@ -156,10 +111,6 @@ func AddTeamMember(ctx *context.APIContext) {
|
||||||
|
|
||||||
// RemoveTeamMember api for remove one member from a team
|
// RemoveTeamMember api for remove one member from a team
|
||||||
func RemoveTeamMember(ctx *context.APIContext) {
|
func RemoveTeamMember(ctx *context.APIContext) {
|
||||||
if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
|
|
||||||
ctx.Error(403, "", "Must be an organization owner")
|
|
||||||
return
|
|
||||||
}
|
|
||||||
u := user.GetUserByParams(ctx)
|
u := user.GetUserByParams(ctx)
|
||||||
if ctx.Written() {
|
if ctx.Written() {
|
||||||
return
|
return
|
||||||
|
@ -171,3 +122,75 @@ func RemoveTeamMember(ctx *context.APIContext) {
|
||||||
}
|
}
|
||||||
ctx.Status(204)
|
ctx.Status(204)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetTeamRepos api for get a team's repos
|
||||||
|
func GetTeamRepos(ctx *context.APIContext) {
|
||||||
|
team := ctx.Org.Team
|
||||||
|
if err := team.GetRepositories(); err != nil {
|
||||||
|
ctx.Error(500, "GetTeamRepos", err)
|
||||||
|
}
|
||||||
|
repos := make([]*api.Repository, len(team.Repos))
|
||||||
|
for i, repo := range team.Repos {
|
||||||
|
access, err := models.AccessLevel(ctx.User, repo)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(500, "GetTeamRepos", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
repos[i] = repo.APIFormat(access)
|
||||||
|
}
|
||||||
|
ctx.JSON(200, repos)
|
||||||
|
}
|
||||||
|
|
||||||
|
// getRepositoryByParams get repository by a team's organization ID and repo name
|
||||||
|
func getRepositoryByParams(ctx *context.APIContext) *models.Repository {
|
||||||
|
repo, err := models.GetRepositoryByName(ctx.Org.Team.OrgID, ctx.Params(":reponame"))
|
||||||
|
if err != nil {
|
||||||
|
if models.IsErrRepoNotExist(err) {
|
||||||
|
ctx.Status(404)
|
||||||
|
} else {
|
||||||
|
ctx.Error(500, "GetRepositoryByName", err)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return repo
|
||||||
|
}
|
||||||
|
|
||||||
|
// AddTeamRepository api for adding a repository to a team
|
||||||
|
func AddTeamRepository(ctx *context.APIContext) {
|
||||||
|
repo := getRepositoryByParams(ctx)
|
||||||
|
if ctx.Written() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if access, err := models.AccessLevel(ctx.User, repo); err != nil {
|
||||||
|
ctx.Error(500, "AccessLevel", err)
|
||||||
|
return
|
||||||
|
} else if access < models.AccessModeAdmin {
|
||||||
|
ctx.Error(403, "", "Must have admin-level access to the repository")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err := ctx.Org.Team.AddRepository(repo); err != nil {
|
||||||
|
ctx.Error(500, "AddRepository", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx.Status(204)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RemoveTeamRepository api for removing a repository from a team
|
||||||
|
func RemoveTeamRepository(ctx *context.APIContext) {
|
||||||
|
repo := getRepositoryByParams(ctx)
|
||||||
|
if ctx.Written() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if access, err := models.AccessLevel(ctx.User, repo); err != nil {
|
||||||
|
ctx.Error(500, "AccessLevel", err)
|
||||||
|
return
|
||||||
|
} else if access < models.AccessModeAdmin {
|
||||||
|
ctx.Error(403, "", "Must have admin-level access to the repository")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err := ctx.Org.Team.RemoveRepository(repo.ID); err != nil {
|
||||||
|
ctx.Error(500, "RemoveRepository", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
ctx.Status(204)
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue