13
3
Fork 0
Wiki Issues 89 resources competences Projects 8 Code Pull Requests Releases Activity
Browse Source

Fix team members API (#6714) (#6729)

tags/v1.8.1
Lunny Xiao 6 years ago committed by GitHub
parent
b1cb52e477
commit
5f6b118007
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 13
      integrations/api_team_test.go
  2. 39
      routers/api/v1/api.go

13
integrations/api_team_test.go
Unescape View File

@ -16,6 +16,7 @@ import (
func TestAPITeam(t *testing.T) { func TestAPITeam(t *testing.T) {
prepareTestEnv(t) prepareTestEnv(t)
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser) teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team) team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User) user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
DecodeJSON(t, resp, &apiTeam) DecodeJSON(t, resp, &apiTeam)
assert.EqualValues(t, team.ID, apiTeam.ID) assert.EqualValues(t, team.ID, apiTeam.ID)
assert.Equal(t, team.Name, apiTeam.Name) assert.Equal(t, team.Name, apiTeam.Name)
// non team member user will not access the teams details
teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
session = loginUser(t, user2.Name)
token = getTokenForLoggedInUser(t, session)
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusForbidden)
req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusUnauthorized)
} }

39
routers/api/v1/api.go
Unescape View File

@ -280,6 +280,43 @@ func reqOrgMembership() macaron.Handler {
} }
} }
// reqTeamMembership user should be an team member, or a site admin
func reqTeamMembership() macaron.Handler {
return func(ctx *context.APIContext) {
if ctx.User.IsAdmin {
return
}
if ctx.Org.Team == nil {
ctx.Error(500, "", "reqTeamMembership: unprepared context")
return
}
var orgID = ctx.Org.Team.OrgID
isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationOwner", err)
return
} else if isOwner {
return
}
if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {
ctx.Error(500, "IsTeamMember", err)
return
} else if !isTeamMember {
isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationMember", err)
} else if isOrgMember {
ctx.Error(403, "", "Must be a team member")
} else {
ctx.Status(404)
}
return
}
}
}
func reqOrgOwnership() macaron.Handler { func reqOrgOwnership() macaron.Handler {
return func(ctx *context.APIContext) { return func(ctx *context.APIContext) {
var orgID int64 var orgID int64
@ -686,7 +723,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Put(org.AddTeamRepository). Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository) Delete(org.RemoveTeamRepository)
}) })
}, orgAssignment(false, true), reqToken(), reqOrgMembership()) }, orgAssignment(false, true), reqToken(), reqTeamMembership())
m.Any("/*", func(ctx *context.Context) { m.Any("/*", func(ctx *context.Context) {
ctx.Error(404) ctx.Error(404)

Write Preview
Loading…
Cancel
Save