mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14964 Commits
17 Branches
Tree: 17f23182ff
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '17f23182ff'
${ noResults }
gitea/routers/api/v1/api.go

api.go 54KB
Raw Blame History

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. // Package v1 Gitea API.

  6. //

  7. // This documentation describes the Gitea API.

  8. //

  9. //	Schemes: http, https

  10. //	BasePath: /api/v1

  11. //	Version: {{AppVer | JSEscape | Safe}}

  12. //	License: MIT http://opensource.org/licenses/MIT

  13. //

  14. //	Consumes:

  15. //	- application/json

  16. //	- text/plain

  17. //

  18. //	Produces:

  19. //	- application/json

  20. //	- text/html

  21. //

  22. //	Security:

  23. //	- BasicAuth :

  24. //	- Token :

  25. //	- AccessToken :

  26. //	- AuthorizationHeaderToken :

  27. //	- SudoParam :

  28. //	- SudoHeader :

  29. //	- TOTPHeader :

  30. //

  31. //	SecurityDefinitions:

  32. //	BasicAuth:

  33. //	     type: basic

  34. //	Token:

  35. //	     type: apiKey

  36. //	     name: token

  37. //	     in: query

  38. //	AccessToken:

  39. //	     type: apiKey

  40. //	     name: access_token

  41. //	     in: query

  42. //	AuthorizationHeaderToken:

  43. //	     type: apiKey

  44. //	     name: Authorization

  45. //	     in: header

  46. //	     description: API tokens must be prepended with "token" followed by a space.

  47. //	SudoParam:

  48. //	     type: apiKey

  49. //	     name: sudo

  50. //	     in: query

  51. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  52. //	SudoHeader:

  53. //	     type: apiKey

  54. //	     name: Sudo

  55. //	     in: header

  56. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  57. //	TOTPHeader:

  58. //	     type: apiKey

  59. //	     name: X-GITEA-OTP

  60. //	     in: header

  61. //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.

  62. //

  63. // swagger:meta

  64. package v1

  65. 

  66. import (

  67. 	gocontext "context"

  68. 	"fmt"

  69. 	"net/http"

  70. 	"strings"

  71. 

  72. 	actions_model "code.gitea.io/gitea/models/actions"

  73. 	auth_model "code.gitea.io/gitea/models/auth"

  74. 	"code.gitea.io/gitea/models/organization"

  75. 	"code.gitea.io/gitea/models/perm"

  76. 	access_model "code.gitea.io/gitea/models/perm/access"

  77. 	repo_model "code.gitea.io/gitea/models/repo"

  78. 	"code.gitea.io/gitea/models/unit"

  79. 	user_model "code.gitea.io/gitea/models/user"

  80. 	"code.gitea.io/gitea/modules/context"

  81. 	"code.gitea.io/gitea/modules/log"

  82. 	"code.gitea.io/gitea/modules/setting"

  83. 	api "code.gitea.io/gitea/modules/structs"

  84. 	"code.gitea.io/gitea/modules/web"

  85. 	"code.gitea.io/gitea/routers/api/v1/activitypub"

  86. 	"code.gitea.io/gitea/routers/api/v1/admin"

  87. 	"code.gitea.io/gitea/routers/api/v1/misc"

  88. 	"code.gitea.io/gitea/routers/api/v1/notify"

  89. 	"code.gitea.io/gitea/routers/api/v1/org"

  90. 	"code.gitea.io/gitea/routers/api/v1/packages"

  91. 	"code.gitea.io/gitea/routers/api/v1/repo"

  92. 	"code.gitea.io/gitea/routers/api/v1/settings"

  93. 	"code.gitea.io/gitea/routers/api/v1/user"

  94. 	"code.gitea.io/gitea/services/auth"

  95. 	context_service "code.gitea.io/gitea/services/context"

  96. 	"code.gitea.io/gitea/services/forms"

  97. 

  98. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  99. 

  100. 	"gitea.com/go-chi/binding"

  101. 	"github.com/go-chi/cors"

  102. )

  103. 

  104. func sudo() func(ctx *context.APIContext) {

  105. 	return func(ctx *context.APIContext) {

  106. 		sudo := ctx.FormString("sudo")

  107. 		if len(sudo) == 0 {

  108. 			sudo = ctx.Req.Header.Get("Sudo")

  109. 		}

  110. 

  111. 		if len(sudo) > 0 {

  112. 			if ctx.IsSigned && ctx.Doer.IsAdmin {

  113. 				user, err := user_model.GetUserByName(ctx, sudo)

  114. 				if err != nil {

  115. 					if user_model.IsErrUserNotExist(err) {

  116. 						ctx.NotFound()

  117. 					} else {

  118. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  119. 					}

  120. 					return

  121. 				}

  122. 				log.Trace("Sudo from (%s) to: %s", ctx.Doer.Name, user.Name)

  123. 				ctx.Doer = user

  124. 			} else {

  125. 				ctx.JSON(http.StatusForbidden, map[string]string{

  126. 					"message": "Only administrators allowed to sudo.",

  127. 				})

  128. 				return

  129. 			}

  130. 		}

  131. 	}

  132. }

  133. 

  134. func repoAssignment() func(ctx *context.APIContext) {

  135. 	return func(ctx *context.APIContext) {

  136. 		userName := ctx.Params("username")

  137. 		repoName := ctx.Params("reponame")

  138. 

  139. 		var (

  140. 			owner *user_model.User

  141. 			err   error

  142. 		)

  143. 

  144. 		// Check if the user is the same as the repository owner.

  145. 		if ctx.IsSigned && ctx.Doer.LowerName == strings.ToLower(userName) {

  146. 			owner = ctx.Doer

  147. 		} else {

  148. 			owner, err = user_model.GetUserByName(ctx, userName)

  149. 			if err != nil {

  150. 				if user_model.IsErrUserNotExist(err) {

  151. 					if redirectUserID, err := user_model.LookupUserRedirect(userName); err == nil {

  152. 						context.RedirectToUser(ctx.Context, userName, redirectUserID)

  153. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  154. 						ctx.NotFound("GetUserByName", err)

  155. 					} else {

  156. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  157. 					}

  158. 				} else {

  159. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  160. 				}

  161. 				return

  162. 			}

  163. 		}

  164. 		ctx.Repo.Owner = owner

  165. 		ctx.ContextUser = owner

  166. 

  167. 		// Get repository.

  168. 		repo, err := repo_model.GetRepositoryByName(owner.ID, repoName)

  169. 		if err != nil {

  170. 			if repo_model.IsErrRepoNotExist(err) {

  171. 				redirectRepoID, err := repo_model.LookupRedirect(owner.ID, repoName)

  172. 				if err == nil {

  173. 					context.RedirectToRepo(ctx.Context, redirectRepoID)

  174. 				} else if repo_model.IsErrRedirectNotExist(err) {

  175. 					ctx.NotFound()

  176. 				} else {

  177. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  178. 				}

  179. 			} else {

  180. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  181. 			}

  182. 			return

  183. 		}

  184. 

  185. 		repo.Owner = owner

  186. 		ctx.Repo.Repository = repo

  187. 

  188. 		if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID {

  189. 			taskID := ctx.Data["ActionsTaskID"].(int64)

  190. 			task, err := actions_model.GetTaskByID(ctx, taskID)

  191. 			if err != nil {

  192. 				ctx.Error(http.StatusInternalServerError, "actions_model.GetTaskByID", err)

  193. 				return

  194. 			}

  195. 			if task.RepoID != repo.ID {

  196. 				ctx.NotFound()

  197. 				return

  198. 			}

  199. 

  200. 			if task.IsForkPullRequest {

  201. 				ctx.Repo.Permission.AccessMode = perm.AccessModeRead

  202. 			} else {

  203. 				ctx.Repo.Permission.AccessMode = perm.AccessModeWrite

  204. 			}

  205. 

  206. 			if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {

  207. 				ctx.Error(http.StatusInternalServerError, "LoadUnits", err)

  208. 				return

  209. 			}

  210. 			ctx.Repo.Permission.Units = ctx.Repo.Repository.Units

  211. 			ctx.Repo.Permission.UnitsMode = make(map[unit.Type]perm.AccessMode)

  212. 			for _, u := range ctx.Repo.Repository.Units {

  213. 				ctx.Repo.Permission.UnitsMode[u.Type] = ctx.Repo.Permission.AccessMode

  214. 			}

  215. 		} else {

  216. 			ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)

  217. 			if err != nil {

  218. 				ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  219. 				return

  220. 			}

  221. 		}

  222. 

  223. 		if !ctx.Repo.HasAccess() {

  224. 			ctx.NotFound()

  225. 			return

  226. 		}

  227. 	}

  228. }

  229. 

  230. func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.APIContext) {

  231. 	return func(ctx *context.APIContext) {

  232. 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {

  233. 			ctx.Error(http.StatusForbidden, "reqPackageAccess", "user should have specific permission or be a site admin")

  234. 			return

  235. 		}

  236. 	}

  237. }

  238. 

  239. // Contexter middleware already checks token for user sign in process.

  240. func reqToken(requiredScope auth_model.AccessTokenScope) func(ctx *context.APIContext) {

  241. 	return func(ctx *context.APIContext) {

  242. 		// If actions token is present

  243. 		if true == ctx.Data["IsActionsToken"] {

  244. 			return

  245. 		}

  246. 

  247. 		// If OAuth2 token is present

  248. 		if _, ok := ctx.Data["ApiTokenScope"]; ctx.Data["IsApiToken"] == true && ok {

  249. 			// no scope required

  250. 			if requiredScope == "" {

  251. 				return

  252. 			}

  253. 

  254. 			// check scope

  255. 			scope := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)

  256. 			allow, err := scope.HasScope(requiredScope)

  257. 			if err != nil {

  258. 				ctx.Error(http.StatusForbidden, "reqToken", "parsing token failed: "+err.Error())

  259. 				return

  260. 			}

  261. 			if allow {

  262. 				return

  263. 			}

  264. 

  265. 			// if requires 'repo' scope, but only has 'public_repo' scope, allow it only if the repo is public

  266. 			if requiredScope == auth_model.AccessTokenScopeRepo {

  267. 				if allowPublicRepo, err := scope.HasScope(auth_model.AccessTokenScopePublicRepo); err == nil && allowPublicRepo {

  268. 					if ctx.Repo.Repository != nil && !ctx.Repo.Repository.IsPrivate {

  269. 						return

  270. 					}

  271. 				}

  272. 			}

  273. 

  274. 			ctx.Error(http.StatusForbidden, "reqToken", "token does not have required scope: "+requiredScope)

  275. 			return

  276. 		}

  277. 		if ctx.Context.IsBasicAuth {

  278. 			ctx.CheckForOTP()

  279. 			return

  280. 		}

  281. 		if ctx.IsSigned {

  282. 			return

  283. 		}

  284. 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")

  285. 	}

  286. }

  287. 

  288. func reqExploreSignIn() func(ctx *context.APIContext) {

  289. 	return func(ctx *context.APIContext) {

  290. 		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {

  291. 			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")

  292. 		}

  293. 	}

  294. }

  295. 

  296. func reqBasicAuth() func(ctx *context.APIContext) {

  297. 	return func(ctx *context.APIContext) {

  298. 		if !ctx.Context.IsBasicAuth {

  299. 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")

  300. 			return

  301. 		}

  302. 		ctx.CheckForOTP()

  303. 	}

  304. }

  305. 

  306. // reqSiteAdmin user should be the site admin

  307. func reqSiteAdmin() func(ctx *context.APIContext) {

  308. 	return func(ctx *context.APIContext) {

  309. 		if !ctx.IsUserSiteAdmin() {

  310. 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")

  311. 			return

  312. 		}

  313. 	}

  314. }

  315. 

  316. // reqOwner user should be the owner of the repo or site admin.

  317. func reqOwner() func(ctx *context.APIContext) {

  318. 	return func(ctx *context.APIContext) {

  319. 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {

  320. 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")

  321. 			return

  322. 		}

  323. 	}

  324. }

  325. 

  326. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  327. func reqAdmin() func(ctx *context.APIContext) {

  328. 	return func(ctx *context.APIContext) {

  329. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  330. 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")

  331. 			return

  332. 		}

  333. 	}

  334. }

  335. 

  336. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  337. func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {

  338. 	return func(ctx *context.APIContext) {

  339. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  340. 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")

  341. 			return

  342. 		}

  343. 	}

  344. }

  345. 

  346. // reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin

  347. func reqRepoBranchWriter(ctx *context.APIContext) {

  348. 	options, ok := web.GetForm(ctx).(api.FileOptionInterface)

  349. 	if !ok || (!ctx.Repo.CanWriteToBranch(ctx.Doer, options.Branch()) && !ctx.IsUserSiteAdmin()) {

  350. 		ctx.Error(http.StatusForbidden, "reqRepoBranchWriter", "user should have a permission to write to this branch")

  351. 		return

  352. 	}

  353. }

  354. 

  355. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  356. func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {

  357. 	return func(ctx *context.APIContext) {

  358. 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  359. 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")

  360. 			return

  361. 		}

  362. 	}

  363. }

  364. 

  365. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  366. func reqAnyRepoReader() func(ctx *context.APIContext) {

  367. 	return func(ctx *context.APIContext) {

  368. 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {

  369. 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")

  370. 			return

  371. 		}

  372. 	}

  373. }

  374. 

  375. // reqOrgOwnership user should be an organization owner, or a site admin

  376. func reqOrgOwnership() func(ctx *context.APIContext) {

  377. 	return func(ctx *context.APIContext) {

  378. 		if ctx.Context.IsUserSiteAdmin() {

  379. 			return

  380. 		}

  381. 

  382. 		var orgID int64

  383. 		if ctx.Org.Organization != nil {

  384. 			orgID = ctx.Org.Organization.ID

  385. 		} else if ctx.Org.Team != nil {

  386. 			orgID = ctx.Org.Team.OrgID

  387. 		} else {

  388. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  389. 			return

  390. 		}

  391. 

  392. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  393. 		if err != nil {

  394. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  395. 			return

  396. 		} else if !isOwner {

  397. 			if ctx.Org.Organization != nil {

  398. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  399. 			} else {

  400. 				ctx.NotFound()

  401. 			}

  402. 			return

  403. 		}

  404. 	}

  405. }

  406. 

  407. // reqTeamMembership user should be an team member, or a site admin

  408. func reqTeamMembership() func(ctx *context.APIContext) {

  409. 	return func(ctx *context.APIContext) {

  410. 		if ctx.Context.IsUserSiteAdmin() {

  411. 			return

  412. 		}

  413. 		if ctx.Org.Team == nil {

  414. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  415. 			return

  416. 		}

  417. 

  418. 		orgID := ctx.Org.Team.OrgID

  419. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  420. 		if err != nil {

  421. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  422. 			return

  423. 		} else if isOwner {

  424. 			return

  425. 		}

  426. 

  427. 		if isTeamMember, err := organization.IsTeamMember(ctx, orgID, ctx.Org.Team.ID, ctx.Doer.ID); err != nil {

  428. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  429. 			return

  430. 		} else if !isTeamMember {

  431. 			isOrgMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID)

  432. 			if err != nil {

  433. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  434. 			} else if isOrgMember {

  435. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  436. 			} else {

  437. 				ctx.NotFound()

  438. 			}

  439. 			return

  440. 		}

  441. 	}

  442. }

  443. 

  444. // reqOrgMembership user should be an organization member, or a site admin

  445. func reqOrgMembership() func(ctx *context.APIContext) {

  446. 	return func(ctx *context.APIContext) {

  447. 		if ctx.Context.IsUserSiteAdmin() {

  448. 			return

  449. 		}

  450. 

  451. 		var orgID int64

  452. 		if ctx.Org.Organization != nil {

  453. 			orgID = ctx.Org.Organization.ID

  454. 		} else if ctx.Org.Team != nil {

  455. 			orgID = ctx.Org.Team.OrgID

  456. 		} else {

  457. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  458. 			return

  459. 		}

  460. 

  461. 		if isMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID); err != nil {

  462. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  463. 			return

  464. 		} else if !isMember {

  465. 			if ctx.Org.Organization != nil {

  466. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  467. 			} else {

  468. 				ctx.NotFound()

  469. 			}

  470. 			return

  471. 		}

  472. 	}

  473. }

  474. 

  475. func reqGitHook() func(ctx *context.APIContext) {

  476. 	return func(ctx *context.APIContext) {

  477. 		if !ctx.Doer.CanEditGitHook() {

  478. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  479. 			return

  480. 		}

  481. 	}

  482. }

  483. 

  484. // reqWebhooksEnabled requires webhooks to be enabled by admin.

  485. func reqWebhooksEnabled() func(ctx *context.APIContext) {

  486. 	return func(ctx *context.APIContext) {

  487. 		if setting.DisableWebhooks {

  488. 			ctx.Error(http.StatusForbidden, "", "webhooks disabled by administrator")

  489. 			return

  490. 		}

  491. 	}

  492. }

  493. 

  494. func orgAssignment(args ...bool) func(ctx *context.APIContext) {

  495. 	var (

  496. 		assignOrg  bool

  497. 		assignTeam bool

  498. 	)

  499. 	if len(args) > 0 {

  500. 		assignOrg = args[0]

  501. 	}

  502. 	if len(args) > 1 {

  503. 		assignTeam = args[1]

  504. 	}

  505. 	return func(ctx *context.APIContext) {

  506. 		ctx.Org = new(context.APIOrganization)

  507. 

  508. 		var err error

  509. 		if assignOrg {

  510. 			ctx.Org.Organization, err = organization.GetOrgByName(ctx, ctx.Params(":org"))

  511. 			if err != nil {

  512. 				if organization.IsErrOrgNotExist(err) {

  513. 					redirectUserID, err := user_model.LookupUserRedirect(ctx.Params(":org"))

  514. 					if err == nil {

  515. 						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)

  516. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  517. 						ctx.NotFound("GetOrgByName", err)

  518. 					} else {

  519. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  520. 					}

  521. 				} else {

  522. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  523. 				}

  524. 				return

  525. 			}

  526. 			ctx.ContextUser = ctx.Org.Organization.AsUser()

  527. 		}

  528. 

  529. 		if assignTeam {

  530. 			ctx.Org.Team, err = organization.GetTeamByID(ctx, ctx.ParamsInt64(":teamid"))

  531. 			if err != nil {

  532. 				if organization.IsErrTeamNotExist(err) {

  533. 					ctx.NotFound()

  534. 				} else {

  535. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  536. 				}

  537. 				return

  538. 			}

  539. 		}

  540. 	}

  541. }

  542. 

  543. func mustEnableIssues(ctx *context.APIContext) {

  544. 	if !ctx.Repo.CanRead(unit.TypeIssues) {

  545. 		if log.IsTrace() {

  546. 			if ctx.IsSigned {

  547. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  548. 					"User in Repo has Permissions: %-+v",

  549. 					ctx.Doer,

  550. 					unit.TypeIssues,

  551. 					ctx.Repo.Repository,

  552. 					ctx.Repo.Permission)

  553. 			} else {

  554. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  555. 					"Anonymous user in Repo has Permissions: %-+v",

  556. 					unit.TypeIssues,

  557. 					ctx.Repo.Repository,

  558. 					ctx.Repo.Permission)

  559. 			}

  560. 		}

  561. 		ctx.NotFound()

  562. 		return

  563. 	}

  564. }

  565. 

  566. func mustAllowPulls(ctx *context.APIContext) {

  567. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  568. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  569. 			if ctx.IsSigned {

  570. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  571. 					"User in Repo has Permissions: %-+v",

  572. 					ctx.Doer,

  573. 					unit.TypePullRequests,

  574. 					ctx.Repo.Repository,

  575. 					ctx.Repo.Permission)

  576. 			} else {

  577. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  578. 					"Anonymous user in Repo has Permissions: %-+v",

  579. 					unit.TypePullRequests,

  580. 					ctx.Repo.Repository,

  581. 					ctx.Repo.Permission)

  582. 			}

  583. 		}

  584. 		ctx.NotFound()

  585. 		return

  586. 	}

  587. }

  588. 

  589. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  590. 	if !ctx.Repo.CanRead(unit.TypeIssues) &&

  591. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  592. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  593. 			if ctx.IsSigned {

  594. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  595. 					"User in Repo has Permissions: %-+v",

  596. 					ctx.Doer,

  597. 					unit.TypeIssues,

  598. 					unit.TypePullRequests,

  599. 					ctx.Repo.Repository,

  600. 					ctx.Repo.Permission)

  601. 			} else {

  602. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  603. 					"Anonymous user in Repo has Permissions: %-+v",

  604. 					unit.TypeIssues,

  605. 					unit.TypePullRequests,

  606. 					ctx.Repo.Repository,

  607. 					ctx.Repo.Permission)

  608. 			}

  609. 		}

  610. 		ctx.NotFound()

  611. 		return

  612. 	}

  613. }

  614. 

  615. func mustEnableWiki(ctx *context.APIContext) {

  616. 	if !(ctx.Repo.CanRead(unit.TypeWiki)) {

  617. 		ctx.NotFound()

  618. 		return

  619. 	}

  620. }

  621. 

  622. func mustNotBeArchived(ctx *context.APIContext) {

  623. 	if ctx.Repo.Repository.IsArchived {

  624. 		ctx.NotFound()

  625. 		return

  626. 	}

  627. }

  628. 

  629. func mustEnableAttachments(ctx *context.APIContext) {

  630. 	if !setting.Attachment.Enabled {

  631. 		ctx.NotFound()

  632. 		return

  633. 	}

  634. }

  635. 

  636. // bind binding an obj to a func(ctx *context.APIContext)

  637. func bind[T any](obj T) http.HandlerFunc {

  638. 	return web.Wrap(func(ctx *context.APIContext) {

  639. 		theObj := new(T) // create a new form obj for every request but not use obj directly

  640. 		errs := binding.Bind(ctx.Req, theObj)

  641. 		if len(errs) > 0 {

  642. 			ctx.Error(http.StatusUnprocessableEntity, "validationError", fmt.Sprintf("%s: %s", errs[0].FieldNames, errs[0].Error()))

  643. 			return

  644. 		}

  645. 		web.SetForm(ctx, theObj)

  646. 	})

  647. }

  648. 

  649. // The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored

  650. // in the session (if there is a user id stored in session other plugins might return the user

  651. // object for that id).

  652. //

  653. // The Session plugin is expected to be executed second, in order to skip authentication

  654. // for users that have already signed in.

  655. func buildAuthGroup() *auth.Group {

  656. 	group := auth.NewGroup(

  657. 		&auth.OAuth2{},

  658. 		&auth.HTTPSign{},

  659. 		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API

  660. 	)

  661. 	specialAdd(group)

  662. 

  663. 	return group

  664. }

  665. 

  666. // Routes registers all v1 APIs routes to web application.

  667. func Routes(ctx gocontext.Context) *web.Route {

  668. 	m := web.NewRoute()

  669. 

  670. 	m.Use(securityHeaders())

  671. 	if setting.CORSConfig.Enabled {

  672. 		m.Use(cors.Handler(cors.Options{

  673. 			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option

  674. 			AllowedOrigins: setting.CORSConfig.AllowDomain,

  675. 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option

  676. 			AllowedMethods:   setting.CORSConfig.Methods,

  677. 			AllowCredentials: setting.CORSConfig.AllowCredentials,

  678. 			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),

  679. 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),

  680. 		}))

  681. 	}

  682. 	m.Use(context.APIContexter())

  683. 

  684. 	group := buildAuthGroup()

  685. 	if err := group.Init(ctx); err != nil {

  686. 		log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)

  687. 	}

  688. 

  689. 	// Get user from session if logged in.

  690. 	m.Use(auth.APIAuth(group))

  691. 

  692. 	m.Use(context.ToggleAPI(&context.ToggleOptions{

  693. 		SignInRequired: setting.Service.RequireSignInView,

  694. 	}))

  695. 

  696. 	m.Group("", func() {

  697. 		// Miscellaneous (no scope required)

  698. 		if setting.API.EnableSwagger {

  699. 			m.Get("/swagger", func(ctx *context.APIContext) {

  700. 				ctx.Redirect(setting.AppSubURL + "/api/swagger")

  701. 			})

  702. 		}

  703. 		m.Get("/version", misc.Version)

  704. 		if setting.Federation.Enabled {

  705. 			m.Get("/nodeinfo", misc.NodeInfo)

  706. 			m.Group("/activitypub", func() {

  707. 				// deprecated, remove in 1.20, use /user-id/{user-id} instead

  708. 				m.Group("/user/{username}", func() {

  709. 					m.Get("", activitypub.Person)

  710. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  711. 				}, context_service.UserAssignmentAPI())

  712. 				m.Group("/user-id/{user-id}", func() {

  713. 					m.Get("", activitypub.Person)

  714. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  715. 				}, context_service.UserIDAssignmentAPI())

  716. 			})

  717. 		}

  718. 		m.Get("/signing-key.gpg", misc.SigningKey)

  719. 		m.Post("/markup", bind(api.MarkupOption{}), misc.Markup)

  720. 		m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  721. 		m.Post("/markdown/raw", misc.MarkdownRaw)

  722. 		m.Group("/settings", func() {

  723. 			m.Get("/ui", settings.GetGeneralUISettings)

  724. 			m.Get("/api", settings.GetGeneralAPISettings)

  725. 			m.Get("/attachment", settings.GetGeneralAttachmentSettings)

  726. 			m.Get("/repository", settings.GetGeneralRepoSettings)

  727. 		})

  728. 

  729. 		// Notifications (requires 'notification' scope)

  730. 		m.Group("/notifications", func() {

  731. 			m.Combo("").

  732. 				Get(notify.ListNotifications).

  733. 				Put(notify.ReadNotifications)

  734. 			m.Get("/new", notify.NewAvailable)

  735. 			m.Combo("/threads/{id}").

  736. 				Get(notify.GetThread).

  737. 				Patch(notify.ReadThread)

  738. 		}, reqToken(auth_model.AccessTokenScopeNotification))

  739. 

  740. 		// Users (no scope required)

  741. 		m.Group("/users", func() {

  742. 			m.Get("/search", reqExploreSignIn(), user.Search)

  743. 

  744. 			m.Group("/{username}", func() {

  745. 				m.Get("", reqExploreSignIn(), user.GetInfo)

  746. 

  747. 				if setting.Service.EnableUserHeatmap {

  748. 					m.Get("/heatmap", user.GetUserHeatmapData)

  749. 				}

  750. 

  751. 				m.Get("/repos", reqExploreSignIn(), user.ListUserRepos)

  752. 				m.Group("/tokens", func() {

  753. 					m.Combo("").Get(user.ListAccessTokens).

  754. 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

  755. 					m.Combo("/{id}").Delete(user.DeleteAccessToken)

  756. 				}, reqBasicAuth())

  757. 			}, context_service.UserAssignmentAPI())

  758. 		})

  759. 

  760. 		// (no scope required)

  761. 		m.Group("/users", func() {

  762. 			m.Group("/{username}", func() {

  763. 				m.Get("/keys", user.ListPublicKeys)

  764. 				m.Get("/gpg_keys", user.ListGPGKeys)

  765. 

  766. 				m.Get("/followers", user.ListFollowers)

  767. 				m.Group("/following", func() {

  768. 					m.Get("", user.ListFollowing)

  769. 					m.Get("/{target}", user.CheckFollowing)

  770. 				})

  771. 

  772. 				m.Get("/starred", user.GetStarredRepos)

  773. 

  774. 				m.Get("/subscriptions", user.GetWatchedRepos)

  775. 			}, context_service.UserAssignmentAPI())

  776. 		}, reqToken(""))

  777. 

  778. 		m.Group("/user", func() {

  779. 			m.Get("", user.GetAuthenticatedUser)

  780. 			m.Group("/settings", func() {

  781. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadUser), user.GetUserSettings)

  782. 				m.Patch("", reqToken(auth_model.AccessTokenScopeUser), bind(api.UserSettingsOptions{}), user.UpdateUserSettings)

  783. 			})

  784. 			m.Combo("/emails").Get(reqToken(auth_model.AccessTokenScopeReadUser), user.ListEmails).

  785. 				Post(reqToken(auth_model.AccessTokenScopeUser), bind(api.CreateEmailOption{}), user.AddEmail).

  786. 				Delete(reqToken(auth_model.AccessTokenScopeUser), bind(api.DeleteEmailOption{}), user.DeleteEmail)

  787. 

  788. 			m.Get("/followers", user.ListMyFollowers)

  789. 			m.Group("/following", func() {

  790. 				m.Get("", user.ListMyFollowing)

  791. 				m.Group("/{username}", func() {

  792. 					m.Get("", user.CheckMyFollowing)

  793. 					m.Put("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Follow)      // requires 'user:follow' scope

  794. 					m.Delete("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Unfollow) // requires 'user:follow' scope

  795. 				}, context_service.UserAssignmentAPI())

  796. 			})

  797. 

  798. 			// (admin:public_key scope)

  799. 			m.Group("/keys", func() {

  800. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.ListMyPublicKeys).

  801. 					Post(reqToken(auth_model.AccessTokenScopeWritePublicKey), bind(api.CreateKeyOption{}), user.CreatePublicKey)

  802. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.GetPublicKey).

  803. 					Delete(reqToken(auth_model.AccessTokenScopeWritePublicKey), user.DeletePublicKey)

  804. 			})

  805. 

  806. 			// (admin:application scope)

  807. 			m.Group("/applications", func() {

  808. 				m.Combo("/oauth2").

  809. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.ListOauth2Applications).

  810. 					Post(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  811. 				m.Combo("/oauth2/{id}").

  812. 					Delete(reqToken(auth_model.AccessTokenScopeWriteApplication), user.DeleteOauth2Application).

  813. 					Patch(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).

  814. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.GetOauth2Application)

  815. 			})

  816. 

  817. 			// (admin:gpg_key scope)

  818. 			m.Group("/gpg_keys", func() {

  819. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.ListMyGPGKeys).

  820. 					Post(reqToken(auth_model.AccessTokenScopeWriteGPGKey), bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  821. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetGPGKey).

  822. 					Delete(reqToken(auth_model.AccessTokenScopeWriteGPGKey), user.DeleteGPGKey)

  823. 			})

  824. 			m.Get("/gpg_key_token", reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetVerificationToken)

  825. 			m.Post("/gpg_key_verify", reqToken(auth_model.AccessTokenScopeReadGPGKey), bind(api.VerifyGPGKeyOption{}), user.VerifyUserGPGKey)

  826. 

  827. 			// (repo scope)

  828. 			m.Combo("/repos", reqToken(auth_model.AccessTokenScopeRepo)).Get(user.ListMyRepos).

  829. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  830. 

  831. 			// (repo scope)

  832. 			m.Group("/starred", func() {

  833. 				m.Get("", user.GetMyStarredRepos)

  834. 				m.Group("/{username}/{reponame}", func() {

  835. 					m.Get("", user.IsStarring)

  836. 					m.Put("", user.Star)

  837. 					m.Delete("", user.Unstar)

  838. 				}, repoAssignment())

  839. 			}, reqToken(auth_model.AccessTokenScopeRepo))

  840. 			m.Get("/times", reqToken(auth_model.AccessTokenScopeRepo), repo.ListMyTrackedTimes)

  841. 			m.Get("/stopwatches", reqToken(auth_model.AccessTokenScopeRepo), repo.GetStopwatches)

  842. 			m.Get("/subscriptions", reqToken(auth_model.AccessTokenScopeRepo), user.GetMyWatchedRepos)

  843. 			m.Get("/teams", reqToken(auth_model.AccessTokenScopeRepo), org.ListUserTeams)

  844. 			m.Group("/hooks", func() {

  845. 				m.Combo("").Get(user.ListHooks).

  846. 					Post(bind(api.CreateHookOption{}), user.CreateHook)

  847. 				m.Combo("/{id}").Get(user.GetHook).

  848. 					Patch(bind(api.EditHookOption{}), user.EditHook).

  849. 					Delete(user.DeleteHook)

  850. 			}, reqToken(auth_model.AccessTokenScopeAdminUserHook), reqWebhooksEnabled())

  851. 		}, reqToken(""))

  852. 

  853. 		// Repositories

  854. 		m.Post("/org/{org}/repos", reqToken(auth_model.AccessTokenScopeAdminOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

  855. 

  856. 		m.Combo("/repositories/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.GetByID)

  857. 

  858. 		m.Group("/repos", func() {

  859. 			m.Get("/search", repo.Search)

  860. 

  861. 			m.Get("/issues/search", repo.SearchIssues)

  862. 

  863. 			// (repo scope)

  864. 			m.Post("/migrate", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MigrateRepoOptions{}), repo.Migrate)

  865. 

  866. 			m.Group("/{username}/{reponame}", func() {

  867. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  868. 					Delete(reqToken(auth_model.AccessTokenScopeDeleteRepo), reqOwner(), repo.Delete).

  869. 					Patch(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)

  870. 				m.Post("/generate", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)

  871. 				m.Group("/transfer", func() {

  872. 					m.Post("", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  873. 					m.Post("/accept", repo.AcceptTransfer)

  874. 					m.Post("/reject", repo.RejectTransfer)

  875. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  876. 				m.Combo("/notifications", reqToken(auth_model.AccessTokenScopeNotification)).

  877. 					Get(notify.ListRepoNotifications).

  878. 					Put(notify.ReadRepoNotifications)

  879. 				m.Group("/hooks/git", func() {

  880. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListGitHooks)

  881. 					m.Group("/{id}", func() {

  882. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetGitHook).

  883. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditGitHookOption{}), repo.EditGitHook).

  884. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteGitHook)

  885. 					})

  886. 				}, reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))

  887. 				m.Group("/hooks", func() {

  888. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListHooks).

  889. 						Post(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.CreateHookOption{}), repo.CreateHook)

  890. 					m.Group("/{id}", func() {

  891. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetHook).

  892. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditHookOption{}), repo.EditHook).

  893. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteHook)

  894. 						m.Post("/tests", reqToken(auth_model.AccessTokenScopeReadRepoHook), context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)

  895. 					})

  896. 				}, reqAdmin(), reqWebhooksEnabled())

  897. 				m.Group("/collaborators", func() {

  898. 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)

  899. 					m.Group("/{collaborator}", func() {

  900. 						m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).

  901. 							Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  902. 							Delete(reqAdmin(), repo.DeleteCollaborator)

  903. 						m.Get("/permission", repo.GetRepoPermissions)

  904. 					})

  905. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  906. 				m.Get("/assignees", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetAssignees)

  907. 				m.Get("/reviewers", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetReviewers)

  908. 				m.Group("/teams", func() {

  909. 					m.Get("", reqAnyRepoReader(), repo.ListTeams)

  910. 					m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).

  911. 						Put(reqAdmin(), repo.AddTeam).

  912. 						Delete(reqAdmin(), repo.DeleteTeam)

  913. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  914. 				m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)

  915. 				m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)

  916. 				m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)

  917. 				m.Combo("/forks").Get(repo.ListForks).

  918. 					Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  919. 				m.Group("/branches", func() {

  920. 					m.Get("", repo.ListBranches)

  921. 					m.Get("/*", repo.GetBranch)

  922. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.DeleteBranch)

  923. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)

  924. 				}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))

  925. 				m.Group("/branch_protections", func() {

  926. 					m.Get("", repo.ListBranchProtections)

  927. 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)

  928. 					m.Group("/{name}", func() {

  929. 						m.Get("", repo.GetBranchProtection)

  930. 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)

  931. 						m.Delete("", repo.DeleteBranchProtection)

  932. 					})

  933. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  934. 				m.Group("/tags", func() {

  935. 					m.Get("", repo.ListTags)

  936. 					m.Get("/*", repo.GetTag)

  937. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)

  938. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTag)

  939. 				}, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))

  940. 				m.Group("/keys", func() {

  941. 					m.Combo("").Get(repo.ListDeployKeys).

  942. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  943. 					m.Combo("/{id}").Get(repo.GetDeployKey).

  944. 						Delete(repo.DeleteDeploykey)

  945. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  946. 				m.Group("/times", func() {

  947. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  948. 					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)

  949. 				}, mustEnableIssues, reqToken(auth_model.AccessTokenScopeRepo))

  950. 				m.Group("/wiki", func() {

  951. 					m.Combo("/page/{pageName}").

  952. 						Get(repo.GetWikiPage).

  953. 						Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).

  954. 						Delete(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)

  955. 					m.Get("/revisions/{pageName}", repo.ListPageRevisions)

  956. 					m.Post("/new", mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)

  957. 					m.Get("/pages", repo.ListWikiPages)

  958. 				}, mustEnableWiki)

  959. 				m.Group("/issues", func() {

  960. 					m.Combo("").Get(repo.ListIssues).

  961. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)

  962. 					m.Group("/comments", func() {

  963. 						m.Get("", repo.ListRepoIssueComments)

  964. 						m.Group("/{id}", func() {

  965. 							m.Combo("").

  966. 								Get(repo.GetIssueComment).

  967. 								Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  968. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueComment)

  969. 							m.Combo("/reactions").

  970. 								Get(repo.GetIssueCommentReactions).

  971. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).

  972. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)

  973. 							m.Group("/assets", func() {

  974. 								m.Combo("").

  975. 									Get(repo.ListIssueCommentAttachments).

  976. 									Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueCommentAttachment)

  977. 								m.Combo("/{asset}").

  978. 									Get(repo.GetIssueCommentAttachment).

  979. 									Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueCommentAttachment).

  980. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueCommentAttachment)

  981. 							}, mustEnableAttachments)

  982. 						})

  983. 					})

  984. 					m.Group("/{index}", func() {

  985. 						m.Combo("").Get(repo.GetIssue).

  986. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueOption{}), repo.EditIssue).

  987. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), context.ReferencesGitRepo(), repo.DeleteIssue)

  988. 						m.Group("/comments", func() {

  989. 							m.Combo("").Get(repo.ListIssueComments).

  990. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  991. 							m.Combo("/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  992. 								Delete(repo.DeleteIssueCommentDeprecated)

  993. 						})

  994. 						m.Get("/timeline", repo.ListIssueCommentsAndTimeline)

  995. 						m.Group("/labels", func() {

  996. 							m.Combo("").Get(repo.ListIssueLabels).

  997. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  998. 								Put(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  999. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.ClearIssueLabels)

  1000. 							m.Delete("/{id}", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueLabel)

  1001. 						})

  1002. 						m.Group("/times", func() {

  1003. 							m.Combo("").

  1004. 								Get(repo.ListTrackedTimes).

  1005. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  1006. 								Delete(repo.ResetIssueTime)

  1007. 							m.Delete("/{id}", repo.DeleteTime)

  1008. 						}, reqToken(auth_model.AccessTokenScopeRepo))

  1009. 						m.Combo("/deadline").Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  1010. 						m.Group("/stopwatch", func() {

  1011. 							m.Post("/start", reqToken(auth_model.AccessTokenScopeRepo), repo.StartIssueStopwatch)

  1012. 							m.Post("/stop", reqToken(auth_model.AccessTokenScopeRepo), repo.StopIssueStopwatch)

  1013. 							m.Delete("/delete", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueStopwatch)

  1014. 						})

  1015. 						m.Group("/subscriptions", func() {

  1016. 							m.Get("", repo.GetIssueSubscribers)

  1017. 							m.Get("/check", reqToken(auth_model.AccessTokenScopeRepo), repo.CheckIssueSubscription)

  1018. 							m.Put("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.AddIssueSubscription)

  1019. 							m.Delete("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.DelIssueSubscription)

  1020. 						})

  1021. 						m.Combo("/reactions").

  1022. 							Get(repo.GetIssueReactions).

  1023. 							Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueReaction).

  1024. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)

  1025. 						m.Group("/assets", func() {

  1026. 							m.Combo("").

  1027. 								Get(repo.ListIssueAttachments).

  1028. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueAttachment)

  1029. 							m.Combo("/{asset}").

  1030. 								Get(repo.GetIssueAttachment).

  1031. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueAttachment).

  1032. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueAttachment)

  1033. 						}, mustEnableAttachments)

  1034. 						m.Combo("/dependencies").

  1035. 							Get(repo.GetIssueDependencies).

  1036. 							Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.IssueMeta{}), repo.CreateIssueDependency).

  1037. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.IssueMeta{}), repo.RemoveIssueDependency)

  1038. 						m.Combo("/blocks").

  1039. 							Get(repo.GetIssueBlocks).

  1040. 							Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueMeta{}), repo.CreateIssueBlocking).

  1041. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueMeta{}), repo.RemoveIssueBlocking)

  1042. 					})

  1043. 				}, mustEnableIssuesOrPulls)

  1044. 				m.Group("/labels", func() {

  1045. 					m.Combo("").Get(repo.ListLabels).

  1046. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  1047. 					m.Combo("/{id}").Get(repo.GetLabel).

  1048. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  1049. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteLabel)

  1050. 				})

  1051. 				m.Post("/markup", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MarkupOption{}), misc.Markup)

  1052. 				m.Post("/markdown", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MarkdownOption{}), misc.Markdown)

  1053. 				m.Post("/markdown/raw", reqToken(auth_model.AccessTokenScopeRepo), misc.MarkdownRaw)

  1054. 				m.Group("/milestones", func() {

  1055. 					m.Combo("").Get(repo.ListMilestones).

  1056. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  1057. 					m.Combo("/{id}").Get(repo.GetMilestone).

  1058. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  1059. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)

  1060. 				})

  1061. 				m.Get("/stargazers", repo.ListStargazers)

  1062. 				m.Get("/subscribers", repo.ListSubscribers)

  1063. 				m.Group("/subscription", func() {

  1064. 					m.Get("", user.IsWatching)

  1065. 					m.Put("", reqToken(auth_model.AccessTokenScopeRepo), user.Watch)

  1066. 					m.Delete("", reqToken(auth_model.AccessTokenScopeRepo), user.Unwatch)

  1067. 				})

  1068. 				m.Group("/releases", func() {

  1069. 					m.Combo("").Get(repo.ListReleases).

  1070. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  1071. 					m.Combo("/latest").Get(repo.GetLatestRelease)

  1072. 					m.Group("/{id}", func() {

  1073. 						m.Combo("").Get(repo.GetRelease).

  1074. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.EditReleaseOption{}), repo.EditRelease).

  1075. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteRelease)

  1076. 						m.Group("/assets", func() {

  1077. 							m.Combo("").Get(repo.ListReleaseAttachments).

  1078. 								Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.CreateReleaseAttachment)

  1079. 							m.Combo("/{asset}").Get(repo.GetReleaseAttachment).

  1080. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  1081. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseAttachment)

  1082. 						})

  1083. 					})

  1084. 					m.Group("/tags", func() {

  1085. 						m.Combo("/{tag}").

  1086. 							Get(repo.GetReleaseByTag).

  1087. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseByTag)

  1088. 					})

  1089. 				}, reqRepoReader(unit.TypeReleases))

  1090. 				m.Post("/mirror-sync", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.MirrorSync)

  1091. 				m.Post("/push_mirrors-sync", reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo), repo.PushMirrorSync)

  1092. 				m.Group("/push_mirrors", func() {

  1093. 					m.Combo("").Get(repo.ListPushMirrors).

  1094. 						Post(bind(api.CreatePushMirrorOption{}), repo.AddPushMirror)

  1095. 					m.Combo("/{name}").

  1096. 						Delete(repo.DeletePushMirrorByRemoteName).

  1097. 						Get(repo.GetPushMirrorByName)

  1098. 				}, reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo))

  1099. 

  1100. 				m.Get("/editorconfig/{filename}", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetEditorconfig)

  1101. 				m.Group("/pulls", func() {

  1102. 					m.Combo("").Get(repo.ListPullRequests).

  1103. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  1104. 					m.Group("/{index}", func() {

  1105. 						m.Combo("").Get(repo.GetPullRequest).

  1106. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  1107. 						m.Get(".{diffType:diff|patch}", repo.DownloadPullDiffOrPatch)

  1108. 						m.Post("/update", reqToken(auth_model.AccessTokenScopeRepo), repo.UpdatePullRequest)

  1109. 						m.Get("/commits", repo.GetPullRequestCommits)

  1110. 						m.Get("/files", repo.GetPullRequestFiles)

  1111. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  1112. 							Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).

  1113. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CancelScheduledAutoMerge)

  1114. 						m.Group("/reviews", func() {

  1115. 							m.Combo("").

  1116. 								Get(repo.ListPullReviews).

  1117. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)

  1118. 							m.Group("/{id}", func() {

  1119. 								m.Combo("").

  1120. 									Get(repo.GetPullReview).

  1121. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeletePullReview).

  1122. 									Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)

  1123. 								m.Combo("/comments").

  1124. 									Get(repo.GetPullReviewComments)

  1125. 								m.Post("/dismissals", reqToken(auth_model.AccessTokenScopeRepo), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)

  1126. 								m.Post("/undismissals", reqToken(auth_model.AccessTokenScopeRepo), repo.UnDismissPullReview)

  1127. 							})

  1128. 						})

  1129. 						m.Combo("/requested_reviewers", reqToken(auth_model.AccessTokenScopeRepo)).

  1130. 							Delete(bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).

  1131. 							Post(bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)

  1132. 					})

  1133. 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())

  1134. 				m.Group("/statuses", func() {

  1135. 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).

  1136. 						Post(reqToken(auth_model.AccessTokenScopeRepoStatus), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  1137. 				}, reqRepoReader(unit.TypeCode))

  1138. 				m.Group("/commits", func() {

  1139. 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)

  1140. 					m.Group("/{ref}", func() {

  1141. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  1142. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  1143. 					}, context.ReferencesGitRepo())

  1144. 				}, reqRepoReader(unit.TypeCode))

  1145. 				m.Group("/git", func() {

  1146. 					m.Group("/commits", func() {

  1147. 						m.Get("/{sha}", repo.GetSingleCommit)

  1148. 						m.Get("/{sha}.{diffType:diff|patch}", repo.DownloadCommitDiffOrPatch)

  1149. 					})

  1150. 					m.Get("/refs", repo.GetGitAllRefs)

  1151. 					m.Get("/refs/*", repo.GetGitRefs)

  1152. 					m.Get("/trees/{sha}", repo.GetTree)

  1153. 					m.Get("/blobs/{sha}", repo.GetBlob)

  1154. 					m.Get("/tags/{sha}", repo.GetAnnotatedTag)

  1155. 					m.Get("/notes/{sha}", repo.GetNote)

  1156. 				}, context.ReferencesGitRepo(true), reqRepoReader(unit.TypeCode))

  1157. 				m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(auth_model.AccessTokenScopeRepo), bind(api.ApplyDiffPatchFileOptions{}), repo.ApplyDiffPatch)

  1158. 				m.Group("/contents", func() {

  1159. 					m.Get("", repo.GetContentsList)

  1160. 					m.Get("/*", repo.GetContents)

  1161. 					m.Group("/*", func() {

  1162. 						m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, repo.CreateFile)

  1163. 						m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, repo.UpdateFile)

  1164. 						m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, repo.DeleteFile)

  1165. 					}, reqToken(auth_model.AccessTokenScopeRepo))

  1166. 				}, reqRepoReader(unit.TypeCode))

  1167. 				m.Get("/signing-key.gpg", misc.SigningKey)

  1168. 				m.Group("/topics", func() {

  1169. 					m.Combo("").Get(repo.ListTopics).

  1170. 						Put(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  1171. 					m.Group("/{topic}", func() {

  1172. 						m.Combo("").Put(reqToken(auth_model.AccessTokenScopeRepo), repo.AddTopic).

  1173. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTopic)

  1174. 					}, reqAdmin())

  1175. 				}, reqAnyRepoReader())

  1176. 				m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)

  1177. 				m.Get("/issue_config", context.ReferencesGitRepo(), repo.GetIssueConfig)

  1178. 				m.Get("/issue_config/validate", context.ReferencesGitRepo(), repo.ValidateIssueConfig)

  1179. 				m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)

  1180. 			}, repoAssignment())

  1181. 		})

  1182. 

  1183. 		// NOTE: these are Gitea package management API - see packages.CommonRoutes and packages.DockerContainerRoutes for endpoints that implement package manager APIs

  1184. 		m.Group("/packages/{username}", func() {

  1185. 			m.Group("/{type}/{name}/{version}", func() {

  1186. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadPackage), packages.GetPackage)

  1187. 				m.Delete("", reqToken(auth_model.AccessTokenScopeDeletePackage), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)

  1188. 				m.Get("/files", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackageFiles)

  1189. 			})

  1190. 			m.Get("/", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackages)

  1191. 		}, context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))

  1192. 

  1193. 		// Organizations

  1194. 		m.Get("/user/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMyOrgs)

  1195. 		m.Group("/users/{username}/orgs", func() {

  1196. 			m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListUserOrgs)

  1197. 			m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)

  1198. 		}, context_service.UserAssignmentAPI())

  1199. 		m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)

  1200. 		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

  1201. 		m.Group("/orgs/{org}", func() {

  1202. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).

  1203. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  1204. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)

  1205. 			m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).

  1206. 				Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  1207. 			m.Group("/members", func() {

  1208. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)

  1209. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).

  1210. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)

  1211. 			})

  1212. 			m.Group("/public_members", func() {

  1213. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)

  1214. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).

  1215. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).

  1216. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)

  1217. 			})

  1218. 			m.Group("/teams", func() {

  1219. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListTeams)

  1220. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  1221. 				m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)

  1222. 			}, reqOrgMembership())

  1223. 			m.Group("/labels", func() {

  1224. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)

  1225. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

  1226. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).

  1227. 					Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

  1228. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteLabel)

  1229. 			})

  1230. 			m.Group("/hooks", func() {

  1231. 				m.Combo("").Get(org.ListHooks).

  1232. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  1233. 				m.Combo("/{id}").Get(org.GetHook).

  1234. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  1235. 					Delete(org.DeleteHook)

  1236. 			}, reqToken(auth_model.AccessTokenScopeAdminOrgHook), reqOrgOwnership(), reqWebhooksEnabled())

  1237. 		}, orgAssignment(true))

  1238. 		m.Group("/teams/{teamid}", func() {

  1239. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeam).

  1240. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  1241. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteTeam)

  1242. 			m.Group("/members", func() {

  1243. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMembers)

  1244. 				m.Combo("/{username}").

  1245. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMember).

  1246. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.AddTeamMember).

  1247. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.RemoveTeamMember)

  1248. 			})

  1249. 			m.Group("/repos", func() {

  1250. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepos)

  1251. 				m.Combo("/{org}/{reponame}").

  1252. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), org.AddTeamRepository).

  1253. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), org.RemoveTeamRepository).

  1254. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepo)

  1255. 			})

  1256. 		}, orgAssignment(false, true), reqToken(""), reqTeamMembership())

  1257. 

  1258. 		m.Group("/admin", func() {

  1259. 			m.Group("/cron", func() {

  1260. 				m.Get("", admin.ListCronTasks)

  1261. 				m.Post("/{task}", admin.PostCronTask)

  1262. 			})

  1263. 			m.Get("/orgs", admin.GetAllOrgs)

  1264. 			m.Group("/users", func() {

  1265. 				m.Get("", admin.SearchUsers)

  1266. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  1267. 				m.Group("/{username}", func() {

  1268. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  1269. 						Delete(admin.DeleteUser)

  1270. 					m.Group("/keys", func() {

  1271. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  1272. 						m.Delete("/{id}", admin.DeleteUserPublicKey)

  1273. 					})

  1274. 					m.Get("/orgs", org.ListUserOrgs)

  1275. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  1276. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  1277. 					m.Post("/rename", bind(api.RenameUserOption{}), admin.RenameUser)

  1278. 				}, context_service.UserAssignmentAPI())

  1279. 			})

  1280. 			m.Group("/emails", func() {

  1281. 				m.Get("", admin.GetAllEmails)

  1282. 				m.Get("/search", admin.SearchEmail)

  1283. 			})

  1284. 			m.Group("/unadopted", func() {

  1285. 				m.Get("", admin.ListUnadoptedRepositories)

  1286. 				m.Post("/{username}/{reponame}", admin.AdoptRepository)

  1287. 				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)

  1288. 			})

  1289. 			m.Group("/hooks", func() {

  1290. 				m.Combo("").Get(admin.ListHooks).

  1291. 					Post(bind(api.CreateHookOption{}), admin.CreateHook)

  1292. 				m.Combo("/{id}").Get(admin.GetHook).

  1293. 					Patch(bind(api.EditHookOption{}), admin.EditHook).

  1294. 					Delete(admin.DeleteHook)

  1295. 			})

  1296. 		}, reqToken(auth_model.AccessTokenScopeSudo), reqSiteAdmin())

  1297. 

  1298. 		m.Group("/topics", func() {

  1299. 			m.Get("/search", repo.TopicSearch)

  1300. 		})

  1301. 	}, sudo())

  1302. 

  1303. 	return m

  1304. }

  1305. 

  1306. func securityHeaders() func(http.Handler) http.Handler {

  1307. 	return func(next http.Handler) http.Handler {

  1308. 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {

  1309. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  1310. 			// http://stackoverflow.com/a/3146618/244009

  1311. 			resp.Header().Set("x-content-type-options", "nosniff")

  1312. 			next.ServeHTTP(resp, req)

  1313. 		})

  1314. 	}

  1315. }