author | Ethan Koenig <etk39@cornell.edu> | 2017-01-19 22:16:10 -0700 |
committer | Lunny Xiao <xiaolunwen@gmail.com> | 2017-01-20 13:16:10 +0800 |
commit | 74bbec3bf9f5e306248bf80808f93e116c232306 (patch) | |
tree | 6d3ec9edd609e5cb2d90dd892f308761633cd2d2 /routers/api/v1/org | |
parent | fcf02e4961beb98cf1bc0f60537589e41a871369 (diff) | |
Fix permission bugs in team API (#647)
Diffstat (limited to 'routers/api/v1/org')
-rw-r--r-- | routers/api/v1/org/team.go | 134 |
1 files changed, 121 insertions, 13 deletions
diff --git a/routers/api/v1/org/team.go b/routers/api/v1/org/team.go
index 2f51518875..f87518e256 100644
--- a/routers/api/v1/org/team.go
+++ b/routers/api/v1/org/team.go
@@ -10,11 +10,16 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/routers/api/v1/convert"
+	"code.gitea.io/gitea/routers/api/v1/user"
 )
 
 // ListTeams list all the teams of an organization
 func ListTeams(ctx *context.APIContext) {
 	org := ctx.Org.Organization
+	if !org.IsOrgMember(ctx.User.ID) {
+		ctx.Error(403, "", "Must be a member of the organization")
+		return
+	}
 	if err := org.GetTeams(); err != nil {
 		ctx.Error(500, "GetTeams", err)
 		return
@@ -29,26 +34,20 @@ func ListTeams(ctx *context.APIContext) {
 
 // GetTeam api for get a team
 func GetTeam(ctx *context.APIContext) {
-	ctx.JSON(200, convert.ToTeam(ctx.Org.Team))
-}
-
-// GetTeamMembers api for get a team's members
-func GetTeamMembers(ctx *context.APIContext) {
-	team := ctx.Org.Team
-	if err := team.GetMembers(); err != nil {
-		ctx.Error(500, "GetTeamMembers", err)
+	if !models.IsOrganizationMember(ctx.Org.Team.OrgID, ctx.User.ID) {
+		ctx.Status(404)
+		return
 	}
-	members := make([]*api.User, len(team.Members))
-	for i, member := range team.Members {
-		members[i] = member.APIFormat()
-	}
-	ctx.JSON(200, members)
+	ctx.JSON(200, convert.ToTeam(ctx.Org.Team))
 }
 
 // GetTeamRepos api for get a team's repos
 func GetTeamRepos(ctx *context.APIContext) {
 	team := ctx.Org.Team
+	if !models.IsOrganizationMember(team.OrgID, ctx.User.ID) {
+		ctx.Status(404)
+		return
+	}
 	if err := team.GetRepositories(); err != nil {
 		ctx.Error(500, "GetTeamRepos", err)
 	}
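Review bot: The membership guard added to ListTeams answers a non-member with a 403 and the message "Must be a member of the organization", while the guards this same commit adds to GetTeam and GetTeamRepos answer the identical condition with a bare `ctx.Status(404)`; one endpoint thus confirms to an outsider that the organization exists and that they are excluded from it, the other hides the resource entirely. Pick one policy for the file — `ctx.Status(404)` here would match the other read endpoints, or the others should adopt the 403 if existence is not considered sensitive. The guard also dereferences `ctx.User` unconditionally; whether this route can be reached without a signed-in user is not visible in the hunk, so confirm the router enforces sign-in before this handler runs. The body of ListTeams continues past the end of this hunk.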
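Review bot: The error branch in GetTeamRepos still falls through after `ctx.Error(500, "GetTeamRepos", err)` — there is no `return`, so the handler keeps running into the repository loop below (outside this hunk) on a failed load and finishes by writing a second response with `ctx.JSON(200, repos)`. The GetTeamMembers rewritten elsewhere in this commit does return in the equivalent branch, so this is an inconsistency as well as a bug; add `return` directly after the `ctx.Error(500, "GetTeamRepos", err)` line. The body of GetTeamRepos continues past the end of this hunk.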
@@ -63,3 +62,112 @@ func GetTeamRepos(ctx *context.APIContext) {
 	}
 	ctx.JSON(200, repos)
 }
+
+// CreateTeam api for create a team
+func CreateTeam(ctx *context.APIContext, form api.CreateTeamOption) {
+	if !ctx.Org.Organization.IsOrgMember(ctx.User.ID) {
+		ctx.Error(403, "", "Must be an organization member")
+	}
+	team := &models.Team{
+		OrgID:       ctx.Org.Organization.ID,
+		Name:        form.Name,
+		Description: form.Description,
+		Authorize:   models.ParseAccessMode(form.Permission),
+	}
+	if err := models.NewTeam(team); err != nil {
+		if models.IsErrTeamAlreadyExist(err) {
+			ctx.Error(422, "", err)
+		} else {
+			ctx.Error(500, "NewTeam", err)
+		}
+		return
+	}
+
+	ctx.JSON(201, convert.ToTeam(team))
+}
+
+// EditTeam api for edit a team
+func EditTeam(ctx *context.APIContext, form api.EditTeamOption) {
+	if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
+		ctx.Error(403, "", "Must be an organization owner")
+		return
+	}
+	team := &models.Team{
+		ID:          ctx.Org.Team.ID,
+		OrgID:       ctx.Org.Team.OrgID,
+		Name:        form.Name,
+		Description: form.Description,
+		Authorize:   models.ParseAccessMode(form.Permission),
+	}
+	if err := models.UpdateTeam(team, true); err != nil {
+		ctx.Error(500, "EditTeam", err)
+		return
+	}
+	ctx.JSON(200, convert.ToTeam(team))
+}
+
+// DeleteTeam api for delete a team
+func DeleteTeam(ctx *context.APIContext) {
+	if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
+		ctx.Error(403, "", "Must be an organization owner")
+		return
+	}
+	if err := models.DeleteTeam(ctx.Org.Team); err != nil {
+		ctx.Error(500, "DeleteTeam", err)
+		return
+	}
+	ctx.Status(204)
+}
+
+// GetTeamMembers api for get a team's members
+func GetTeamMembers(ctx *context.APIContext) {
+	if !models.IsOrganizationMember(ctx.Org.Team.OrgID, ctx.User.ID) {
+		ctx.Status(404)
+		return
+	}
+	team := ctx.Org.Team
+	if err := team.GetMembers(); err != nil {
+		ctx.Error(500, "GetTeamMembers", err)
+		return
+	}
+	members := make([]*api.User, len(team.Members))
+	for i, member := range team.Members {
+		members[i] = member.APIFormat()
+	}
+	ctx.JSON(200, members)
+}
+
+// AddTeamMember api for add a member to a team
+func AddTeamMember(ctx *context.APIContext) {
+	if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
+		ctx.Error(403, "", "Must be an organization owner")
+		return
+	}
+	u := user.GetUserByParams(ctx)
+	if ctx.Written() {
+		return
+	}
+	if err := ctx.Org.Team.AddMember(u.ID); err != nil {
+		ctx.Error(500, "AddMember", err)
+		return
+	}
+	ctx.Status(204)
+}
+
+// RemoveTeamMember api for remove one member from a team
+func RemoveTeamMember(ctx *context.APIContext) {
+	if !ctx.User.IsUserOrgOwner(ctx.Org.Team.OrgID) {
+		ctx.Error(403, "", "Must be an organization owner")
+		return
+	}
+	u := user.GetUserByParams(ctx)
+	if ctx.Written() {
+		return
+	}
+
+	if err := ctx.Org.Team.RemoveMember(u.ID); err != nil {
+		ctx.Error(500, "RemoveMember", err)
+		return
+	}
+	ctx.Status(204)
+}
|
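Review bot: CreateTeam's authorization guard has no `return` after `ctx.Error(403, "", "Must be an organization member")`, so a caller who is not a member still reaches `models.NewTeam(team)`: the team is created and a 201 body is written on top of the 403, which makes the check purely cosmetic. Add `return` inside that `if`, exactly as EditTeam, DeleteTeam, AddTeamMember and RemoveTeamMember do in the same hunk. Separately, CreateTeam only demands membership while every other mutating handler here demands `ctx.User.IsUserOrgOwner(...)`, and the new team's `Authorize` comes straight from `form.Permission`; unless creating teams is meant to be open to every member (not determinable from this diff), the guard should be `if !ctx.User.IsUserOrgOwner(ctx.Org.Organization.ID) {` to match the others.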