authorVasek Sraier <vakabus@users.noreply.github.com>2019-04-07 22:49:34 +0000
committerLauris BH <lauris@nix.lv>2019-04-08 01:49:34 +0300
commit49b2f45f75960a48676c8dd2555d715da1942bd7 (patch)
treef9b42a22fd8c940783b271464bb144bf512a82d6 /routers
parent592e6c398e6c05776d09822e8663928a947c5b90 (diff)
Cleaned permission checks for API -> site admin can now do anything (#6483)
* cleaned permission checks for API -> site admin can now do anything Signed-off-by: Vasek Sraier <git@vakabus.cz> * PR #6483: helper methods moved to context/context.go, added missing return Signed-off-by: Vasek Sraier <git@vakabus.cz> * PR #6483: added documentation to new exported helper functions in context/context.go Signed-off-by: Vasek Sraier <git@vakabus.cz>
Diffstat (limited to 'routers')
-rw-r--r--routers/api/v1/api.go69
1 files changed, 40 insertions, 29 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 0b5c37a355..02c74e5056 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -192,81 +192,87 @@ func reqBasicAuth() macaron.Handler {
// reqSiteAdmin user should be the site admin
func reqSiteAdmin() macaron.Handler {
return func(ctx *context.Context) {
- if !ctx.IsSigned || !ctx.User.IsAdmin {
+ if !ctx.IsUserSiteAdmin() {
ctx.Error(403)
return
}
}
}
-// reqOwner user should be the owner of the repo.
+// reqOwner user should be the owner of the repo or site admin.
func reqOwner() macaron.Handler {
return func(ctx *context.Context) {
- if !ctx.Repo.IsOwner() {
+ if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {
ctx.Error(403)
return
}
}
}
-// reqAdmin user should be an owner or a collaborator with admin write of a repository
+// reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin
func reqAdmin() macaron.Handler {
return func(ctx *context.Context) {
- if !ctx.Repo.IsAdmin() {
+ if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
ctx.Error(403)
return
}
}
}
-func reqRepoReader(unitType models.UnitType) macaron.Handler {
+// reqRepoWriter user should have a permission to write to a repo, or be a site admin
+func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {
return func(ctx *context.Context) {
- if !ctx.Repo.CanRead(unitType) {
+ if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
ctx.Error(403)
return
}
}
}
-func reqAnyRepoReader() macaron.Handler {
+// reqRepoReader user should have specific read permission or be a repo admin or a site admin
+func reqRepoReader(unitType models.UnitType) macaron.Handler {
return func(ctx *context.Context) {
- if !ctx.Repo.HasAccess() {
+ if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {
ctx.Error(403)
return
}
}
}
-func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {
+// reqAnyRepoReader user should have any permission to read repository or permissions of site admin
+func reqAnyRepoReader() macaron.Handler {
return func(ctx *context.Context) {
- for _, unitType := range unitTypes {
- if ctx.Repo.CanWrite(unitType) {
- return
- }
+ if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {
+ ctx.Error(403)
+ return
}
-
- ctx.Error(403)
}
}
-func reqOrgMembership() macaron.Handler {
+// reqOrgOwnership user should be an organization owner, or a site admin
+func reqOrgOwnership() macaron.Handler {
return func(ctx *context.APIContext) {
+ if ctx.Context.IsUserSiteAdmin() {
+ return
+ }
+
var orgID int64
if ctx.Org.Organization != nil {
orgID = ctx.Org.Organization.ID
} else if ctx.Org.Team != nil {
orgID = ctx.Org.Team.OrgID
} else {
- ctx.Error(500, "", "reqOrgMembership: unprepared context")
+ ctx.Error(500, "", "reqOrgOwnership: unprepared context")
return
}
- if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {
- ctx.Error(500, "IsOrganizationMember", err)
+ isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
+ if err != nil {
+ ctx.Error(500, "IsOrganizationOwner", err)
return
- } else if !isMember {
+ } else if !isOwner {
if ctx.Org.Organization != nil {
- ctx.Error(403, "", "Must be an organization member")
+ ctx.Error(403, "", "Must be an organization owner")
} else {
ctx.NotFound()
}
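Review bot: The triple-negated conjunctions in the new reqRepoWriter and reqRepoReader checks (`!ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin()`) obscure the policy being enforced, and the "repo admin or site admin" tail is now duplicated across both handlers, so a later change to one elevation rule can silently diverge from the other. A positive guard reads as the rule it enforces, e.g. `if ctx.IsUserRepoWriter(unitTypes) || ctx.IsUserRepoAdmin() || ctx.IsUserSiteAdmin() { return }` followed by `ctx.Error(403)`, and the shared tail belongs in one helper alongside the others in context/context.go so the authorization logic has a single source. In reqOrgOwnership the site-admin early return is placed before the unprepared-context check, so an admin request with neither Organization nor Team set now passes the middleware instead of returning 500; if that is intended, a one-line comment such as `// site admins bypass the org lookup entirely, including the unprepared-context check` would stop the next reader from "fixing" it. Whether IsUserSiteAdmin() itself covers the unauthenticated case that the removed `!ctx.IsSigned ||` test handled depends on context/context.go, which is outside this hunk and worth confirming since ctx.User is dereferenced unconditionally further down.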
@@ -275,24 +281,29 @@ func reqOrgMembership() macaron.Handler {
}
}
-func reqOrgOwnership() macaron.Handler {
+// reqOrgMembership user should be an organization member, or a site admin
+func reqOrgMembership() macaron.Handler {
return func(ctx *context.APIContext) {
+ if ctx.Context.IsUserSiteAdmin() {
+ return
+ }
+
var orgID int64
if ctx.Org.Organization != nil {
orgID = ctx.Org.Organization.ID
} else if ctx.Org.Team != nil {
orgID = ctx.Org.Team.OrgID
} else {
- ctx.Error(500, "", "reqOrgOwnership: unprepared context")
+ ctx.Error(500, "", "reqOrgMembership: unprepared context")
return
}
- isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
- if err != nil {
- ctx.Error(500, "IsOrganizationOwner", err)
- } else if !isOwner {
+ if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {
+ ctx.Error(500, "IsOrganizationMember", err)
+ return
+ } else if !isMember {
if ctx.Org.Organization != nil {
- ctx.Error(403, "", "Must be an organization owner")
+ ctx.Error(403, "", "Must be an organization member")
} else {
ctx.NotFound()
}