author | Andrey Nering <andrey.nering@gmail.com> | 2017-06-07 16:49:52 -0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-07 16:49:52 -0300 |
commit | 65cf6cc84873faf5234c99c4013644613a6123db (patch) | |
tree | 6cdff6686c8adc978549947bb71405b55aeed442 /routers | |
parent | a70073e76890ed39ae4514ddbfcc70ce08b65765 (diff) | |
parent | 971e3a35c12da4c31060ad4a652901f9953dcf63 (diff) | |
Merge pull request #1905 from ethantkoenig/fix/org_api_auth
Require token before checking membership/ownership
Diffstat (limited to 'routers')
-rw-r--r-- | routers/api/v1/api.go | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index f5a301fc8b..aa7d8a5626 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -453,19 +453,19 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Get("/users/:username/orgs", org.ListUserOrgs)
 m.Group("/orgs/:orgname", func() {
 m.Combo("").Get(org.Get).
- Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
+ Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
 m.Group("/members", func() {
 m.Get("", org.ListMembers)
 m.Combo("/:username").Get(org.IsMember).
- Delete(reqOrgOwnership(), org.DeleteMember)
+ Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)
 })
 m.Group("/public_members", func() {
 m.Get("", org.ListPublicMembers)
 m.Combo("/:username").Get(org.IsPublicMember).
- Put(reqOrgMembership(), org.PublicizeMember).
- Delete(reqOrgMembership(), org.ConcealMember)
+ Put(reqToken(), reqOrgMembership(), org.PublicizeMember).
+ Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
 })
- m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams).
+ m.Combo("/teams", reqToken(), reqOrgMembership()).Get(org.ListTeams).
 Post(bind(api.CreateTeamOption{}), org.CreateTeam)
 m.Group("/hooks", func() {
 m.Combo("").Get(org.ListHooks).
@@ -473,7 +473,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Combo("/:id").Get(org.GetHook).
 Patch(reqOrgOwnership(), bind(api.EditHookOption{}), org.EditHook).
 Delete(reqOrgOwnership(), org.DeleteHook)
- }, reqOrgMembership())
+ }, reqToken(), reqOrgMembership())
 }, orgAssignment(true))
 m.Group("/teams/:teamid", func() {
 m.Combo("").Get(org.GetTeam).
@@ -491,7 +491,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 Put(org.AddTeamRepository).
 Delete(org.RemoveTeamRepository)
 })
- }, orgAssignment(false, true), reqOrgMembership())
+ }, orgAssignment(false, true), reqToken(), reqOrgMembership())
 m.Any("/*", func(ctx *context.Context) {
 ctx.Error(404) |
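Review bot: The `Post` on `/teams` is still gated only by the Combo-level `reqOrgMembership()`, while the other mutating routes in this hunk (`Patch` on the org, `Delete` on a member) require `reqOrgOwnership()`. Unless `org.CreateTeam` performs its own owner check (its body is not in this diff), any org member holding a token can create a team. Consider `Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)`. `RegisterRoutes` starts and ends outside the hunk.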
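Review bot: The per-route `reqOrgOwnership()` calls on `Patch` and `Delete` under `/hooks` are covered only because the group-level `reqToken()` on the closing line `}, reqToken(), reqOrgMembership())` runs before them, and nothing at the call site records that dependency. A comment there such as `// reqToken must come first: the org membership/ownership checks expect an authenticated user` would keep a later route from being registered without it. Judging by the commit title, the membership and ownership middlewares misbehave without a signed-in user; their bodies are not shown, but having them reject a missing user themselves would turn the ordering into defence in depth instead of a requirement on every call site.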
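Review bot: On the closing line of the `/teams/:teamid` group, `reqToken()` is placed after `orgAssignment(false, true)`, so the assignment middleware still runs for requests that carry no token. If `orgAssignment` looks up the team and answers 404 for an unknown id (its body is not in this diff), an unauthenticated caller would see different responses for existing and missing team ids. Every route in this group already requires membership, so the token check can go first: `}, reqToken(), orgAssignment(false, true), reqOrgMembership())`. The group body starts outside the hunk.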