aboutsummaryrefslogtreecommitdiffstats
path: root/routers/api/v1/org/member.go
diff options
context:
space:
mode:
Diffstat (limited to 'routers/api/v1/org/member.go')
-rw-r--r--routers/api/v1/org/member.go33
1 files changed, 24 insertions, 9 deletions
diff --git a/routers/api/v1/org/member.go b/routers/api/v1/org/member.go
index 2663d78b73..1c12b0cc94 100644
--- a/routers/api/v1/org/member.go
+++ b/routers/api/v1/org/member.go
@@ -8,6 +8,7 @@ import (
"net/url"
"code.gitea.io/gitea/models/organization"
+ user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/setting"
api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/routers/api/v1/user"
@@ -132,7 +133,7 @@ func IsMember(ctx *context.APIContext) {
// required: true
// - name: username
// in: path
- // description: username of the user
+ // description: username of the user to check for an organization membership
// type: string
// required: true
// responses:
@@ -185,7 +186,7 @@ func IsPublicMember(ctx *context.APIContext) {
// required: true
// - name: username
// in: path
- // description: username of the user
+ // description: username of the user to check for a public organization membership
// type: string
// required: true
// responses:
@@ -210,6 +211,20 @@ func IsPublicMember(ctx *context.APIContext) {
}
}
+func checkCanChangeOrgUserStatus(ctx *context.APIContext, targetUser *user_model.User) {
+ // allow user themselves to change their status, and allow admins to change any user
+ if targetUser.ID == ctx.Doer.ID || ctx.Doer.IsAdmin {
+ return
+ }
+ // allow org owners to change status of members
+ isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
+ if err != nil {
+ ctx.APIError(http.StatusInternalServerError, err)
+ } else if !isOwner {
+ ctx.APIError(http.StatusForbidden, "Cannot change member visibility")
+ }
+}
+
// PublicizeMember make a member's membership public
func PublicizeMember(ctx *context.APIContext) {
// swagger:operation PUT /orgs/{org}/public_members/{username} organization orgPublicizeMember
@@ -225,7 +240,7 @@ func PublicizeMember(ctx *context.APIContext) {
// required: true
// - name: username
// in: path
- // description: username of the user
+ // description: username of the user whose membership is to be publicized
// type: string
// required: true
// responses:
@@ -240,8 +255,8 @@ func PublicizeMember(ctx *context.APIContext) {
if ctx.Written() {
return
}
- if userToPublicize.ID != ctx.Doer.ID {
- ctx.APIError(http.StatusForbidden, "Cannot publicize another member")
+ checkCanChangeOrgUserStatus(ctx, userToPublicize)
+ if ctx.Written() {
return
}
err := organization.ChangeOrgUserStatus(ctx, ctx.Org.Organization.ID, userToPublicize.ID, true)
@@ -267,7 +282,7 @@ func ConcealMember(ctx *context.APIContext) {
// required: true
// - name: username
// in: path
- // description: username of the user
+ // description: username of the user whose membership is to be concealed
// type: string
// required: true
// responses:
@@ -282,8 +297,8 @@ func ConcealMember(ctx *context.APIContext) {
if ctx.Written() {
return
}
- if userToConceal.ID != ctx.Doer.ID {
- ctx.APIError(http.StatusForbidden, "Cannot conceal another member")
+ checkCanChangeOrgUserStatus(ctx, userToConceal)
+ if ctx.Written() {
return
}
err := organization.ChangeOrgUserStatus(ctx, ctx.Org.Organization.ID, userToConceal.ID, false)
@@ -309,7 +324,7 @@ func DeleteMember(ctx *context.APIContext) {
// required: true
// - name: username
// in: path
- // description: username of the user
+ // description: username of the user to remove from the organization
// type: string
// required: true
// responses:
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-08 13:50:51 +0000