From 59be704efb3ae9c2c5b41720e5cd1fc86c550608 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Wed, 24 Apr 2019 13:32:35 +0800
Subject: Fix team members API (#6714)

---
 integrations/api_team_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'integrations')

diff --git a/integrations/api_team_test.go b/integrations/api_team_test.go
index f59d95c712..da29dea9f7 100644
--- a/integrations/api_team_test.go
+++ b/integrations/api_team_test.go
@@ -16,6 +16,7 @@ import (
 
 func TestAPITeam(t *testing.T) {
 	prepareTestEnv(t)
+
 	teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
 	team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
 	user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
@@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
 	DecodeJSON(t, resp, &apiTeam)
 	assert.EqualValues(t, team.ID, apiTeam.ID)
 	assert.Equal(t, team.Name, apiTeam.Name)
+
+	// non team member user will not access the teams details
+	teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
+
+	session = loginUser(t, user2.Name)
+	token = getTokenForLoggedInUser(t, session)
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
+	resp = session.MakeRequest(t, req, http.StatusForbidden)
+
+	req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
+	resp = session.MakeRequest(t, req, http.StatusUnauthorized)
 }
-- 
cgit v1.2.3