Lunny Xiao
vor 5 Jahren
2 geänderte Dateien mit 51 neuen und 1 gelöschten Zeilen
+ 13
- 0
integrations/api_team_test.go
Datei anzeigen
| @@ -16,6 +16,7 @@ import ( | |||
| func TestAPITeam(t *testing.T) { | |||
| prepareTestEnv(t) | |||
| teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser) | |||
| team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team) | |||
| user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User) | |||
| @@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) { | |||
| DecodeJSON(t, resp, &apiTeam) | |||
| assert.EqualValues(t, team.ID, apiTeam.ID) | |||
| assert.Equal(t, team.Name, apiTeam.Name) | |||
| // non team member user will not access the teams details | |||
| teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser) | |||
| user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User) | |||
| session = loginUser(t, user2.Name) | |||
| token = getTokenForLoggedInUser(t, session) | |||
| req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID) | |||
| resp = session.MakeRequest(t, req, http.StatusForbidden) | |||
| req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID) | |||
| resp = session.MakeRequest(t, req, http.StatusUnauthorized) | |||
| } | |||
+ 38
- 1
routers/api/v1/api.go
Datei anzeigen
| @@ -286,6 +286,43 @@ func reqOrgOwnership() macaron.Handler { | |||
| } | |||
| } | |||
| // reqTeamMembership user should be an team member, or a site admin | |||
| func reqTeamMembership() macaron.Handler { | |||
| return func(ctx *context.APIContext) { | |||
| if ctx.Context.IsUserSiteAdmin() { | |||
| return | |||
| } | |||
| if ctx.Org.Team == nil { | |||
| ctx.Error(500, "", "reqTeamMembership: unprepared context") | |||
| return | |||
| } | |||
| var orgID = ctx.Org.Team.OrgID | |||
| isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID) | |||
| if err != nil { | |||
| ctx.Error(500, "IsOrganizationOwner", err) | |||
| return | |||
| } else if isOwner { | |||
| return | |||
| } | |||
| if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil { | |||
| ctx.Error(500, "IsTeamMember", err) | |||
| return | |||
| } else if !isTeamMember { | |||
| isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID) | |||
| if err != nil { | |||
| ctx.Error(500, "IsOrganizationMember", err) | |||
| } else if isOrgMember { | |||
| ctx.Error(403, "", "Must be a team member") | |||
| } else { | |||
| ctx.NotFound() | |||
| } | |||
| return | |||
| } | |||
| } | |||
| } | |||
| // reqOrgMembership user should be an organization member, or a site admin | |||
| func reqOrgMembership() macaron.Handler { | |||
| return func(ctx *context.APIContext) { | |||
| @@ -775,7 +812,7 @@ func RegisterRoutes(m *macaron.Macaron) { | |||
| Put(org.AddTeamRepository). | |||
| Delete(org.RemoveTeamRepository) | |||
| }) | |||
| }, orgAssignment(false, true), reqToken(), reqOrgMembership()) | |||
| }, orgAssignment(false, true), reqToken(), reqTeamMembership()) | |||
| m.Any("/*", func(ctx *context.APIContext) { | |||
| ctx.NotFound() | |||
Laden…