mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11262 Commits
17 Branches
Tree: 16dea6cebd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '16dea6cebd'
${ noResults }
gitea/routers/api/v1/api.go

api.go 37KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. // Package v1 Gitea API.

  7. //

  8. // This documentation describes the Gitea API.

  9. //

  10. //     Schemes: http, https

  11. //     BasePath: /api/v1

  12. //     Version: {{AppVer | JSEscape | Safe}}

  13. //     License: MIT http://opensource.org/licenses/MIT

  14. //

  15. //     Consumes:

  16. //     - application/json

  17. //     - text/plain

  18. //

  19. //     Produces:

  20. //     - application/json

  21. //     - text/html

  22. //

  23. //     Security:

  24. //     - BasicAuth :

  25. //     - Token :

  26. //     - AccessToken :

  27. //     - AuthorizationHeaderToken :

  28. //     - SudoParam :

  29. //     - SudoHeader :

  30. //     - TOTPHeader :

  31. //

  32. //     SecurityDefinitions:

  33. //     BasicAuth:

  34. //          type: basic

  35. //     Token:

  36. //          type: apiKey

  37. //          name: token

  38. //          in: query

  39. //     AccessToken:

  40. //          type: apiKey

  41. //          name: access_token

  42. //          in: query

  43. //     AuthorizationHeaderToken:

  44. //          type: apiKey

  45. //          name: Authorization

  46. //          in: header

  47. //          description: API tokens must be prepended with "token" followed by a space.

  48. //     SudoParam:

  49. //          type: apiKey

  50. //          name: sudo

  51. //          in: query

  52. //          description: Sudo API request as the user provided as the key. Admin privileges are required.

  53. //     SudoHeader:

  54. //          type: apiKey

  55. //          name: Sudo

  56. //          in: header

  57. //          description: Sudo API request as the user provided as the key. Admin privileges are required.

  58. //     TOTPHeader:

  59. //          type: apiKey

  60. //          name: X-GITEA-OTP

  61. //          in: header

  62. //          description: Must be used in combination with BasicAuth if two-factor authentication is enabled.

  63. //

  64. // swagger:meta

  65. package v1

  66. 

  67. import (

  68. 	"net/http"

  69. 	"reflect"

  70. 	"strings"

  71. 

  72. 	"code.gitea.io/gitea/models"

  73. 	"code.gitea.io/gitea/modules/context"

  74. 	auth "code.gitea.io/gitea/modules/forms"

  75. 	"code.gitea.io/gitea/modules/log"

  76. 	"code.gitea.io/gitea/modules/setting"

  77. 	api "code.gitea.io/gitea/modules/structs"

  78. 	"code.gitea.io/gitea/modules/web"

  79. 	"code.gitea.io/gitea/routers/api/v1/admin"

  80. 	"code.gitea.io/gitea/routers/api/v1/misc"

  81. 	"code.gitea.io/gitea/routers/api/v1/notify"

  82. 	"code.gitea.io/gitea/routers/api/v1/org"

  83. 	"code.gitea.io/gitea/routers/api/v1/repo"

  84. 	"code.gitea.io/gitea/routers/api/v1/settings"

  85. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  86. 	"code.gitea.io/gitea/routers/api/v1/user"

  87. 

  88. 	"gitea.com/go-chi/binding"

  89. 	"gitea.com/go-chi/session"

  90. 	"github.com/go-chi/cors"

  91. )

  92. 

  93. func sudo() func(ctx *context.APIContext) {

  94. 	return func(ctx *context.APIContext) {

  95. 		sudo := ctx.Query("sudo")

  96. 		if len(sudo) == 0 {

  97. 			sudo = ctx.Req.Header.Get("Sudo")

  98. 		}

  99. 

  100. 		if len(sudo) > 0 {

  101. 			if ctx.IsSigned && ctx.User.IsAdmin {

  102. 				user, err := models.GetUserByName(sudo)

  103. 				if err != nil {

  104. 					if models.IsErrUserNotExist(err) {

  105. 						ctx.NotFound()

  106. 					} else {

  107. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  108. 					}

  109. 					return

  110. 				}

  111. 				log.Trace("Sudo from (%s) to: %s", ctx.User.Name, user.Name)

  112. 				ctx.User = user

  113. 			} else {

  114. 				ctx.JSON(http.StatusForbidden, map[string]string{

  115. 					"message": "Only administrators allowed to sudo.",

  116. 				})

  117. 				return

  118. 			}

  119. 		}

  120. 	}

  121. }

  122. 

  123. func repoAssignment() func(ctx *context.APIContext) {

  124. 	return func(ctx *context.APIContext) {

  125. 		userName := ctx.Params("username")

  126. 		repoName := ctx.Params("reponame")

  127. 

  128. 		var (

  129. 			owner *models.User

  130. 			err   error

  131. 		)

  132. 

  133. 		// Check if the user is the same as the repository owner.

  134. 		if ctx.IsSigned && ctx.User.LowerName == strings.ToLower(userName) {

  135. 			owner = ctx.User

  136. 		} else {

  137. 			owner, err = models.GetUserByName(userName)

  138. 			if err != nil {

  139. 				if models.IsErrUserNotExist(err) {

  140. 					if redirectUserID, err := models.LookupUserRedirect(userName); err == nil {

  141. 						context.RedirectToUser(ctx.Context, userName, redirectUserID)

  142. 					} else if models.IsErrUserRedirectNotExist(err) {

  143. 						ctx.NotFound("GetUserByName", err)

  144. 					} else {

  145. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  146. 					}

  147. 				} else {

  148. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  149. 				}

  150. 				return

  151. 			}

  152. 		}

  153. 		ctx.Repo.Owner = owner

  154. 

  155. 		// Get repository.

  156. 		repo, err := models.GetRepositoryByName(owner.ID, repoName)

  157. 		if err != nil {

  158. 			if models.IsErrRepoNotExist(err) {

  159. 				redirectRepoID, err := models.LookupRepoRedirect(owner.ID, repoName)

  160. 				if err == nil {

  161. 					context.RedirectToRepo(ctx.Context, redirectRepoID)

  162. 				} else if models.IsErrRepoRedirectNotExist(err) {

  163. 					ctx.NotFound()

  164. 				} else {

  165. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  166. 				}

  167. 			} else {

  168. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  169. 			}

  170. 			return

  171. 		}

  172. 

  173. 		repo.Owner = owner

  174. 		ctx.Repo.Repository = repo

  175. 

  176. 		ctx.Repo.Permission, err = models.GetUserRepoPermission(repo, ctx.User)

  177. 		if err != nil {

  178. 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  179. 			return

  180. 		}

  181. 

  182. 		if !ctx.Repo.HasAccess() {

  183. 			ctx.NotFound()

  184. 			return

  185. 		}

  186. 	}

  187. }

  188. 

  189. // Contexter middleware already checks token for user sign in process.

  190. func reqToken() func(ctx *context.APIContext) {

  191. 	return func(ctx *context.APIContext) {

  192. 		if true == ctx.Data["IsApiToken"] {

  193. 			return

  194. 		}

  195. 		if ctx.Context.IsBasicAuth {

  196. 			ctx.CheckForOTP()

  197. 			return

  198. 		}

  199. 		if ctx.IsSigned {

  200. 			ctx.RequireCSRF()

  201. 			return

  202. 		}

  203. 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")

  204. 	}

  205. }

  206. 

  207. func reqExploreSignIn() func(ctx *context.APIContext) {

  208. 	return func(ctx *context.APIContext) {

  209. 		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {

  210. 			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")

  211. 		}

  212. 	}

  213. }

  214. 

  215. func reqBasicAuth() func(ctx *context.APIContext) {

  216. 	return func(ctx *context.APIContext) {

  217. 		if !ctx.Context.IsBasicAuth {

  218. 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "basic auth required")

  219. 			return

  220. 		}

  221. 		ctx.CheckForOTP()

  222. 	}

  223. }

  224. 

  225. // reqSiteAdmin user should be the site admin

  226. func reqSiteAdmin() func(ctx *context.APIContext) {

  227. 	return func(ctx *context.APIContext) {

  228. 		if !ctx.IsUserSiteAdmin() {

  229. 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")

  230. 			return

  231. 		}

  232. 	}

  233. }

  234. 

  235. // reqOwner user should be the owner of the repo or site admin.

  236. func reqOwner() func(ctx *context.APIContext) {

  237. 	return func(ctx *context.APIContext) {

  238. 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {

  239. 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")

  240. 			return

  241. 		}

  242. 	}

  243. }

  244. 

  245. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  246. func reqAdmin() func(ctx *context.APIContext) {

  247. 	return func(ctx *context.APIContext) {

  248. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  249. 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")

  250. 			return

  251. 		}

  252. 	}

  253. }

  254. 

  255. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  256. func reqRepoWriter(unitTypes ...models.UnitType) func(ctx *context.APIContext) {

  257. 	return func(ctx *context.APIContext) {

  258. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  259. 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")

  260. 			return

  261. 		}

  262. 	}

  263. }

  264. 

  265. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  266. func reqRepoReader(unitType models.UnitType) func(ctx *context.APIContext) {

  267. 	return func(ctx *context.APIContext) {

  268. 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  269. 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")

  270. 			return

  271. 		}

  272. 	}

  273. }

  274. 

  275. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  276. func reqAnyRepoReader() func(ctx *context.APIContext) {

  277. 	return func(ctx *context.APIContext) {

  278. 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {

  279. 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")

  280. 			return

  281. 		}

  282. 	}

  283. }

  284. 

  285. // reqOrgOwnership user should be an organization owner, or a site admin

  286. func reqOrgOwnership() func(ctx *context.APIContext) {

  287. 	return func(ctx *context.APIContext) {

  288. 		if ctx.Context.IsUserSiteAdmin() {

  289. 			return

  290. 		}

  291. 

  292. 		var orgID int64

  293. 		if ctx.Org.Organization != nil {

  294. 			orgID = ctx.Org.Organization.ID

  295. 		} else if ctx.Org.Team != nil {

  296. 			orgID = ctx.Org.Team.OrgID

  297. 		} else {

  298. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  299. 			return

  300. 		}

  301. 

  302. 		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)

  303. 		if err != nil {

  304. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  305. 			return

  306. 		} else if !isOwner {

  307. 			if ctx.Org.Organization != nil {

  308. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  309. 			} else {

  310. 				ctx.NotFound()

  311. 			}

  312. 			return

  313. 		}

  314. 	}

  315. }

  316. 

  317. // reqTeamMembership user should be an team member, or a site admin

  318. func reqTeamMembership() func(ctx *context.APIContext) {

  319. 	return func(ctx *context.APIContext) {

  320. 		if ctx.Context.IsUserSiteAdmin() {

  321. 			return

  322. 		}

  323. 		if ctx.Org.Team == nil {

  324. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  325. 			return

  326. 		}

  327. 

  328. 		var orgID = ctx.Org.Team.OrgID

  329. 		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)

  330. 		if err != nil {

  331. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  332. 			return

  333. 		} else if isOwner {

  334. 			return

  335. 		}

  336. 

  337. 		if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {

  338. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  339. 			return

  340. 		} else if !isTeamMember {

  341. 			isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)

  342. 			if err != nil {

  343. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  344. 			} else if isOrgMember {

  345. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  346. 			} else {

  347. 				ctx.NotFound()

  348. 			}

  349. 			return

  350. 		}

  351. 	}

  352. }

  353. 

  354. // reqOrgMembership user should be an organization member, or a site admin

  355. func reqOrgMembership() func(ctx *context.APIContext) {

  356. 	return func(ctx *context.APIContext) {

  357. 		if ctx.Context.IsUserSiteAdmin() {

  358. 			return

  359. 		}

  360. 

  361. 		var orgID int64

  362. 		if ctx.Org.Organization != nil {

  363. 			orgID = ctx.Org.Organization.ID

  364. 		} else if ctx.Org.Team != nil {

  365. 			orgID = ctx.Org.Team.OrgID

  366. 		} else {

  367. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  368. 			return

  369. 		}

  370. 

  371. 		if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {

  372. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  373. 			return

  374. 		} else if !isMember {

  375. 			if ctx.Org.Organization != nil {

  376. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  377. 			} else {

  378. 				ctx.NotFound()

  379. 			}

  380. 			return

  381. 		}

  382. 	}

  383. }

  384. 

  385. func reqGitHook() func(ctx *context.APIContext) {

  386. 	return func(ctx *context.APIContext) {

  387. 		if !ctx.User.CanEditGitHook() {

  388. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  389. 			return

  390. 		}

  391. 	}

  392. }

  393. 

  394. // reqWebhooksEnabled requires webhooks to be enabled by admin.

  395. func reqWebhooksEnabled() func(ctx *context.APIContext) {

  396. 	return func(ctx *context.APIContext) {

  397. 		if setting.DisableWebhooks {

  398. 			ctx.Error(http.StatusForbidden, "", "webhooks disabled by administrator")

  399. 			return

  400. 		}

  401. 	}

  402. }

  403. 

  404. func orgAssignment(args ...bool) func(ctx *context.APIContext) {

  405. 	var (

  406. 		assignOrg  bool

  407. 		assignTeam bool

  408. 	)

  409. 	if len(args) > 0 {

  410. 		assignOrg = args[0]

  411. 	}

  412. 	if len(args) > 1 {

  413. 		assignTeam = args[1]

  414. 	}

  415. 	return func(ctx *context.APIContext) {

  416. 		ctx.Org = new(context.APIOrganization)

  417. 

  418. 		var err error

  419. 		if assignOrg {

  420. 			ctx.Org.Organization, err = models.GetOrgByName(ctx.Params(":org"))

  421. 			if err != nil {

  422. 				if models.IsErrOrgNotExist(err) {

  423. 					redirectUserID, err := models.LookupUserRedirect(ctx.Params(":org"))

  424. 					if err == nil {

  425. 						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)

  426. 					} else if models.IsErrUserRedirectNotExist(err) {

  427. 						ctx.NotFound("GetOrgByName", err)

  428. 					} else {

  429. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  430. 					}

  431. 				} else {

  432. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  433. 				}

  434. 				return

  435. 			}

  436. 		}

  437. 

  438. 		if assignTeam {

  439. 			ctx.Org.Team, err = models.GetTeamByID(ctx.ParamsInt64(":teamid"))

  440. 			if err != nil {

  441. 				if models.IsErrTeamNotExist(err) {

  442. 					ctx.NotFound()

  443. 				} else {

  444. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  445. 				}

  446. 				return

  447. 			}

  448. 		}

  449. 	}

  450. }

  451. 

  452. func mustEnableIssues(ctx *context.APIContext) {

  453. 	if !ctx.Repo.CanRead(models.UnitTypeIssues) {

  454. 		if log.IsTrace() {

  455. 			if ctx.IsSigned {

  456. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  457. 					"User in Repo has Permissions: %-+v",

  458. 					ctx.User,

  459. 					models.UnitTypeIssues,

  460. 					ctx.Repo.Repository,

  461. 					ctx.Repo.Permission)

  462. 			} else {

  463. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  464. 					"Anonymous user in Repo has Permissions: %-+v",

  465. 					models.UnitTypeIssues,

  466. 					ctx.Repo.Repository,

  467. 					ctx.Repo.Permission)

  468. 			}

  469. 		}

  470. 		ctx.NotFound()

  471. 		return

  472. 	}

  473. }

  474. 

  475. func mustAllowPulls(ctx *context.APIContext) {

  476. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {

  477. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  478. 			if ctx.IsSigned {

  479. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  480. 					"User in Repo has Permissions: %-+v",

  481. 					ctx.User,

  482. 					models.UnitTypePullRequests,

  483. 					ctx.Repo.Repository,

  484. 					ctx.Repo.Permission)

  485. 			} else {

  486. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  487. 					"Anonymous user in Repo has Permissions: %-+v",

  488. 					models.UnitTypePullRequests,

  489. 					ctx.Repo.Repository,

  490. 					ctx.Repo.Permission)

  491. 			}

  492. 		}

  493. 		ctx.NotFound()

  494. 		return

  495. 	}

  496. }

  497. 

  498. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  499. 	if !ctx.Repo.CanRead(models.UnitTypeIssues) &&

  500. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {

  501. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  502. 			if ctx.IsSigned {

  503. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  504. 					"User in Repo has Permissions: %-+v",

  505. 					ctx.User,

  506. 					models.UnitTypeIssues,

  507. 					models.UnitTypePullRequests,

  508. 					ctx.Repo.Repository,

  509. 					ctx.Repo.Permission)

  510. 			} else {

  511. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  512. 					"Anonymous user in Repo has Permissions: %-+v",

  513. 					models.UnitTypeIssues,

  514. 					models.UnitTypePullRequests,

  515. 					ctx.Repo.Repository,

  516. 					ctx.Repo.Permission)

  517. 			}

  518. 		}

  519. 		ctx.NotFound()

  520. 		return

  521. 	}

  522. }

  523. 

  524. func mustNotBeArchived(ctx *context.APIContext) {

  525. 	if ctx.Repo.Repository.IsArchived {

  526. 		ctx.NotFound()

  527. 		return

  528. 	}

  529. }

  530. 

  531. // bind binding an obj to a func(ctx *context.APIContext)

  532. func bind(obj interface{}) http.HandlerFunc {

  533. 	var tp = reflect.TypeOf(obj)

  534. 	for tp.Kind() == reflect.Ptr {

  535. 		tp = tp.Elem()

  536. 	}

  537. 	return web.Wrap(func(ctx *context.APIContext) {

  538. 		var theObj = reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly

  539. 		errs := binding.Bind(ctx.Req, theObj)

  540. 		if len(errs) > 0 {

  541. 			ctx.Error(http.StatusUnprocessableEntity, "validationError", errs[0].Error())

  542. 			return

  543. 		}

  544. 		web.SetForm(ctx, theObj)

  545. 	})

  546. }

  547. 

  548. // Routes registers all v1 APIs routes to web application.

  549. func Routes() *web.Route {

  550. 	var m = web.NewRoute()

  551. 

  552. 	m.Use(session.Sessioner(session.Options{

  553. 		Provider:       setting.SessionConfig.Provider,

  554. 		ProviderConfig: setting.SessionConfig.ProviderConfig,

  555. 		CookieName:     setting.SessionConfig.CookieName,

  556. 		CookiePath:     setting.SessionConfig.CookiePath,

  557. 		Gclifetime:     setting.SessionConfig.Gclifetime,

  558. 		Maxlifetime:    setting.SessionConfig.Maxlifetime,

  559. 		Secure:         setting.SessionConfig.Secure,

  560. 		Domain:         setting.SessionConfig.Domain,

  561. 	}))

  562. 	m.Use(securityHeaders())

  563. 	if setting.CORSConfig.Enabled {

  564. 		m.Use(cors.Handler(cors.Options{

  565. 			//Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option

  566. 			AllowedOrigins: setting.CORSConfig.AllowDomain,

  567. 			//setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option

  568. 			AllowedMethods:   setting.CORSConfig.Methods,

  569. 			AllowCredentials: setting.CORSConfig.AllowCredentials,

  570. 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),

  571. 		}))

  572. 	}

  573. 	m.Use(context.APIContexter())

  574. 

  575. 	if setting.EnableAccessLog {

  576. 		m.Use(context.AccessLogger())

  577. 	}

  578. 

  579. 	m.Use(context.ToggleAPI(&context.ToggleOptions{

  580. 		SignInRequired: setting.Service.RequireSignInView,

  581. 	}))

  582. 

  583. 	m.Group("", func() {

  584. 		// Miscellaneous

  585. 		if setting.API.EnableSwagger {

  586. 			m.Get("/swagger", func(ctx *context.APIContext) {

  587. 				ctx.Redirect("/api/swagger")

  588. 			})

  589. 		}

  590. 		m.Get("/version", misc.Version)

  591. 		m.Get("/signing-key.gpg", misc.SigningKey)

  592. 		m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  593. 		m.Post("/markdown/raw", misc.MarkdownRaw)

  594. 		m.Group("/settings", func() {

  595. 			m.Get("/ui", settings.GetGeneralUISettings)

  596. 			m.Get("/api", settings.GetGeneralAPISettings)

  597. 			m.Get("/attachment", settings.GetGeneralAttachmentSettings)

  598. 			m.Get("/repository", settings.GetGeneralRepoSettings)

  599. 		})

  600. 

  601. 		// Notifications

  602. 		m.Group("/notifications", func() {

  603. 			m.Combo("").

  604. 				Get(notify.ListNotifications).

  605. 				Put(notify.ReadNotifications)

  606. 			m.Get("/new", notify.NewAvailable)

  607. 			m.Combo("/threads/{id}").

  608. 				Get(notify.GetThread).

  609. 				Patch(notify.ReadThread)

  610. 		}, reqToken())

  611. 

  612. 		// Users

  613. 		m.Group("/users", func() {

  614. 			m.Get("/search", reqExploreSignIn(), user.Search)

  615. 

  616. 			m.Group("/{username}", func() {

  617. 				m.Get("", reqExploreSignIn(), user.GetInfo)

  618. 

  619. 				if setting.Service.EnableUserHeatmap {

  620. 					m.Get("/heatmap", user.GetUserHeatmapData)

  621. 				}

  622. 

  623. 				m.Get("/repos", reqExploreSignIn(), user.ListUserRepos)

  624. 				m.Group("/tokens", func() {

  625. 					m.Combo("").Get(user.ListAccessTokens).

  626. 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

  627. 					m.Combo("/{id}").Delete(user.DeleteAccessToken)

  628. 				}, reqBasicAuth())

  629. 			})

  630. 		})

  631. 

  632. 		m.Group("/users", func() {

  633. 			m.Group("/{username}", func() {

  634. 				m.Get("/keys", user.ListPublicKeys)

  635. 				m.Get("/gpg_keys", user.ListGPGKeys)

  636. 

  637. 				m.Get("/followers", user.ListFollowers)

  638. 				m.Group("/following", func() {

  639. 					m.Get("", user.ListFollowing)

  640. 					m.Get("/{target}", user.CheckFollowing)

  641. 				})

  642. 

  643. 				m.Get("/starred", user.GetStarredRepos)

  644. 

  645. 				m.Get("/subscriptions", user.GetWatchedRepos)

  646. 			})

  647. 		}, reqToken())

  648. 

  649. 		m.Group("/user", func() {

  650. 			m.Get("", user.GetAuthenticatedUser)

  651. 			m.Combo("/emails").Get(user.ListEmails).

  652. 				Post(bind(api.CreateEmailOption{}), user.AddEmail).

  653. 				Delete(bind(api.DeleteEmailOption{}), user.DeleteEmail)

  654. 

  655. 			m.Get("/followers", user.ListMyFollowers)

  656. 			m.Group("/following", func() {

  657. 				m.Get("", user.ListMyFollowing)

  658. 				m.Combo("/{username}").Get(user.CheckMyFollowing).Put(user.Follow).Delete(user.Unfollow)

  659. 			})

  660. 

  661. 			m.Group("/keys", func() {

  662. 				m.Combo("").Get(user.ListMyPublicKeys).

  663. 					Post(bind(api.CreateKeyOption{}), user.CreatePublicKey)

  664. 				m.Combo("/{id}").Get(user.GetPublicKey).

  665. 					Delete(user.DeletePublicKey)

  666. 			})

  667. 			m.Group("/applications", func() {

  668. 				m.Combo("/oauth2").

  669. 					Get(user.ListOauth2Applications).

  670. 					Post(bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  671. 				m.Combo("/oauth2/{id}").

  672. 					Delete(user.DeleteOauth2Application).

  673. 					Patch(bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).

  674. 					Get(user.GetOauth2Application)

  675. 			}, reqToken())

  676. 

  677. 			m.Group("/gpg_keys", func() {

  678. 				m.Combo("").Get(user.ListMyGPGKeys).

  679. 					Post(bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  680. 				m.Combo("/{id}").Get(user.GetGPGKey).

  681. 					Delete(user.DeleteGPGKey)

  682. 			})

  683. 

  684. 			m.Combo("/repos").Get(user.ListMyRepos).

  685. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  686. 

  687. 			m.Group("/starred", func() {

  688. 				m.Get("", user.GetMyStarredRepos)

  689. 				m.Group("/{username}/{reponame}", func() {

  690. 					m.Get("", user.IsStarring)

  691. 					m.Put("", user.Star)

  692. 					m.Delete("", user.Unstar)

  693. 				}, repoAssignment())

  694. 			})

  695. 			m.Get("/times", repo.ListMyTrackedTimes)

  696. 

  697. 			m.Get("/stopwatches", repo.GetStopwatches)

  698. 

  699. 			m.Get("/subscriptions", user.GetMyWatchedRepos)

  700. 

  701. 			m.Get("/teams", org.ListUserTeams)

  702. 		}, reqToken())

  703. 

  704. 		// Repositories

  705. 		m.Post("/org/{org}/repos", reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

  706. 

  707. 		m.Combo("/repositories/{id}", reqToken()).Get(repo.GetByID)

  708. 

  709. 		m.Group("/repos", func() {

  710. 			m.Get("/search", repo.Search)

  711. 

  712. 			m.Get("/issues/search", repo.SearchIssues)

  713. 

  714. 			m.Post("/migrate", reqToken(), bind(api.MigrateRepoOptions{}), repo.Migrate)

  715. 

  716. 			m.Group("/{username}/{reponame}", func() {

  717. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  718. 					Delete(reqToken(), reqOwner(), repo.Delete).

  719. 					Patch(reqToken(), reqAdmin(), context.RepoRefForAPI, bind(api.EditRepoOption{}), repo.Edit)

  720. 				m.Post("/transfer", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  721. 				m.Combo("/notifications").

  722. 					Get(reqToken(), notify.ListRepoNotifications).

  723. 					Put(reqToken(), notify.ReadRepoNotifications)

  724. 				m.Group("/hooks/git", func() {

  725. 					m.Combo("").Get(repo.ListGitHooks)

  726. 					m.Group("/{id}", func() {

  727. 						m.Combo("").Get(repo.GetGitHook).

  728. 							Patch(bind(api.EditGitHookOption{}), repo.EditGitHook).

  729. 							Delete(repo.DeleteGitHook)

  730. 					})

  731. 				}, reqToken(), reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))

  732. 				m.Group("/hooks", func() {

  733. 					m.Combo("").Get(repo.ListHooks).

  734. 						Post(bind(api.CreateHookOption{}), repo.CreateHook)

  735. 					m.Group("/{id}", func() {

  736. 						m.Combo("").Get(repo.GetHook).

  737. 							Patch(bind(api.EditHookOption{}), repo.EditHook).

  738. 							Delete(repo.DeleteHook)

  739. 						m.Post("/tests", context.RepoRefForAPI, repo.TestHook)

  740. 					})

  741. 				}, reqToken(), reqAdmin(), reqWebhooksEnabled())

  742. 				m.Group("/collaborators", func() {

  743. 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)

  744. 					m.Combo("/{collaborator}").Get(reqAnyRepoReader(), repo.IsCollaborator).

  745. 						Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  746. 						Delete(reqAdmin(), repo.DeleteCollaborator)

  747. 				}, reqToken())

  748. 				m.Group("/teams", func() {

  749. 					m.Get("", reqAnyRepoReader(), repo.ListTeams)

  750. 					m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).

  751. 						Put(reqAdmin(), repo.AddTeam).

  752. 						Delete(reqAdmin(), repo.DeleteTeam)

  753. 				}, reqToken())

  754. 				m.Get("/raw/*", context.RepoRefForAPI, reqRepoReader(models.UnitTypeCode), repo.GetRawFile)

  755. 				m.Get("/archive/*", reqRepoReader(models.UnitTypeCode), repo.GetArchive)

  756. 				m.Combo("/forks").Get(repo.ListForks).

  757. 					Post(reqToken(), reqRepoReader(models.UnitTypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  758. 				m.Group("/branches", func() {

  759. 					m.Get("", repo.ListBranches)

  760. 					m.Get("/*", repo.GetBranch)

  761. 					m.Delete("/*", context.ReferencesGitRepo(false), reqRepoWriter(models.UnitTypeCode), repo.DeleteBranch)

  762. 					m.Post("", reqRepoWriter(models.UnitTypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)

  763. 				}, reqRepoReader(models.UnitTypeCode))

  764. 				m.Group("/branch_protections", func() {

  765. 					m.Get("", repo.ListBranchProtections)

  766. 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)

  767. 					m.Group("/{name}", func() {

  768. 						m.Get("", repo.GetBranchProtection)

  769. 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)

  770. 						m.Delete("", repo.DeleteBranchProtection)

  771. 					})

  772. 				}, reqToken(), reqAdmin())

  773. 				m.Group("/tags", func() {

  774. 					m.Get("", repo.ListTags)

  775. 					m.Delete("/{tag}", repo.DeleteTag)

  776. 				}, reqRepoReader(models.UnitTypeCode), context.ReferencesGitRepo(true))

  777. 				m.Group("/keys", func() {

  778. 					m.Combo("").Get(repo.ListDeployKeys).

  779. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  780. 					m.Combo("/{id}").Get(repo.GetDeployKey).

  781. 						Delete(repo.DeleteDeploykey)

  782. 				}, reqToken(), reqAdmin())

  783. 				m.Group("/times", func() {

  784. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  785. 					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)

  786. 				}, mustEnableIssues, reqToken())

  787. 				m.Group("/issues", func() {

  788. 					m.Combo("").Get(repo.ListIssues).

  789. 						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)

  790. 					m.Group("/comments", func() {

  791. 						m.Get("", repo.ListRepoIssueComments)

  792. 						m.Group("/{id}", func() {

  793. 							m.Combo("").

  794. 								Get(repo.GetIssueComment).

  795. 								Patch(mustNotBeArchived, reqToken(), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  796. 								Delete(reqToken(), repo.DeleteIssueComment)

  797. 							m.Combo("/reactions").

  798. 								Get(repo.GetIssueCommentReactions).

  799. 								Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).

  800. 								Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)

  801. 						})

  802. 					})

  803. 					m.Group("/{index}", func() {

  804. 						m.Combo("").Get(repo.GetIssue).

  805. 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue)

  806. 						m.Group("/comments", func() {

  807. 							m.Combo("").Get(repo.ListIssueComments).

  808. 								Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  809. 							m.Combo("/{id}", reqToken()).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  810. 								Delete(repo.DeleteIssueCommentDeprecated)

  811. 						})

  812. 						m.Group("/labels", func() {

  813. 							m.Combo("").Get(repo.ListIssueLabels).

  814. 								Post(reqToken(), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  815. 								Put(reqToken(), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  816. 								Delete(reqToken(), repo.ClearIssueLabels)

  817. 							m.Delete("/{id}", reqToken(), repo.DeleteIssueLabel)

  818. 						})

  819. 						m.Group("/times", func() {

  820. 							m.Combo("").

  821. 								Get(repo.ListTrackedTimes).

  822. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  823. 								Delete(repo.ResetIssueTime)

  824. 							m.Delete("/{id}", repo.DeleteTime)

  825. 						}, reqToken())

  826. 						m.Combo("/deadline").Post(reqToken(), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  827. 						m.Group("/stopwatch", func() {

  828. 							m.Post("/start", reqToken(), repo.StartIssueStopwatch)

  829. 							m.Post("/stop", reqToken(), repo.StopIssueStopwatch)

  830. 							m.Delete("/delete", reqToken(), repo.DeleteIssueStopwatch)

  831. 						})

  832. 						m.Group("/subscriptions", func() {

  833. 							m.Get("", repo.GetIssueSubscribers)

  834. 							m.Get("/check", reqToken(), repo.CheckIssueSubscription)

  835. 							m.Put("/{user}", reqToken(), repo.AddIssueSubscription)

  836. 							m.Delete("/{user}", reqToken(), repo.DelIssueSubscription)

  837. 						})

  838. 						m.Combo("/reactions").

  839. 							Get(repo.GetIssueReactions).

  840. 							Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueReaction).

  841. 							Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)

  842. 					})

  843. 				}, mustEnableIssuesOrPulls)

  844. 				m.Group("/labels", func() {

  845. 					m.Combo("").Get(repo.ListLabels).

  846. 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  847. 					m.Combo("/{id}").Get(repo.GetLabel).

  848. 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  849. 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteLabel)

  850. 				})

  851. 				m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  852. 				m.Post("/markdown/raw", misc.MarkdownRaw)

  853. 				m.Group("/milestones", func() {

  854. 					m.Combo("").Get(repo.ListMilestones).

  855. 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  856. 					m.Combo("/{id}").Get(repo.GetMilestone).

  857. 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  858. 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteMilestone)

  859. 				})

  860. 				m.Get("/stargazers", repo.ListStargazers)

  861. 				m.Get("/subscribers", repo.ListSubscribers)

  862. 				m.Group("/subscription", func() {

  863. 					m.Get("", user.IsWatching)

  864. 					m.Put("", reqToken(), user.Watch)

  865. 					m.Delete("", reqToken(), user.Unwatch)

  866. 				})

  867. 				m.Group("/releases", func() {

  868. 					m.Combo("").Get(repo.ListReleases).

  869. 						Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  870. 					m.Group("/{id}", func() {

  871. 						m.Combo("").Get(repo.GetRelease).

  872. 							Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.EditReleaseOption{}), repo.EditRelease).

  873. 							Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteRelease)

  874. 						m.Group("/assets", func() {

  875. 							m.Combo("").Get(repo.ListReleaseAttachments).

  876. 								Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.CreateReleaseAttachment)

  877. 							m.Combo("/{asset}").Get(repo.GetReleaseAttachment).

  878. 								Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  879. 								Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteReleaseAttachment)

  880. 						})

  881. 					})

  882. 					m.Group("/tags", func() {

  883. 						m.Combo("/{tag}").

  884. 							Get(repo.GetReleaseByTag).

  885. 							Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteReleaseByTag)

  886. 					})

  887. 				}, reqRepoReader(models.UnitTypeReleases))

  888. 				m.Post("/mirror-sync", reqToken(), reqRepoWriter(models.UnitTypeCode), repo.MirrorSync)

  889. 				m.Get("/editorconfig/{filename}", context.RepoRefForAPI, reqRepoReader(models.UnitTypeCode), repo.GetEditorconfig)

  890. 				m.Group("/pulls", func() {

  891. 					m.Combo("").Get(repo.ListPullRequests).

  892. 						Post(reqToken(), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  893. 					m.Group("/{index}", func() {

  894. 						m.Combo("").Get(repo.GetPullRequest).

  895. 							Patch(reqToken(), reqRepoWriter(models.UnitTypePullRequests), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  896. 						m.Get(".diff", repo.DownloadPullDiff)

  897. 						m.Get(".patch", repo.DownloadPullPatch)

  898. 						m.Post("/update", reqToken(), repo.UpdatePullRequest)

  899. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  900. 							Post(reqToken(), mustNotBeArchived, bind(auth.MergePullRequestForm{}), repo.MergePullRequest)

  901. 						m.Group("/reviews", func() {

  902. 							m.Combo("").

  903. 								Get(repo.ListPullReviews).

  904. 								Post(reqToken(), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)

  905. 							m.Group("/{id}", func() {

  906. 								m.Combo("").

  907. 									Get(repo.GetPullReview).

  908. 									Delete(reqToken(), repo.DeletePullReview).

  909. 									Post(reqToken(), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)

  910. 								m.Combo("/comments").

  911. 									Get(repo.GetPullReviewComments)

  912. 								m.Post("/dismissals", reqToken(), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)

  913. 								m.Post("/undismissals", reqToken(), repo.UnDismissPullReview)

  914. 							})

  915. 						})

  916. 						m.Combo("/requested_reviewers").

  917. 							Delete(reqToken(), bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).

  918. 							Post(reqToken(), bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)

  919. 					})

  920. 				}, mustAllowPulls, reqRepoReader(models.UnitTypeCode), context.ReferencesGitRepo(false))

  921. 				m.Group("/statuses", func() {

  922. 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).

  923. 						Post(reqToken(), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  924. 				}, reqRepoReader(models.UnitTypeCode))

  925. 				m.Group("/commits", func() {

  926. 					m.Get("", repo.GetAllCommits)

  927. 					m.Group("/{ref}", func() {

  928. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  929. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  930. 					})

  931. 				}, reqRepoReader(models.UnitTypeCode))

  932. 				m.Group("/git", func() {

  933. 					m.Group("/commits", func() {

  934. 						m.Get("/{sha}", repo.GetSingleCommit)

  935. 					})

  936. 					m.Get("/refs", repo.GetGitAllRefs)

  937. 					m.Get("/refs/*", repo.GetGitRefs)

  938. 					m.Get("/trees/{sha}", context.RepoRefForAPI, repo.GetTree)

  939. 					m.Get("/blobs/{sha}", context.RepoRefForAPI, repo.GetBlob)

  940. 					m.Get("/tags/{sha}", context.RepoRefForAPI, repo.GetTag)

  941. 				}, reqRepoReader(models.UnitTypeCode))

  942. 				m.Group("/contents", func() {

  943. 					m.Get("", repo.GetContentsList)

  944. 					m.Get("/*", repo.GetContents)

  945. 					m.Group("/*", func() {

  946. 						m.Post("", bind(api.CreateFileOptions{}), repo.CreateFile)

  947. 						m.Put("", bind(api.UpdateFileOptions{}), repo.UpdateFile)

  948. 						m.Delete("", bind(api.DeleteFileOptions{}), repo.DeleteFile)

  949. 					}, reqRepoWriter(models.UnitTypeCode), reqToken())

  950. 				}, reqRepoReader(models.UnitTypeCode))

  951. 				m.Get("/signing-key.gpg", misc.SigningKey)

  952. 				m.Group("/topics", func() {

  953. 					m.Combo("").Get(repo.ListTopics).

  954. 						Put(reqToken(), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  955. 					m.Group("/{topic}", func() {

  956. 						m.Combo("").Put(reqToken(), repo.AddTopic).

  957. 							Delete(reqToken(), repo.DeleteTopic)

  958. 					}, reqAdmin())

  959. 				}, reqAnyRepoReader())

  960. 				m.Get("/issue_templates", context.ReferencesGitRepo(false), repo.GetIssueTemplates)

  961. 				m.Get("/languages", reqRepoReader(models.UnitTypeCode), repo.GetLanguages)

  962. 			}, repoAssignment())

  963. 		})

  964. 

  965. 		// Organizations

  966. 		m.Get("/user/orgs", reqToken(), org.ListMyOrgs)

  967. 		m.Get("/users/{username}/orgs", org.ListUserOrgs)

  968. 		m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)

  969. 		m.Get("/orgs", org.GetAll)

  970. 		m.Group("/orgs/{org}", func() {

  971. 			m.Combo("").Get(org.Get).

  972. 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  973. 				Delete(reqToken(), reqOrgOwnership(), org.Delete)

  974. 			m.Combo("/repos").Get(user.ListOrgRepos).

  975. 				Post(reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  976. 			m.Group("/members", func() {

  977. 				m.Get("", org.ListMembers)

  978. 				m.Combo("/{username}").Get(org.IsMember).

  979. 					Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)

  980. 			})

  981. 			m.Group("/public_members", func() {

  982. 				m.Get("", org.ListPublicMembers)

  983. 				m.Combo("/{username}").Get(org.IsPublicMember).

  984. 					Put(reqToken(), reqOrgMembership(), org.PublicizeMember).

  985. 					Delete(reqToken(), reqOrgMembership(), org.ConcealMember)

  986. 			})

  987. 			m.Group("/teams", func() {

  988. 				m.Combo("", reqToken()).Get(org.ListTeams).

  989. 					Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  990. 				m.Get("/search", org.SearchTeam)

  991. 			}, reqOrgMembership())

  992. 			m.Group("/labels", func() {

  993. 				m.Get("", org.ListLabels)

  994. 				m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

  995. 				m.Combo("/{id}").Get(org.GetLabel).

  996. 					Patch(reqToken(), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

  997. 					Delete(reqToken(), reqOrgOwnership(), org.DeleteLabel)

  998. 			})

  999. 			m.Group("/hooks", func() {

  1000. 				m.Combo("").Get(org.ListHooks).

  1001. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  1002. 				m.Combo("/{id}").Get(org.GetHook).

  1003. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  1004. 					Delete(org.DeleteHook)

  1005. 			}, reqToken(), reqOrgOwnership(), reqWebhooksEnabled())

  1006. 		}, orgAssignment(true))

  1007. 		m.Group("/teams/{teamid}", func() {

  1008. 			m.Combo("").Get(org.GetTeam).

  1009. 				Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  1010. 				Delete(reqOrgOwnership(), org.DeleteTeam)

  1011. 			m.Group("/members", func() {

  1012. 				m.Get("", org.GetTeamMembers)

  1013. 				m.Combo("/{username}").

  1014. 					Get(org.GetTeamMember).

  1015. 					Put(reqOrgOwnership(), org.AddTeamMember).

  1016. 					Delete(reqOrgOwnership(), org.RemoveTeamMember)

  1017. 			})

  1018. 			m.Group("/repos", func() {

  1019. 				m.Get("", org.GetTeamRepos)

  1020. 				m.Combo("/{org}/{reponame}").

  1021. 					Put(org.AddTeamRepository).

  1022. 					Delete(org.RemoveTeamRepository)

  1023. 			})

  1024. 		}, orgAssignment(false, true), reqToken(), reqTeamMembership())

  1025. 

  1026. 		m.Group("/admin", func() {

  1027. 			m.Group("/cron", func() {

  1028. 				m.Get("", admin.ListCronTasks)

  1029. 				m.Post("/{task}", admin.PostCronTask)

  1030. 			})

  1031. 			m.Get("/orgs", admin.GetAllOrgs)

  1032. 			m.Group("/users", func() {

  1033. 				m.Get("", admin.GetAllUsers)

  1034. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  1035. 				m.Group("/{username}", func() {

  1036. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  1037. 						Delete(admin.DeleteUser)

  1038. 					m.Group("/keys", func() {

  1039. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  1040. 						m.Delete("/{id}", admin.DeleteUserPublicKey)

  1041. 					})

  1042. 					m.Get("/orgs", org.ListUserOrgs)

  1043. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  1044. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  1045. 				})

  1046. 			})

  1047. 			m.Group("/unadopted", func() {

  1048. 				m.Get("", admin.ListUnadoptedRepositories)

  1049. 				m.Post("/{username}/{reponame}", admin.AdoptRepository)

  1050. 				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)

  1051. 			})

  1052. 		}, reqToken(), reqSiteAdmin())

  1053. 

  1054. 		m.Group("/topics", func() {

  1055. 			m.Get("/search", repo.TopicSearch)

  1056. 		})

  1057. 	}, sudo())

  1058. 

  1059. 	return m

  1060. }

  1061. 

  1062. func securityHeaders() func(http.Handler) http.Handler {

  1063. 	return func(next http.Handler) http.Handler {

  1064. 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {

  1065. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  1066. 			// http://stackoverflow.com/a/3146618/244009

  1067. 			resp.Header().Set("x-content-type-options", "nosniff")

  1068. 			next.ServeHTTP(resp, req)

  1069. 		})

  1070. 	}

  1071. }