mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14435 Commits
17 Branches
Tree: 4011821c94
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4011821c94'
${ noResults }
gitea/routers/api/v1/api.go

api.go 52KB
Raw Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. // Package v1 Gitea API.

  6. //

  7. // This documentation describes the Gitea API.

  8. //

  9. //	Schemes: http, https

  10. //	BasePath: /api/v1

  11. //	Version: {{AppVer | JSEscape | Safe}}

  12. //	License: MIT http://opensource.org/licenses/MIT

  13. //

  14. //	Consumes:

  15. //	- application/json

  16. //	- text/plain

  17. //

  18. //	Produces:

  19. //	- application/json

  20. //	- text/html

  21. //

  22. //	Security:

  23. //	- BasicAuth :

  24. //	- Token :

  25. //	- AccessToken :

  26. //	- AuthorizationHeaderToken :

  27. //	- SudoParam :

  28. //	- SudoHeader :

  29. //	- TOTPHeader :

  30. //

  31. //	SecurityDefinitions:

  32. //	BasicAuth:

  33. //	     type: basic

  34. //	Token:

  35. //	     type: apiKey

  36. //	     name: token

  37. //	     in: query

  38. //	AccessToken:

  39. //	     type: apiKey

  40. //	     name: access_token

  41. //	     in: query

  42. //	AuthorizationHeaderToken:

  43. //	     type: apiKey

  44. //	     name: Authorization

  45. //	     in: header

  46. //	     description: API tokens must be prepended with "token" followed by a space.

  47. //	SudoParam:

  48. //	     type: apiKey

  49. //	     name: sudo

  50. //	     in: query

  51. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  52. //	SudoHeader:

  53. //	     type: apiKey

  54. //	     name: Sudo

  55. //	     in: header

  56. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  57. //	TOTPHeader:

  58. //	     type: apiKey

  59. //	     name: X-GITEA-OTP

  60. //	     in: header

  61. //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.

  62. //

  63. // swagger:meta

  64. package v1

  65. 

  66. import (

  67. 	gocontext "context"

  68. 	"fmt"

  69. 	"net/http"

  70. 	"strings"

  71. 

  72. 	actions_model "code.gitea.io/gitea/models/actions"

  73. 	auth_model "code.gitea.io/gitea/models/auth"

  74. 	"code.gitea.io/gitea/models/organization"

  75. 	"code.gitea.io/gitea/models/perm"

  76. 	access_model "code.gitea.io/gitea/models/perm/access"

  77. 	repo_model "code.gitea.io/gitea/models/repo"

  78. 	"code.gitea.io/gitea/models/unit"

  79. 	user_model "code.gitea.io/gitea/models/user"

  80. 	"code.gitea.io/gitea/modules/context"

  81. 	"code.gitea.io/gitea/modules/log"

  82. 	"code.gitea.io/gitea/modules/setting"

  83. 	api "code.gitea.io/gitea/modules/structs"

  84. 	"code.gitea.io/gitea/modules/web"

  85. 	"code.gitea.io/gitea/routers/api/v1/activitypub"

  86. 	"code.gitea.io/gitea/routers/api/v1/admin"

  87. 	"code.gitea.io/gitea/routers/api/v1/misc"

  88. 	"code.gitea.io/gitea/routers/api/v1/notify"

  89. 	"code.gitea.io/gitea/routers/api/v1/org"

  90. 	"code.gitea.io/gitea/routers/api/v1/packages"

  91. 	"code.gitea.io/gitea/routers/api/v1/repo"

  92. 	"code.gitea.io/gitea/routers/api/v1/settings"

  93. 	"code.gitea.io/gitea/routers/api/v1/user"

  94. 	"code.gitea.io/gitea/services/auth"

  95. 	context_service "code.gitea.io/gitea/services/context"

  96. 	"code.gitea.io/gitea/services/forms"

  97. 

  98. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  99. 

  100. 	"gitea.com/go-chi/binding"

  101. 	"github.com/go-chi/cors"

  102. )

  103. 

  104. func sudo() func(ctx *context.APIContext) {

  105. 	return func(ctx *context.APIContext) {

  106. 		sudo := ctx.FormString("sudo")

  107. 		if len(sudo) == 0 {

  108. 			sudo = ctx.Req.Header.Get("Sudo")

  109. 		}

  110. 

  111. 		if len(sudo) > 0 {

  112. 			if ctx.IsSigned && ctx.Doer.IsAdmin {

  113. 				user, err := user_model.GetUserByName(ctx, sudo)

  114. 				if err != nil {

  115. 					if user_model.IsErrUserNotExist(err) {

  116. 						ctx.NotFound()

  117. 					} else {

  118. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  119. 					}

  120. 					return

  121. 				}

  122. 				log.Trace("Sudo from (%s) to: %s", ctx.Doer.Name, user.Name)

  123. 				ctx.Doer = user

  124. 			} else {

  125. 				ctx.JSON(http.StatusForbidden, map[string]string{

  126. 					"message": "Only administrators allowed to sudo.",

  127. 				})

  128. 				return

  129. 			}

  130. 		}

  131. 	}

  132. }

  133. 

  134. func repoAssignment() func(ctx *context.APIContext) {

  135. 	return func(ctx *context.APIContext) {

  136. 		userName := ctx.Params("username")

  137. 		repoName := ctx.Params("reponame")

  138. 

  139. 		var (

  140. 			owner *user_model.User

  141. 			err   error

  142. 		)

  143. 

  144. 		// Check if the user is the same as the repository owner.

  145. 		if ctx.IsSigned && ctx.Doer.LowerName == strings.ToLower(userName) {

  146. 			owner = ctx.Doer

  147. 		} else {

  148. 			owner, err = user_model.GetUserByName(ctx, userName)

  149. 			if err != nil {

  150. 				if user_model.IsErrUserNotExist(err) {

  151. 					if redirectUserID, err := user_model.LookupUserRedirect(userName); err == nil {

  152. 						context.RedirectToUser(ctx.Context, userName, redirectUserID)

  153. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  154. 						ctx.NotFound("GetUserByName", err)

  155. 					} else {

  156. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  157. 					}

  158. 				} else {

  159. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  160. 				}

  161. 				return

  162. 			}

  163. 		}

  164. 		ctx.Repo.Owner = owner

  165. 		ctx.ContextUser = owner

  166. 

  167. 		// Get repository.

  168. 		repo, err := repo_model.GetRepositoryByName(owner.ID, repoName)

  169. 		if err != nil {

  170. 			if repo_model.IsErrRepoNotExist(err) {

  171. 				redirectRepoID, err := repo_model.LookupRedirect(owner.ID, repoName)

  172. 				if err == nil {

  173. 					context.RedirectToRepo(ctx.Context, redirectRepoID)

  174. 				} else if repo_model.IsErrRedirectNotExist(err) {

  175. 					ctx.NotFound()

  176. 				} else {

  177. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  178. 				}

  179. 			} else {

  180. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  181. 			}

  182. 			return

  183. 		}

  184. 

  185. 		repo.Owner = owner

  186. 		ctx.Repo.Repository = repo

  187. 

  188. 		if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID {

  189. 			taskID := ctx.Data["ActionsTaskID"].(int64)

  190. 			task, err := actions_model.GetTaskByID(ctx, taskID)

  191. 			if err != nil {

  192. 				ctx.Error(http.StatusInternalServerError, "actions_model.GetTaskByID", err)

  193. 				return

  194. 			}

  195. 			if task.RepoID != repo.ID {

  196. 				ctx.NotFound()

  197. 				return

  198. 			}

  199. 

  200. 			if task.IsForkPullRequest {

  201. 				ctx.Repo.Permission.AccessMode = perm.AccessModeRead

  202. 			} else {

  203. 				ctx.Repo.Permission.AccessMode = perm.AccessModeWrite

  204. 			}

  205. 

  206. 			if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {

  207. 				ctx.Error(http.StatusInternalServerError, "LoadUnits", err)

  208. 				return

  209. 			}

  210. 			ctx.Repo.Permission.Units = ctx.Repo.Repository.Units

  211. 			ctx.Repo.Permission.UnitsMode = make(map[unit.Type]perm.AccessMode)

  212. 			for _, u := range ctx.Repo.Repository.Units {

  213. 				ctx.Repo.Permission.UnitsMode[u.Type] = ctx.Repo.Permission.AccessMode

  214. 			}

  215. 		} else {

  216. 			ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)

  217. 			if err != nil {

  218. 				ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  219. 				return

  220. 			}

  221. 		}

  222. 

  223. 		if !ctx.Repo.HasAccess() {

  224. 			ctx.NotFound()

  225. 			return

  226. 		}

  227. 	}

  228. }

  229. 

  230. func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.APIContext) {

  231. 	return func(ctx *context.APIContext) {

  232. 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {

  233. 			ctx.Error(http.StatusForbidden, "reqPackageAccess", "user should have specific permission or be a site admin")

  234. 			return

  235. 		}

  236. 	}

  237. }

  238. 

  239. // Contexter middleware already checks token for user sign in process.

  240. func reqToken(requiredScope auth_model.AccessTokenScope) func(ctx *context.APIContext) {

  241. 	return func(ctx *context.APIContext) {

  242. 		// If actions token is present

  243. 		if true == ctx.Data["IsActionsToken"] {

  244. 			return

  245. 		}

  246. 

  247. 		// If OAuth2 token is present

  248. 		if _, ok := ctx.Data["ApiTokenScope"]; ctx.Data["IsApiToken"] == true && ok {

  249. 			// no scope required

  250. 			if requiredScope == "" {

  251. 				return

  252. 			}

  253. 

  254. 			// check scope

  255. 			scope := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)

  256. 			allow, err := scope.HasScope(requiredScope)

  257. 			if err != nil {

  258. 				ctx.Error(http.StatusForbidden, "reqToken", "parsing token failed: "+err.Error())

  259. 				return

  260. 			}

  261. 			if allow {

  262. 				return

  263. 			}

  264. 

  265. 			// if requires 'repo' scope, but only has 'public_repo' scope, allow it only if the repo is public

  266. 			if requiredScope == auth_model.AccessTokenScopeRepo {

  267. 				if allowPublicRepo, err := scope.HasScope(auth_model.AccessTokenScopePublicRepo); err == nil && allowPublicRepo {

  268. 					if ctx.Repo.Repository != nil && !ctx.Repo.Repository.IsPrivate {

  269. 						return

  270. 					}

  271. 				}

  272. 			}

  273. 

  274. 			ctx.Error(http.StatusForbidden, "reqToken", "token does not have required scope: "+requiredScope)

  275. 			return

  276. 		}

  277. 		if ctx.Context.IsBasicAuth {

  278. 			ctx.CheckForOTP()

  279. 			return

  280. 		}

  281. 		if ctx.IsSigned {

  282. 			return

  283. 		}

  284. 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")

  285. 	}

  286. }

  287. 

  288. func reqExploreSignIn() func(ctx *context.APIContext) {

  289. 	return func(ctx *context.APIContext) {

  290. 		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {

  291. 			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")

  292. 		}

  293. 	}

  294. }

  295. 

  296. func reqBasicAuth() func(ctx *context.APIContext) {

  297. 	return func(ctx *context.APIContext) {

  298. 		if !ctx.Context.IsBasicAuth {

  299. 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")

  300. 			return

  301. 		}

  302. 		ctx.CheckForOTP()

  303. 	}

  304. }

  305. 

  306. // reqSiteAdmin user should be the site admin

  307. func reqSiteAdmin() func(ctx *context.APIContext) {

  308. 	return func(ctx *context.APIContext) {

  309. 		if !ctx.IsUserSiteAdmin() {

  310. 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")

  311. 			return

  312. 		}

  313. 	}

  314. }

  315. 

  316. // reqOwner user should be the owner of the repo or site admin.

  317. func reqOwner() func(ctx *context.APIContext) {

  318. 	return func(ctx *context.APIContext) {

  319. 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {

  320. 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")

  321. 			return

  322. 		}

  323. 	}

  324. }

  325. 

  326. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  327. func reqAdmin() func(ctx *context.APIContext) {

  328. 	return func(ctx *context.APIContext) {

  329. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  330. 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")

  331. 			return

  332. 		}

  333. 	}

  334. }

  335. 

  336. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  337. func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {

  338. 	return func(ctx *context.APIContext) {

  339. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  340. 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")

  341. 			return

  342. 		}

  343. 	}

  344. }

  345. 

  346. // reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin

  347. func reqRepoBranchWriter(ctx *context.APIContext) {

  348. 	options, ok := web.GetForm(ctx).(api.FileOptionInterface)

  349. 	if !ok || (!ctx.Repo.CanWriteToBranch(ctx.Doer, options.Branch()) && !ctx.IsUserSiteAdmin()) {

  350. 		ctx.Error(http.StatusForbidden, "reqRepoBranchWriter", "user should have a permission to write to this branch")

  351. 		return

  352. 	}

  353. }

  354. 

  355. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  356. func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {

  357. 	return func(ctx *context.APIContext) {

  358. 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  359. 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")

  360. 			return

  361. 		}

  362. 	}

  363. }

  364. 

  365. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  366. func reqAnyRepoReader() func(ctx *context.APIContext) {

  367. 	return func(ctx *context.APIContext) {

  368. 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {

  369. 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")

  370. 			return

  371. 		}

  372. 	}

  373. }

  374. 

  375. // reqOrgOwnership user should be an organization owner, or a site admin

  376. func reqOrgOwnership() func(ctx *context.APIContext) {

  377. 	return func(ctx *context.APIContext) {

  378. 		if ctx.Context.IsUserSiteAdmin() {

  379. 			return

  380. 		}

  381. 

  382. 		var orgID int64

  383. 		if ctx.Org.Organization != nil {

  384. 			orgID = ctx.Org.Organization.ID

  385. 		} else if ctx.Org.Team != nil {

  386. 			orgID = ctx.Org.Team.OrgID

  387. 		} else {

  388. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  389. 			return

  390. 		}

  391. 

  392. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  393. 		if err != nil {

  394. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  395. 			return

  396. 		} else if !isOwner {

  397. 			if ctx.Org.Organization != nil {

  398. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  399. 			} else {

  400. 				ctx.NotFound()

  401. 			}

  402. 			return

  403. 		}

  404. 	}

  405. }

  406. 

  407. // reqTeamMembership user should be an team member, or a site admin

  408. func reqTeamMembership() func(ctx *context.APIContext) {

  409. 	return func(ctx *context.APIContext) {

  410. 		if ctx.Context.IsUserSiteAdmin() {

  411. 			return

  412. 		}

  413. 		if ctx.Org.Team == nil {

  414. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  415. 			return

  416. 		}

  417. 

  418. 		orgID := ctx.Org.Team.OrgID

  419. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  420. 		if err != nil {

  421. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  422. 			return

  423. 		} else if isOwner {

  424. 			return

  425. 		}

  426. 

  427. 		if isTeamMember, err := organization.IsTeamMember(ctx, orgID, ctx.Org.Team.ID, ctx.Doer.ID); err != nil {

  428. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  429. 			return

  430. 		} else if !isTeamMember {

  431. 			isOrgMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID)

  432. 			if err != nil {

  433. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  434. 			} else if isOrgMember {

  435. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  436. 			} else {

  437. 				ctx.NotFound()

  438. 			}

  439. 			return

  440. 		}

  441. 	}

  442. }

  443. 

  444. // reqOrgMembership user should be an organization member, or a site admin

  445. func reqOrgMembership() func(ctx *context.APIContext) {

  446. 	return func(ctx *context.APIContext) {

  447. 		if ctx.Context.IsUserSiteAdmin() {

  448. 			return

  449. 		}

  450. 

  451. 		var orgID int64

  452. 		if ctx.Org.Organization != nil {

  453. 			orgID = ctx.Org.Organization.ID

  454. 		} else if ctx.Org.Team != nil {

  455. 			orgID = ctx.Org.Team.OrgID

  456. 		} else {

  457. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  458. 			return

  459. 		}

  460. 

  461. 		if isMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID); err != nil {

  462. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  463. 			return

  464. 		} else if !isMember {

  465. 			if ctx.Org.Organization != nil {

  466. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  467. 			} else {

  468. 				ctx.NotFound()

  469. 			}

  470. 			return

  471. 		}

  472. 	}

  473. }

  474. 

  475. func reqGitHook() func(ctx *context.APIContext) {

  476. 	return func(ctx *context.APIContext) {

  477. 		if !ctx.Doer.CanEditGitHook() {

  478. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  479. 			return

  480. 		}

  481. 	}

  482. }

  483. 

  484. // reqWebhooksEnabled requires webhooks to be enabled by admin.

  485. func reqWebhooksEnabled() func(ctx *context.APIContext) {

  486. 	return func(ctx *context.APIContext) {

  487. 		if setting.DisableWebhooks {

  488. 			ctx.Error(http.StatusForbidden, "", "webhooks disabled by administrator")

  489. 			return

  490. 		}

  491. 	}

  492. }

  493. 

  494. func orgAssignment(args ...bool) func(ctx *context.APIContext) {

  495. 	var (

  496. 		assignOrg  bool

  497. 		assignTeam bool

  498. 	)

  499. 	if len(args) > 0 {

  500. 		assignOrg = args[0]

  501. 	}

  502. 	if len(args) > 1 {

  503. 		assignTeam = args[1]

  504. 	}

  505. 	return func(ctx *context.APIContext) {

  506. 		ctx.Org = new(context.APIOrganization)

  507. 

  508. 		var err error

  509. 		if assignOrg {

  510. 			ctx.Org.Organization, err = organization.GetOrgByName(ctx.Params(":org"))

  511. 			if err != nil {

  512. 				if organization.IsErrOrgNotExist(err) {

  513. 					redirectUserID, err := user_model.LookupUserRedirect(ctx.Params(":org"))

  514. 					if err == nil {

  515. 						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)

  516. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  517. 						ctx.NotFound("GetOrgByName", err)

  518. 					} else {

  519. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  520. 					}

  521. 				} else {

  522. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  523. 				}

  524. 				return

  525. 			}

  526. 			ctx.ContextUser = ctx.Org.Organization.AsUser()

  527. 		}

  528. 

  529. 		if assignTeam {

  530. 			ctx.Org.Team, err = organization.GetTeamByID(ctx, ctx.ParamsInt64(":teamid"))

  531. 			if err != nil {

  532. 				if organization.IsErrTeamNotExist(err) {

  533. 					ctx.NotFound()

  534. 				} else {

  535. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  536. 				}

  537. 				return

  538. 			}

  539. 		}

  540. 	}

  541. }

  542. 

  543. func mustEnableIssues(ctx *context.APIContext) {

  544. 	if !ctx.Repo.CanRead(unit.TypeIssues) {

  545. 		if log.IsTrace() {

  546. 			if ctx.IsSigned {

  547. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  548. 					"User in Repo has Permissions: %-+v",

  549. 					ctx.Doer,

  550. 					unit.TypeIssues,

  551. 					ctx.Repo.Repository,

  552. 					ctx.Repo.Permission)

  553. 			} else {

  554. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  555. 					"Anonymous user in Repo has Permissions: %-+v",

  556. 					unit.TypeIssues,

  557. 					ctx.Repo.Repository,

  558. 					ctx.Repo.Permission)

  559. 			}

  560. 		}

  561. 		ctx.NotFound()

  562. 		return

  563. 	}

  564. }

  565. 

  566. func mustAllowPulls(ctx *context.APIContext) {

  567. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  568. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  569. 			if ctx.IsSigned {

  570. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  571. 					"User in Repo has Permissions: %-+v",

  572. 					ctx.Doer,

  573. 					unit.TypePullRequests,

  574. 					ctx.Repo.Repository,

  575. 					ctx.Repo.Permission)

  576. 			} else {

  577. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  578. 					"Anonymous user in Repo has Permissions: %-+v",

  579. 					unit.TypePullRequests,

  580. 					ctx.Repo.Repository,

  581. 					ctx.Repo.Permission)

  582. 			}

  583. 		}

  584. 		ctx.NotFound()

  585. 		return

  586. 	}

  587. }

  588. 

  589. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  590. 	if !ctx.Repo.CanRead(unit.TypeIssues) &&

  591. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  592. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  593. 			if ctx.IsSigned {

  594. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  595. 					"User in Repo has Permissions: %-+v",

  596. 					ctx.Doer,

  597. 					unit.TypeIssues,

  598. 					unit.TypePullRequests,

  599. 					ctx.Repo.Repository,

  600. 					ctx.Repo.Permission)

  601. 			} else {

  602. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  603. 					"Anonymous user in Repo has Permissions: %-+v",

  604. 					unit.TypeIssues,

  605. 					unit.TypePullRequests,

  606. 					ctx.Repo.Repository,

  607. 					ctx.Repo.Permission)

  608. 			}

  609. 		}

  610. 		ctx.NotFound()

  611. 		return

  612. 	}

  613. }

  614. 

  615. func mustEnableWiki(ctx *context.APIContext) {

  616. 	if !(ctx.Repo.CanRead(unit.TypeWiki)) {

  617. 		ctx.NotFound()

  618. 		return

  619. 	}

  620. }

  621. 

  622. func mustNotBeArchived(ctx *context.APIContext) {

  623. 	if ctx.Repo.Repository.IsArchived {

  624. 		ctx.NotFound()

  625. 		return

  626. 	}

  627. }

  628. 

  629. func mustEnableAttachments(ctx *context.APIContext) {

  630. 	if !setting.Attachment.Enabled {

  631. 		ctx.NotFound()

  632. 		return

  633. 	}

  634. }

  635. 

  636. // bind binding an obj to a func(ctx *context.APIContext)

  637. func bind[T any](obj T) http.HandlerFunc {

  638. 	return web.Wrap(func(ctx *context.APIContext) {

  639. 		theObj := new(T) // create a new form obj for every request but not use obj directly

  640. 		errs := binding.Bind(ctx.Req, theObj)

  641. 		if len(errs) > 0 {

  642. 			ctx.Error(http.StatusUnprocessableEntity, "validationError", fmt.Sprintf("%s: %s", errs[0].FieldNames, errs[0].Error()))

  643. 			return

  644. 		}

  645. 		web.SetForm(ctx, theObj)

  646. 	})

  647. }

  648. 

  649. // The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored

  650. // in the session (if there is a user id stored in session other plugins might return the user

  651. // object for that id).

  652. //

  653. // The Session plugin is expected to be executed second, in order to skip authentication

  654. // for users that have already signed in.

  655. func buildAuthGroup() *auth.Group {

  656. 	group := auth.NewGroup(

  657. 		&auth.OAuth2{},

  658. 		&auth.HTTPSign{},

  659. 		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API

  660. 	)

  661. 	specialAdd(group)

  662. 

  663. 	return group

  664. }

  665. 

  666. // Routes registers all v1 APIs routes to web application.

  667. func Routes(ctx gocontext.Context) *web.Route {

  668. 	m := web.NewRoute()

  669. 

  670. 	m.Use(securityHeaders())

  671. 	if setting.CORSConfig.Enabled {

  672. 		m.Use(cors.Handler(cors.Options{

  673. 			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option

  674. 			AllowedOrigins: setting.CORSConfig.AllowDomain,

  675. 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option

  676. 			AllowedMethods:   setting.CORSConfig.Methods,

  677. 			AllowCredentials: setting.CORSConfig.AllowCredentials,

  678. 			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),

  679. 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),

  680. 		}))

  681. 	}

  682. 	m.Use(context.APIContexter())

  683. 

  684. 	group := buildAuthGroup()

  685. 	if err := group.Init(ctx); err != nil {

  686. 		log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)

  687. 	}

  688. 

  689. 	// Get user from session if logged in.

  690. 	m.Use(context.APIAuth(group))

  691. 

  692. 	m.Use(context.ToggleAPI(&context.ToggleOptions{

  693. 		SignInRequired: setting.Service.RequireSignInView,

  694. 	}))

  695. 

  696. 	m.Group("", func() {

  697. 		// Miscellaneous (no scope required)

  698. 		if setting.API.EnableSwagger {

  699. 			m.Get("/swagger", func(ctx *context.APIContext) {

  700. 				ctx.Redirect(setting.AppSubURL + "/api/swagger")

  701. 			})

  702. 		}

  703. 		m.Get("/version", misc.Version)

  704. 		if setting.Federation.Enabled {

  705. 			m.Get("/nodeinfo", misc.NodeInfo)

  706. 			m.Group("/activitypub", func() {

  707. 				m.Group("/user/{username}", func() {

  708. 					m.Get("", activitypub.Person)

  709. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  710. 				}, context_service.UserAssignmentAPI())

  711. 			})

  712. 		}

  713. 		m.Get("/signing-key.gpg", misc.SigningKey)

  714. 		m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  715. 		m.Post("/markdown/raw", misc.MarkdownRaw)

  716. 		m.Group("/settings", func() {

  717. 			m.Get("/ui", settings.GetGeneralUISettings)

  718. 			m.Get("/api", settings.GetGeneralAPISettings)

  719. 			m.Get("/attachment", settings.GetGeneralAttachmentSettings)

  720. 			m.Get("/repository", settings.GetGeneralRepoSettings)

  721. 		})

  722. 

  723. 		// Notifications (requires 'notification' scope)

  724. 		m.Group("/notifications", func() {

  725. 			m.Combo("").

  726. 				Get(notify.ListNotifications).

  727. 				Put(notify.ReadNotifications)

  728. 			m.Get("/new", notify.NewAvailable)

  729. 			m.Combo("/threads/{id}").

  730. 				Get(notify.GetThread).

  731. 				Patch(notify.ReadThread)

  732. 		}, reqToken(auth_model.AccessTokenScopeNotification))

  733. 

  734. 		// Users (no scope required)

  735. 		m.Group("/users", func() {

  736. 			m.Get("/search", reqExploreSignIn(), user.Search)

  737. 

  738. 			m.Group("/{username}", func() {

  739. 				m.Get("", reqExploreSignIn(), user.GetInfo)

  740. 

  741. 				if setting.Service.EnableUserHeatmap {

  742. 					m.Get("/heatmap", user.GetUserHeatmapData)

  743. 				}

  744. 

  745. 				m.Get("/repos", reqExploreSignIn(), user.ListUserRepos)

  746. 				m.Group("/tokens", func() {

  747. 					m.Combo("").Get(user.ListAccessTokens).

  748. 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

  749. 					m.Combo("/{id}").Delete(user.DeleteAccessToken)

  750. 				}, reqBasicAuth())

  751. 			}, context_service.UserAssignmentAPI())

  752. 		})

  753. 

  754. 		// (no scope required)

  755. 		m.Group("/users", func() {

  756. 			m.Group("/{username}", func() {

  757. 				m.Get("/keys", user.ListPublicKeys)

  758. 				m.Get("/gpg_keys", user.ListGPGKeys)

  759. 

  760. 				m.Get("/followers", user.ListFollowers)

  761. 				m.Group("/following", func() {

  762. 					m.Get("", user.ListFollowing)

  763. 					m.Get("/{target}", user.CheckFollowing)

  764. 				})

  765. 

  766. 				m.Get("/starred", user.GetStarredRepos)

  767. 

  768. 				m.Get("/subscriptions", user.GetWatchedRepos)

  769. 			}, context_service.UserAssignmentAPI())

  770. 		}, reqToken(""))

  771. 

  772. 		m.Group("/user", func() {

  773. 			m.Get("", user.GetAuthenticatedUser)

  774. 			m.Group("/settings", func() {

  775. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadUser), user.GetUserSettings)

  776. 				m.Patch("", reqToken(auth_model.AccessTokenScopeUser), bind(api.UserSettingsOptions{}), user.UpdateUserSettings)

  777. 			})

  778. 			m.Combo("/emails").Get(reqToken(auth_model.AccessTokenScopeReadUser), user.ListEmails).

  779. 				Post(reqToken(auth_model.AccessTokenScopeUser), bind(api.CreateEmailOption{}), user.AddEmail).

  780. 				Delete(reqToken(auth_model.AccessTokenScopeUser), bind(api.DeleteEmailOption{}), user.DeleteEmail)

  781. 

  782. 			m.Get("/followers", user.ListMyFollowers)

  783. 			m.Group("/following", func() {

  784. 				m.Get("", user.ListMyFollowing)

  785. 				m.Group("/{username}", func() {

  786. 					m.Get("", user.CheckMyFollowing)

  787. 					m.Put("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Follow)      // requires 'user:follow' scope

  788. 					m.Delete("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Unfollow) // requires 'user:follow' scope

  789. 				}, context_service.UserAssignmentAPI())

  790. 			})

  791. 

  792. 			// (admin:public_key scope)

  793. 			m.Group("/keys", func() {

  794. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.ListMyPublicKeys).

  795. 					Post(reqToken(auth_model.AccessTokenScopeWritePublicKey), bind(api.CreateKeyOption{}), user.CreatePublicKey)

  796. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.GetPublicKey).

  797. 					Delete(reqToken(auth_model.AccessTokenScopeWritePublicKey), user.DeletePublicKey)

  798. 			})

  799. 

  800. 			// (admin:application scope)

  801. 			m.Group("/applications", func() {

  802. 				m.Combo("/oauth2").

  803. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.ListOauth2Applications).

  804. 					Post(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  805. 				m.Combo("/oauth2/{id}").

  806. 					Delete(reqToken(auth_model.AccessTokenScopeWriteApplication), user.DeleteOauth2Application).

  807. 					Patch(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).

  808. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.GetOauth2Application)

  809. 			})

  810. 

  811. 			// (admin:gpg_key scope)

  812. 			m.Group("/gpg_keys", func() {

  813. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.ListMyGPGKeys).

  814. 					Post(reqToken(auth_model.AccessTokenScopeWriteGPGKey), bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  815. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetGPGKey).

  816. 					Delete(reqToken(auth_model.AccessTokenScopeWriteGPGKey), user.DeleteGPGKey)

  817. 			})

  818. 			m.Get("/gpg_key_token", reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetVerificationToken)

  819. 			m.Post("/gpg_key_verify", reqToken(auth_model.AccessTokenScopeReadGPGKey), bind(api.VerifyGPGKeyOption{}), user.VerifyUserGPGKey)

  820. 

  821. 			// (repo scope)

  822. 			m.Combo("/repos", reqToken(auth_model.AccessTokenScopeRepo)).Get(user.ListMyRepos).

  823. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  824. 

  825. 			// (repo scope)

  826. 			m.Group("/starred", func() {

  827. 				m.Get("", user.GetMyStarredRepos)

  828. 				m.Group("/{username}/{reponame}", func() {

  829. 					m.Get("", user.IsStarring)

  830. 					m.Put("", user.Star)

  831. 					m.Delete("", user.Unstar)

  832. 				}, repoAssignment())

  833. 			}, reqToken(auth_model.AccessTokenScopeRepo))

  834. 			m.Get("/times", reqToken(auth_model.AccessTokenScopeRepo), repo.ListMyTrackedTimes)

  835. 			m.Get("/stopwatches", reqToken(auth_model.AccessTokenScopeRepo), repo.GetStopwatches)

  836. 			m.Get("/subscriptions", reqToken(auth_model.AccessTokenScopeRepo), user.GetMyWatchedRepos)

  837. 			m.Get("/teams", reqToken(auth_model.AccessTokenScopeRepo), org.ListUserTeams)

  838. 		}, reqToken(""))

  839. 

  840. 		// Repositories

  841. 		m.Post("/org/{org}/repos", reqToken(auth_model.AccessTokenScopeAdminOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

  842. 

  843. 		m.Combo("/repositories/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.GetByID)

  844. 

  845. 		m.Group("/repos", func() {

  846. 			m.Get("/search", repo.Search)

  847. 

  848. 			m.Get("/issues/search", repo.SearchIssues)

  849. 

  850. 			// (repo scope)

  851. 			m.Post("/migrate", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MigrateRepoOptions{}), repo.Migrate)

  852. 

  853. 			m.Group("/{username}/{reponame}", func() {

  854. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  855. 					Delete(reqToken(auth_model.AccessTokenScopeDeleteRepo), reqOwner(), repo.Delete).

  856. 					Patch(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)

  857. 				m.Post("/generate", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)

  858. 				m.Group("/transfer", func() {

  859. 					m.Post("", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  860. 					m.Post("/accept", repo.AcceptTransfer)

  861. 					m.Post("/reject", repo.RejectTransfer)

  862. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  863. 				m.Combo("/notifications", reqToken(auth_model.AccessTokenScopeNotification)).

  864. 					Get(notify.ListRepoNotifications).

  865. 					Put(notify.ReadRepoNotifications)

  866. 				m.Group("/hooks/git", func() {

  867. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListGitHooks)

  868. 					m.Group("/{id}", func() {

  869. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetGitHook).

  870. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditGitHookOption{}), repo.EditGitHook).

  871. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteGitHook)

  872. 					})

  873. 				}, reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))

  874. 				m.Group("/hooks", func() {

  875. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListHooks).

  876. 						Post(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.CreateHookOption{}), repo.CreateHook)

  877. 					m.Group("/{id}", func() {

  878. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetHook).

  879. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditHookOption{}), repo.EditHook).

  880. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteHook)

  881. 						m.Post("/tests", reqToken(auth_model.AccessTokenScopeReadRepoHook), context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)

  882. 					})

  883. 				}, reqAdmin(), reqWebhooksEnabled())

  884. 				m.Group("/collaborators", func() {

  885. 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)

  886. 					m.Group("/{collaborator}", func() {

  887. 						m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).

  888. 							Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  889. 							Delete(reqAdmin(), repo.DeleteCollaborator)

  890. 						m.Get("/permission", repo.GetRepoPermissions)

  891. 					})

  892. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  893. 				m.Get("/assignees", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetAssignees)

  894. 				m.Get("/reviewers", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetReviewers)

  895. 				m.Group("/teams", func() {

  896. 					m.Get("", reqAnyRepoReader(), repo.ListTeams)

  897. 					m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).

  898. 						Put(reqAdmin(), repo.AddTeam).

  899. 						Delete(reqAdmin(), repo.DeleteTeam)

  900. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  901. 				m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)

  902. 				m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)

  903. 				m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)

  904. 				m.Combo("/forks").Get(repo.ListForks).

  905. 					Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  906. 				m.Group("/branches", func() {

  907. 					m.Get("", repo.ListBranches)

  908. 					m.Get("/*", repo.GetBranch)

  909. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.DeleteBranch)

  910. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)

  911. 				}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))

  912. 				m.Group("/branch_protections", func() {

  913. 					m.Get("", repo.ListBranchProtections)

  914. 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)

  915. 					m.Group("/{name}", func() {

  916. 						m.Get("", repo.GetBranchProtection)

  917. 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)

  918. 						m.Delete("", repo.DeleteBranchProtection)

  919. 					})

  920. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  921. 				m.Group("/tags", func() {

  922. 					m.Get("", repo.ListTags)

  923. 					m.Get("/*", repo.GetTag)

  924. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)

  925. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTag)

  926. 				}, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))

  927. 				m.Group("/keys", func() {

  928. 					m.Combo("").Get(repo.ListDeployKeys).

  929. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  930. 					m.Combo("/{id}").Get(repo.GetDeployKey).

  931. 						Delete(repo.DeleteDeploykey)

  932. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  933. 				m.Group("/times", func() {

  934. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  935. 					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)

  936. 				}, mustEnableIssues, reqToken(auth_model.AccessTokenScopeRepo))

  937. 				m.Group("/wiki", func() {

  938. 					m.Combo("/page/{pageName}").

  939. 						Get(repo.GetWikiPage).

  940. 						Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).

  941. 						Delete(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)

  942. 					m.Get("/revisions/{pageName}", repo.ListPageRevisions)

  943. 					m.Post("/new", mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)

  944. 					m.Get("/pages", repo.ListWikiPages)

  945. 				}, mustEnableWiki)

  946. 				m.Group("/issues", func() {

  947. 					m.Combo("").Get(repo.ListIssues).

  948. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)

  949. 					m.Group("/comments", func() {

  950. 						m.Get("", repo.ListRepoIssueComments)

  951. 						m.Group("/{id}", func() {

  952. 							m.Combo("").

  953. 								Get(repo.GetIssueComment).

  954. 								Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  955. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueComment)

  956. 							m.Combo("/reactions").

  957. 								Get(repo.GetIssueCommentReactions).

  958. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).

  959. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)

  960. 							m.Group("/assets", func() {

  961. 								m.Combo("").

  962. 									Get(repo.ListIssueCommentAttachments).

  963. 									Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueCommentAttachment)

  964. 								m.Combo("/{asset}").

  965. 									Get(repo.GetIssueCommentAttachment).

  966. 									Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueCommentAttachment).

  967. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueCommentAttachment)

  968. 							}, mustEnableAttachments)

  969. 						})

  970. 					})

  971. 					m.Group("/{index}", func() {

  972. 						m.Combo("").Get(repo.GetIssue).

  973. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueOption{}), repo.EditIssue).

  974. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), context.ReferencesGitRepo(), repo.DeleteIssue)

  975. 						m.Group("/comments", func() {

  976. 							m.Combo("").Get(repo.ListIssueComments).

  977. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  978. 							m.Combo("/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  979. 								Delete(repo.DeleteIssueCommentDeprecated)

  980. 						})

  981. 						m.Get("/timeline", repo.ListIssueCommentsAndTimeline)

  982. 						m.Group("/labels", func() {

  983. 							m.Combo("").Get(repo.ListIssueLabels).

  984. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  985. 								Put(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  986. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.ClearIssueLabels)

  987. 							m.Delete("/{id}", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueLabel)

  988. 						})

  989. 						m.Group("/times", func() {

  990. 							m.Combo("").

  991. 								Get(repo.ListTrackedTimes).

  992. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  993. 								Delete(repo.ResetIssueTime)

  994. 							m.Delete("/{id}", repo.DeleteTime)

  995. 						}, reqToken(auth_model.AccessTokenScopeRepo))

  996. 						m.Combo("/deadline").Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  997. 						m.Group("/stopwatch", func() {

  998. 							m.Post("/start", reqToken(auth_model.AccessTokenScopeRepo), repo.StartIssueStopwatch)

  999. 							m.Post("/stop", reqToken(auth_model.AccessTokenScopeRepo), repo.StopIssueStopwatch)

  1000. 							m.Delete("/delete", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueStopwatch)

  1001. 						})

  1002. 						m.Group("/subscriptions", func() {

  1003. 							m.Get("", repo.GetIssueSubscribers)

  1004. 							m.Get("/check", reqToken(auth_model.AccessTokenScopeRepo), repo.CheckIssueSubscription)

  1005. 							m.Put("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.AddIssueSubscription)

  1006. 							m.Delete("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.DelIssueSubscription)

  1007. 						})

  1008. 						m.Combo("/reactions").

  1009. 							Get(repo.GetIssueReactions).

  1010. 							Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueReaction).

  1011. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)

  1012. 						m.Group("/assets", func() {

  1013. 							m.Combo("").

  1014. 								Get(repo.ListIssueAttachments).

  1015. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueAttachment)

  1016. 							m.Combo("/{asset}").

  1017. 								Get(repo.GetIssueAttachment).

  1018. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueAttachment).

  1019. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueAttachment)

  1020. 						}, mustEnableAttachments)

  1021. 					})

  1022. 				}, mustEnableIssuesOrPulls)

  1023. 				m.Group("/labels", func() {

  1024. 					m.Combo("").Get(repo.ListLabels).

  1025. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  1026. 					m.Combo("/{id}").Get(repo.GetLabel).

  1027. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  1028. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteLabel)

  1029. 				})

  1030. 				m.Post("/markdown", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MarkdownOption{}), misc.Markdown)

  1031. 				m.Post("/markdown/raw", reqToken(auth_model.AccessTokenScopeRepo), misc.MarkdownRaw)

  1032. 				m.Group("/milestones", func() {

  1033. 					m.Combo("").Get(repo.ListMilestones).

  1034. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  1035. 					m.Combo("/{id}").Get(repo.GetMilestone).

  1036. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  1037. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)

  1038. 				})

  1039. 				m.Get("/stargazers", repo.ListStargazers)

  1040. 				m.Get("/subscribers", repo.ListSubscribers)

  1041. 				m.Group("/subscription", func() {

  1042. 					m.Get("", user.IsWatching)

  1043. 					m.Put("", reqToken(auth_model.AccessTokenScopeRepo), user.Watch)

  1044. 					m.Delete("", reqToken(auth_model.AccessTokenScopeRepo), user.Unwatch)

  1045. 				})

  1046. 				m.Group("/releases", func() {

  1047. 					m.Combo("").Get(repo.ListReleases).

  1048. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  1049. 					m.Combo("/latest").Get(repo.GetLatestRelease)

  1050. 					m.Group("/{id}", func() {

  1051. 						m.Combo("").Get(repo.GetRelease).

  1052. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.EditReleaseOption{}), repo.EditRelease).

  1053. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteRelease)

  1054. 						m.Group("/assets", func() {

  1055. 							m.Combo("").Get(repo.ListReleaseAttachments).

  1056. 								Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.CreateReleaseAttachment)

  1057. 							m.Combo("/{asset}").Get(repo.GetReleaseAttachment).

  1058. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  1059. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseAttachment)

  1060. 						})

  1061. 					})

  1062. 					m.Group("/tags", func() {

  1063. 						m.Combo("/{tag}").

  1064. 							Get(repo.GetReleaseByTag).

  1065. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseByTag)

  1066. 					})

  1067. 				}, reqRepoReader(unit.TypeReleases))

  1068. 				m.Post("/mirror-sync", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.MirrorSync)

  1069. 				m.Post("/push_mirrors-sync", reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo), repo.PushMirrorSync)

  1070. 				m.Group("/push_mirrors", func() {

  1071. 					m.Combo("").Get(repo.ListPushMirrors).

  1072. 						Post(bind(api.CreatePushMirrorOption{}), repo.AddPushMirror)

  1073. 					m.Combo("/{name}").

  1074. 						Delete(repo.DeletePushMirrorByRemoteName).

  1075. 						Get(repo.GetPushMirrorByName)

  1076. 				}, reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo))

  1077. 

  1078. 				m.Get("/editorconfig/{filename}", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetEditorconfig)

  1079. 				m.Group("/pulls", func() {

  1080. 					m.Combo("").Get(repo.ListPullRequests).

  1081. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  1082. 					m.Group("/{index}", func() {

  1083. 						m.Combo("").Get(repo.GetPullRequest).

  1084. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  1085. 						m.Get(".{diffType:diff|patch}", repo.DownloadPullDiffOrPatch)

  1086. 						m.Post("/update", reqToken(auth_model.AccessTokenScopeRepo), repo.UpdatePullRequest)

  1087. 						m.Get("/commits", repo.GetPullRequestCommits)

  1088. 						m.Get("/files", repo.GetPullRequestFiles)

  1089. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  1090. 							Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).

  1091. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CancelScheduledAutoMerge)

  1092. 						m.Group("/reviews", func() {

  1093. 							m.Combo("").

  1094. 								Get(repo.ListPullReviews).

  1095. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)

  1096. 							m.Group("/{id}", func() {

  1097. 								m.Combo("").

  1098. 									Get(repo.GetPullReview).

  1099. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeletePullReview).

  1100. 									Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)

  1101. 								m.Combo("/comments").

  1102. 									Get(repo.GetPullReviewComments)

  1103. 								m.Post("/dismissals", reqToken(auth_model.AccessTokenScopeRepo), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)

  1104. 								m.Post("/undismissals", reqToken(auth_model.AccessTokenScopeRepo), repo.UnDismissPullReview)

  1105. 							})

  1106. 						})

  1107. 						m.Combo("/requested_reviewers", reqToken(auth_model.AccessTokenScopeRepo)).

  1108. 							Delete(bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).

  1109. 							Post(bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)

  1110. 					})

  1111. 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())

  1112. 				m.Group("/statuses", func() {

  1113. 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).

  1114. 						Post(reqToken(auth_model.AccessTokenScopeRepoStatus), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  1115. 				}, reqRepoReader(unit.TypeCode))

  1116. 				m.Group("/commits", func() {

  1117. 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)

  1118. 					m.Group("/{ref}", func() {

  1119. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  1120. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  1121. 					}, context.ReferencesGitRepo())

  1122. 				}, reqRepoReader(unit.TypeCode))

  1123. 				m.Group("/git", func() {

  1124. 					m.Group("/commits", func() {

  1125. 						m.Get("/{sha}", repo.GetSingleCommit)

  1126. 						m.Get("/{sha}.{diffType:diff|patch}", repo.DownloadCommitDiffOrPatch)

  1127. 					})

  1128. 					m.Get("/refs", repo.GetGitAllRefs)

  1129. 					m.Get("/refs/*", repo.GetGitRefs)

  1130. 					m.Get("/trees/{sha}", repo.GetTree)

  1131. 					m.Get("/blobs/{sha}", repo.GetBlob)

  1132. 					m.Get("/tags/{sha}", repo.GetAnnotatedTag)

  1133. 					m.Get("/notes/{sha}", repo.GetNote)

  1134. 				}, context.ReferencesGitRepo(true), reqRepoReader(unit.TypeCode))

  1135. 				m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(auth_model.AccessTokenScopeRepo), bind(api.ApplyDiffPatchFileOptions{}), repo.ApplyDiffPatch)

  1136. 				m.Group("/contents", func() {

  1137. 					m.Get("", repo.GetContentsList)

  1138. 					m.Get("/*", repo.GetContents)

  1139. 					m.Group("/*", func() {

  1140. 						m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, repo.CreateFile)

  1141. 						m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, repo.UpdateFile)

  1142. 						m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, repo.DeleteFile)

  1143. 					}, reqToken(auth_model.AccessTokenScopeRepo))

  1144. 				}, reqRepoReader(unit.TypeCode))

  1145. 				m.Get("/signing-key.gpg", misc.SigningKey)

  1146. 				m.Group("/topics", func() {

  1147. 					m.Combo("").Get(repo.ListTopics).

  1148. 						Put(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  1149. 					m.Group("/{topic}", func() {

  1150. 						m.Combo("").Put(reqToken(auth_model.AccessTokenScopeRepo), repo.AddTopic).

  1151. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTopic)

  1152. 					}, reqAdmin())

  1153. 				}, reqAnyRepoReader())

  1154. 				m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)

  1155. 				m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)

  1156. 			}, repoAssignment())

  1157. 		})

  1158. 

  1159. 		// NOTE: these are Gitea package management API - see packages.CommonRoutes and packages.DockerContainerRoutes for endpoints that implement package manager APIs

  1160. 		m.Group("/packages/{username}", func() {

  1161. 			m.Group("/{type}/{name}/{version}", func() {

  1162. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadPackage), packages.GetPackage)

  1163. 				m.Delete("", reqToken(auth_model.AccessTokenScopeDeletePackage), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)

  1164. 				m.Get("/files", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackageFiles)

  1165. 			})

  1166. 			m.Get("/", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackages)

  1167. 		}, context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))

  1168. 

  1169. 		// Organizations

  1170. 		m.Get("/user/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMyOrgs)

  1171. 		m.Group("/users/{username}/orgs", func() {

  1172. 			m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListUserOrgs)

  1173. 			m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)

  1174. 		}, context_service.UserAssignmentAPI())

  1175. 		m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)

  1176. 		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

  1177. 		m.Group("/orgs/{org}", func() {

  1178. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).

  1179. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  1180. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)

  1181. 			m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).

  1182. 				Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  1183. 			m.Group("/members", func() {

  1184. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)

  1185. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).

  1186. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)

  1187. 			})

  1188. 			m.Group("/public_members", func() {

  1189. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)

  1190. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).

  1191. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).

  1192. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)

  1193. 			})

  1194. 			m.Group("/teams", func() {

  1195. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListTeams)

  1196. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  1197. 				m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)

  1198. 			}, reqOrgMembership())

  1199. 			m.Group("/labels", func() {

  1200. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)

  1201. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

  1202. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).

  1203. 					Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

  1204. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteLabel)

  1205. 			})

  1206. 			m.Group("/hooks", func() {

  1207. 				m.Combo("").Get(org.ListHooks).

  1208. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  1209. 				m.Combo("/{id}").Get(org.GetHook).

  1210. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  1211. 					Delete(org.DeleteHook)

  1212. 			}, reqToken(auth_model.AccessTokenScopeAdminOrgHook), reqOrgOwnership(), reqWebhooksEnabled())

  1213. 		}, orgAssignment(true))

  1214. 		m.Group("/teams/{teamid}", func() {

  1215. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeam).

  1216. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  1217. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteTeam)

  1218. 			m.Group("/members", func() {

  1219. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMembers)

  1220. 				m.Combo("/{username}").

  1221. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMember).

  1222. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.AddTeamMember).

  1223. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.RemoveTeamMember)

  1224. 			})

  1225. 			m.Group("/repos", func() {

  1226. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepos)

  1227. 				m.Combo("/{org}/{reponame}").

  1228. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), org.AddTeamRepository).

  1229. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), org.RemoveTeamRepository).

  1230. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepo)

  1231. 			})

  1232. 		}, orgAssignment(false, true), reqToken(""), reqTeamMembership())

  1233. 

  1234. 		m.Group("/admin", func() {

  1235. 			m.Group("/cron", func() {

  1236. 				m.Get("", admin.ListCronTasks)

  1237. 				m.Post("/{task}", admin.PostCronTask)

  1238. 			})

  1239. 			m.Get("/orgs", admin.GetAllOrgs)

  1240. 			m.Group("/users", func() {

  1241. 				m.Get("", admin.GetAllUsers)

  1242. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  1243. 				m.Group("/{username}", func() {

  1244. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  1245. 						Delete(admin.DeleteUser)

  1246. 					m.Group("/keys", func() {

  1247. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  1248. 						m.Delete("/{id}", admin.DeleteUserPublicKey)

  1249. 					})

  1250. 					m.Get("/orgs", org.ListUserOrgs)

  1251. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  1252. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  1253. 				}, context_service.UserAssignmentAPI())

  1254. 			})

  1255. 			m.Group("/unadopted", func() {

  1256. 				m.Get("", admin.ListUnadoptedRepositories)

  1257. 				m.Post("/{username}/{reponame}", admin.AdoptRepository)

  1258. 				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)

  1259. 			})

  1260. 			m.Group("/hooks", func() {

  1261. 				m.Combo("").Get(admin.ListHooks).

  1262. 					Post(bind(api.CreateHookOption{}), admin.CreateHook)

  1263. 				m.Combo("/{id}").Get(admin.GetHook).

  1264. 					Patch(bind(api.EditHookOption{}), admin.EditHook).

  1265. 					Delete(admin.DeleteHook)

  1266. 			})

  1267. 		}, reqToken(auth_model.AccessTokenScopeSudo), reqSiteAdmin())

  1268. 

  1269. 		m.Group("/topics", func() {

  1270. 			m.Get("/search", repo.TopicSearch)

  1271. 		})

  1272. 	}, sudo())

  1273. 

  1274. 	return m

  1275. }

  1276. 

  1277. func securityHeaders() func(http.Handler) http.Handler {

  1278. 	return func(next http.Handler) http.Handler {

  1279. 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {

  1280. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  1281. 			// http://stackoverflow.com/a/3146618/244009

  1282. 			resp.Header().Set("x-content-type-options", "nosniff")

  1283. 			next.ServeHTTP(resp, req)

  1284. 		})

  1285. 	}

  1286. }