mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17706 Commits
17 Branches
Tree: 62b073e6f3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '62b073e6f3'
${ noResults }
gitea/routers/api/v1/api.go

api.go 60KB
Raw Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. // Package v1 Gitea API

  6. //

  7. // This documentation describes the Gitea API.

  8. //

  9. //	Schemes: https, http

  10. //	BasePath: /api/v1

  11. //	Version: {{AppVer | JSEscape}}

  12. //	License: MIT http://opensource.org/licenses/MIT

  13. //

  14. //	Consumes:

  15. //	- application/json

  16. //	- text/plain

  17. //

  18. //	Produces:

  19. //	- application/json

  20. //	- text/html

  21. //

  22. //	Security:

  23. //	- BasicAuth :

  24. //	- Token :

  25. //	- AccessToken :

  26. //	- AuthorizationHeaderToken :

  27. //	- SudoParam :

  28. //	- SudoHeader :

  29. //	- TOTPHeader :

  30. //

  31. //	SecurityDefinitions:

  32. //	BasicAuth:

  33. //	     type: basic

  34. //	Token:

  35. //	     type: apiKey

  36. //	     name: token

  37. //	     in: query

  38. //	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.

  39. //	AccessToken:

  40. //	     type: apiKey

  41. //	     name: access_token

  42. //	     in: query

  43. //	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.

  44. //	AuthorizationHeaderToken:

  45. //	     type: apiKey

  46. //	     name: Authorization

  47. //	     in: header

  48. //	     description: API tokens must be prepended with "token" followed by a space.

  49. //	SudoParam:

  50. //	     type: apiKey

  51. //	     name: sudo

  52. //	     in: query

  53. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  54. //	SudoHeader:

  55. //	     type: apiKey

  56. //	     name: Sudo

  57. //	     in: header

  58. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  59. //	TOTPHeader:

  60. //	     type: apiKey

  61. //	     name: X-GITEA-OTP

  62. //	     in: header

  63. //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.

  64. //

  65. // swagger:meta

  66. package v1

  67. 

  68. import (

  69. 	"fmt"

  70. 	"net/http"

  71. 	"strings"

  72. 

  73. 	actions_model "code.gitea.io/gitea/models/actions"

  74. 	auth_model "code.gitea.io/gitea/models/auth"

  75. 	"code.gitea.io/gitea/models/db"

  76. 	"code.gitea.io/gitea/models/organization"

  77. 	"code.gitea.io/gitea/models/perm"

  78. 	access_model "code.gitea.io/gitea/models/perm/access"

  79. 	repo_model "code.gitea.io/gitea/models/repo"

  80. 	"code.gitea.io/gitea/models/unit"

  81. 	user_model "code.gitea.io/gitea/models/user"

  82. 	"code.gitea.io/gitea/modules/log"

  83. 	"code.gitea.io/gitea/modules/setting"

  84. 	api "code.gitea.io/gitea/modules/structs"

  85. 	"code.gitea.io/gitea/modules/web"

  86. 	"code.gitea.io/gitea/routers/api/v1/activitypub"

  87. 	"code.gitea.io/gitea/routers/api/v1/admin"

  88. 	"code.gitea.io/gitea/routers/api/v1/misc"

  89. 	"code.gitea.io/gitea/routers/api/v1/notify"

  90. 	"code.gitea.io/gitea/routers/api/v1/org"

  91. 	"code.gitea.io/gitea/routers/api/v1/packages"

  92. 	"code.gitea.io/gitea/routers/api/v1/repo"

  93. 	"code.gitea.io/gitea/routers/api/v1/settings"

  94. 	"code.gitea.io/gitea/routers/api/v1/user"

  95. 	"code.gitea.io/gitea/routers/common"

  96. 	"code.gitea.io/gitea/services/auth"

  97. 	"code.gitea.io/gitea/services/context"

  98. 	"code.gitea.io/gitea/services/forms"

  99. 

  100. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  101. 

  102. 	"gitea.com/go-chi/binding"

  103. 	"github.com/go-chi/cors"

  104. )

  105. 

  106. func sudo() func(ctx *context.APIContext) {

  107. 	return func(ctx *context.APIContext) {

  108. 		sudo := ctx.FormString("sudo")

  109. 		if len(sudo) == 0 {

  110. 			sudo = ctx.Req.Header.Get("Sudo")

  111. 		}

  112. 

  113. 		if len(sudo) > 0 {

  114. 			if ctx.IsSigned && ctx.Doer.IsAdmin {

  115. 				user, err := user_model.GetUserByName(ctx, sudo)

  116. 				if err != nil {

  117. 					if user_model.IsErrUserNotExist(err) {

  118. 						ctx.NotFound()

  119. 					} else {

  120. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  121. 					}

  122. 					return

  123. 				}

  124. 				log.Trace("Sudo from (%s) to: %s", ctx.Doer.Name, user.Name)

  125. 				ctx.Doer = user

  126. 			} else {

  127. 				ctx.JSON(http.StatusForbidden, map[string]string{

  128. 					"message": "Only administrators allowed to sudo.",

  129. 				})

  130. 				return

  131. 			}

  132. 		}

  133. 	}

  134. }

  135. 

  136. func repoAssignment() func(ctx *context.APIContext) {

  137. 	return func(ctx *context.APIContext) {

  138. 		userName := ctx.Params("username")

  139. 		repoName := ctx.Params("reponame")

  140. 

  141. 		var (

  142. 			owner *user_model.User

  143. 			err   error

  144. 		)

  145. 

  146. 		// Check if the user is the same as the repository owner.

  147. 		if ctx.IsSigned && ctx.Doer.LowerName == strings.ToLower(userName) {

  148. 			owner = ctx.Doer

  149. 		} else {

  150. 			owner, err = user_model.GetUserByName(ctx, userName)

  151. 			if err != nil {

  152. 				if user_model.IsErrUserNotExist(err) {

  153. 					if redirectUserID, err := user_model.LookupUserRedirect(ctx, userName); err == nil {

  154. 						context.RedirectToUser(ctx.Base, userName, redirectUserID)

  155. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  156. 						ctx.NotFound("GetUserByName", err)

  157. 					} else {

  158. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  159. 					}

  160. 				} else {

  161. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  162. 				}

  163. 				return

  164. 			}

  165. 		}

  166. 		ctx.Repo.Owner = owner

  167. 		ctx.ContextUser = owner

  168. 

  169. 		// Get repository.

  170. 		repo, err := repo_model.GetRepositoryByName(ctx, owner.ID, repoName)

  171. 		if err != nil {

  172. 			if repo_model.IsErrRepoNotExist(err) {

  173. 				redirectRepoID, err := repo_model.LookupRedirect(ctx, owner.ID, repoName)

  174. 				if err == nil {

  175. 					context.RedirectToRepo(ctx.Base, redirectRepoID)

  176. 				} else if repo_model.IsErrRedirectNotExist(err) {

  177. 					ctx.NotFound()

  178. 				} else {

  179. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  180. 				}

  181. 			} else {

  182. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  183. 			}

  184. 			return

  185. 		}

  186. 

  187. 		repo.Owner = owner

  188. 		ctx.Repo.Repository = repo

  189. 

  190. 		if ctx.Doer != nil && ctx.Doer.ID == user_model.ActionsUserID {

  191. 			taskID := ctx.Data["ActionsTaskID"].(int64)

  192. 			task, err := actions_model.GetTaskByID(ctx, taskID)

  193. 			if err != nil {

  194. 				ctx.Error(http.StatusInternalServerError, "actions_model.GetTaskByID", err)

  195. 				return

  196. 			}

  197. 			if task.RepoID != repo.ID {

  198. 				ctx.NotFound()

  199. 				return

  200. 			}

  201. 

  202. 			if task.IsForkPullRequest {

  203. 				ctx.Repo.Permission.AccessMode = perm.AccessModeRead

  204. 			} else {

  205. 				ctx.Repo.Permission.AccessMode = perm.AccessModeWrite

  206. 			}

  207. 

  208. 			if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {

  209. 				ctx.Error(http.StatusInternalServerError, "LoadUnits", err)

  210. 				return

  211. 			}

  212. 			ctx.Repo.Permission.Units = ctx.Repo.Repository.Units

  213. 			ctx.Repo.Permission.UnitsMode = make(map[unit.Type]perm.AccessMode)

  214. 			for _, u := range ctx.Repo.Repository.Units {

  215. 				ctx.Repo.Permission.UnitsMode[u.Type] = ctx.Repo.Permission.AccessMode

  216. 			}

  217. 		} else {

  218. 			ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)

  219. 			if err != nil {

  220. 				ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  221. 				return

  222. 			}

  223. 		}

  224. 

  225. 		if !ctx.Repo.HasAccess() {

  226. 			ctx.NotFound()

  227. 			return

  228. 		}

  229. 	}

  230. }

  231. 

  232. func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.APIContext) {

  233. 	return func(ctx *context.APIContext) {

  234. 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {

  235. 			ctx.Error(http.StatusForbidden, "reqPackageAccess", "user should have specific permission or be a site admin")

  236. 			return

  237. 		}

  238. 	}

  239. }

  240. 

  241. // if a token is being used for auth, we check that it contains the required scope

  242. // if a token is not being used, reqToken will enforce other sign in methods

  243. func tokenRequiresScopes(requiredScopeCategories ...auth_model.AccessTokenScopeCategory) func(ctx *context.APIContext) {

  244. 	return func(ctx *context.APIContext) {

  245. 		// no scope required

  246. 		if len(requiredScopeCategories) == 0 {

  247. 			return

  248. 		}

  249. 

  250. 		// Need OAuth2 token to be present.

  251. 		scope, scopeExists := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)

  252. 		if ctx.Data["IsApiToken"] != true || !scopeExists {

  253. 			return

  254. 		}

  255. 

  256. 		ctx.Data["ApiTokenScopePublicRepoOnly"] = false

  257. 		ctx.Data["ApiTokenScopePublicOrgOnly"] = false

  258. 

  259. 		// use the http method to determine the access level

  260. 		requiredScopeLevel := auth_model.Read

  261. 		if ctx.Req.Method == "POST" || ctx.Req.Method == "PUT" || ctx.Req.Method == "PATCH" || ctx.Req.Method == "DELETE" {

  262. 			requiredScopeLevel = auth_model.Write

  263. 		}

  264. 

  265. 		// get the required scope for the given access level and category

  266. 		requiredScopes := auth_model.GetRequiredScopes(requiredScopeLevel, requiredScopeCategories...)

  267. 

  268. 		// check if scope only applies to public resources

  269. 		publicOnly, err := scope.PublicOnly()

  270. 		if err != nil {

  271. 			ctx.Error(http.StatusForbidden, "tokenRequiresScope", "parsing public resource scope failed: "+err.Error())

  272. 			return

  273. 		}

  274. 

  275. 		// this context is used by the middleware in the specific route

  276. 		ctx.Data["ApiTokenScopePublicRepoOnly"] = publicOnly && auth_model.ContainsCategory(requiredScopeCategories, auth_model.AccessTokenScopeCategoryRepository)

  277. 		ctx.Data["ApiTokenScopePublicOrgOnly"] = publicOnly && auth_model.ContainsCategory(requiredScopeCategories, auth_model.AccessTokenScopeCategoryOrganization)

  278. 

  279. 		allow, err := scope.HasScope(requiredScopes...)

  280. 		if err != nil {

  281. 			ctx.Error(http.StatusForbidden, "tokenRequiresScope", "checking scope failed: "+err.Error())

  282. 			return

  283. 		}

  284. 

  285. 		if allow {

  286. 			return

  287. 		}

  288. 

  289. 		ctx.Error(http.StatusForbidden, "tokenRequiresScope", fmt.Sprintf("token does not have at least one of required scope(s): %v", requiredScopes))

  290. 	}

  291. }

  292. 

  293. // Contexter middleware already checks token for user sign in process.

  294. func reqToken() func(ctx *context.APIContext) {

  295. 	return func(ctx *context.APIContext) {

  296. 		// If actions token is present

  297. 		if true == ctx.Data["IsActionsToken"] {

  298. 			return

  299. 		}

  300. 

  301. 		if true == ctx.Data["IsApiToken"] {

  302. 			publicRepo, pubRepoExists := ctx.Data["ApiTokenScopePublicRepoOnly"]

  303. 			publicOrg, pubOrgExists := ctx.Data["ApiTokenScopePublicOrgOnly"]

  304. 

  305. 			if pubRepoExists && publicRepo.(bool) &&

  306. 				ctx.Repo.Repository != nil && ctx.Repo.Repository.IsPrivate {

  307. 				ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public repos")

  308. 				return

  309. 			}

  310. 

  311. 			if pubOrgExists && publicOrg.(bool) &&

  312. 				ctx.Org.Organization != nil && ctx.Org.Organization.Visibility != api.VisibleTypePublic {

  313. 				ctx.Error(http.StatusForbidden, "reqToken", "token scope is limited to public orgs")

  314. 				return

  315. 			}

  316. 

  317. 			return

  318. 		}

  319. 

  320. 		if ctx.IsSigned {

  321. 			return

  322. 		}

  323. 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")

  324. 	}

  325. }

  326. 

  327. func reqExploreSignIn() func(ctx *context.APIContext) {

  328. 	return func(ctx *context.APIContext) {

  329. 		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {

  330. 			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")

  331. 		}

  332. 	}

  333. }

  334. 

  335. func reqBasicOrRevProxyAuth() func(ctx *context.APIContext) {

  336. 	return func(ctx *context.APIContext) {

  337. 		if ctx.IsSigned && setting.Service.EnableReverseProxyAuthAPI && ctx.Data["AuthedMethod"].(string) == auth.ReverseProxyMethodName {

  338. 			return

  339. 		}

  340. 		if !ctx.IsBasicAuth {

  341. 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")

  342. 			return

  343. 		}

  344. 	}

  345. }

  346. 

  347. // reqSiteAdmin user should be the site admin

  348. func reqSiteAdmin() func(ctx *context.APIContext) {

  349. 	return func(ctx *context.APIContext) {

  350. 		if !ctx.IsUserSiteAdmin() {

  351. 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")

  352. 			return

  353. 		}

  354. 	}

  355. }

  356. 

  357. // reqOwner user should be the owner of the repo or site admin.

  358. func reqOwner() func(ctx *context.APIContext) {

  359. 	return func(ctx *context.APIContext) {

  360. 		if !ctx.Repo.IsOwner() && !ctx.IsUserSiteAdmin() {

  361. 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")

  362. 			return

  363. 		}

  364. 	}

  365. }

  366. 

  367. // reqSelfOrAdmin doer should be the same as the contextUser or site admin

  368. func reqSelfOrAdmin() func(ctx *context.APIContext) {

  369. 	return func(ctx *context.APIContext) {

  370. 		if !ctx.IsUserSiteAdmin() && ctx.ContextUser != ctx.Doer {

  371. 			ctx.Error(http.StatusForbidden, "reqSelfOrAdmin", "doer should be the site admin or be same as the contextUser")

  372. 			return

  373. 		}

  374. 	}

  375. }

  376. 

  377. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  378. func reqAdmin() func(ctx *context.APIContext) {

  379. 	return func(ctx *context.APIContext) {

  380. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  381. 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")

  382. 			return

  383. 		}

  384. 	}

  385. }

  386. 

  387. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  388. func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {

  389. 	return func(ctx *context.APIContext) {

  390. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  391. 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")

  392. 			return

  393. 		}

  394. 	}

  395. }

  396. 

  397. // reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin

  398. func reqRepoBranchWriter(ctx *context.APIContext) {

  399. 	options, ok := web.GetForm(ctx).(api.FileOptionInterface)

  400. 	if !ok || (!ctx.Repo.CanWriteToBranch(ctx, ctx.Doer, options.Branch()) && !ctx.IsUserSiteAdmin()) {

  401. 		ctx.Error(http.StatusForbidden, "reqRepoBranchWriter", "user should have a permission to write to this branch")

  402. 		return

  403. 	}

  404. }

  405. 

  406. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  407. func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {

  408. 	return func(ctx *context.APIContext) {

  409. 		if !ctx.Repo.CanRead(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  410. 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")

  411. 			return

  412. 		}

  413. 	}

  414. }

  415. 

  416. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  417. func reqAnyRepoReader() func(ctx *context.APIContext) {

  418. 	return func(ctx *context.APIContext) {

  419. 		if !ctx.Repo.HasAccess() && !ctx.IsUserSiteAdmin() {

  420. 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")

  421. 			return

  422. 		}

  423. 	}

  424. }

  425. 

  426. // reqOrgOwnership user should be an organization owner, or a site admin

  427. func reqOrgOwnership() func(ctx *context.APIContext) {

  428. 	return func(ctx *context.APIContext) {

  429. 		if ctx.IsUserSiteAdmin() {

  430. 			return

  431. 		}

  432. 

  433. 		var orgID int64

  434. 		if ctx.Org.Organization != nil {

  435. 			orgID = ctx.Org.Organization.ID

  436. 		} else if ctx.Org.Team != nil {

  437. 			orgID = ctx.Org.Team.OrgID

  438. 		} else {

  439. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  440. 			return

  441. 		}

  442. 

  443. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  444. 		if err != nil {

  445. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  446. 			return

  447. 		} else if !isOwner {

  448. 			if ctx.Org.Organization != nil {

  449. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  450. 			} else {

  451. 				ctx.NotFound()

  452. 			}

  453. 			return

  454. 		}

  455. 	}

  456. }

  457. 

  458. // reqTeamMembership user should be an team member, or a site admin

  459. func reqTeamMembership() func(ctx *context.APIContext) {

  460. 	return func(ctx *context.APIContext) {

  461. 		if ctx.IsUserSiteAdmin() {

  462. 			return

  463. 		}

  464. 		if ctx.Org.Team == nil {

  465. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  466. 			return

  467. 		}

  468. 

  469. 		orgID := ctx.Org.Team.OrgID

  470. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  471. 		if err != nil {

  472. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  473. 			return

  474. 		} else if isOwner {

  475. 			return

  476. 		}

  477. 

  478. 		if isTeamMember, err := organization.IsTeamMember(ctx, orgID, ctx.Org.Team.ID, ctx.Doer.ID); err != nil {

  479. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  480. 			return

  481. 		} else if !isTeamMember {

  482. 			isOrgMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID)

  483. 			if err != nil {

  484. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  485. 			} else if isOrgMember {

  486. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  487. 			} else {

  488. 				ctx.NotFound()

  489. 			}

  490. 			return

  491. 		}

  492. 	}

  493. }

  494. 

  495. // reqOrgMembership user should be an organization member, or a site admin

  496. func reqOrgMembership() func(ctx *context.APIContext) {

  497. 	return func(ctx *context.APIContext) {

  498. 		if ctx.IsUserSiteAdmin() {

  499. 			return

  500. 		}

  501. 

  502. 		var orgID int64

  503. 		if ctx.Org.Organization != nil {

  504. 			orgID = ctx.Org.Organization.ID

  505. 		} else if ctx.Org.Team != nil {

  506. 			orgID = ctx.Org.Team.OrgID

  507. 		} else {

  508. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  509. 			return

  510. 		}

  511. 

  512. 		if isMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID); err != nil {

  513. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  514. 			return

  515. 		} else if !isMember {

  516. 			if ctx.Org.Organization != nil {

  517. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  518. 			} else {

  519. 				ctx.NotFound()

  520. 			}

  521. 			return

  522. 		}

  523. 	}

  524. }

  525. 

  526. func reqGitHook() func(ctx *context.APIContext) {

  527. 	return func(ctx *context.APIContext) {

  528. 		if !ctx.Doer.CanEditGitHook() {

  529. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  530. 			return

  531. 		}

  532. 	}

  533. }

  534. 

  535. // reqWebhooksEnabled requires webhooks to be enabled by admin.

  536. func reqWebhooksEnabled() func(ctx *context.APIContext) {

  537. 	return func(ctx *context.APIContext) {

  538. 		if setting.DisableWebhooks {

  539. 			ctx.Error(http.StatusForbidden, "", "webhooks disabled by administrator")

  540. 			return

  541. 		}

  542. 	}

  543. }

  544. 

  545. func orgAssignment(args ...bool) func(ctx *context.APIContext) {

  546. 	var (

  547. 		assignOrg  bool

  548. 		assignTeam bool

  549. 	)

  550. 	if len(args) > 0 {

  551. 		assignOrg = args[0]

  552. 	}

  553. 	if len(args) > 1 {

  554. 		assignTeam = args[1]

  555. 	}

  556. 	return func(ctx *context.APIContext) {

  557. 		ctx.Org = new(context.APIOrganization)

  558. 

  559. 		var err error

  560. 		if assignOrg {

  561. 			ctx.Org.Organization, err = organization.GetOrgByName(ctx, ctx.Params(":org"))

  562. 			if err != nil {

  563. 				if organization.IsErrOrgNotExist(err) {

  564. 					redirectUserID, err := user_model.LookupUserRedirect(ctx, ctx.Params(":org"))

  565. 					if err == nil {

  566. 						context.RedirectToUser(ctx.Base, ctx.Params(":org"), redirectUserID)

  567. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  568. 						ctx.NotFound("GetOrgByName", err)

  569. 					} else {

  570. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  571. 					}

  572. 				} else {

  573. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  574. 				}

  575. 				return

  576. 			}

  577. 			ctx.ContextUser = ctx.Org.Organization.AsUser()

  578. 		}

  579. 

  580. 		if assignTeam {

  581. 			ctx.Org.Team, err = organization.GetTeamByID(ctx, ctx.ParamsInt64(":teamid"))

  582. 			if err != nil {

  583. 				if organization.IsErrTeamNotExist(err) {

  584. 					ctx.NotFound()

  585. 				} else {

  586. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  587. 				}

  588. 				return

  589. 			}

  590. 		}

  591. 	}

  592. }

  593. 

  594. func mustEnableIssues(ctx *context.APIContext) {

  595. 	if !ctx.Repo.CanRead(unit.TypeIssues) {

  596. 		if log.IsTrace() {

  597. 			if ctx.IsSigned {

  598. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  599. 					"User in Repo has Permissions: %-+v",

  600. 					ctx.Doer,

  601. 					unit.TypeIssues,

  602. 					ctx.Repo.Repository,

  603. 					ctx.Repo.Permission)

  604. 			} else {

  605. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  606. 					"Anonymous user in Repo has Permissions: %-+v",

  607. 					unit.TypeIssues,

  608. 					ctx.Repo.Repository,

  609. 					ctx.Repo.Permission)

  610. 			}

  611. 		}

  612. 		ctx.NotFound()

  613. 		return

  614. 	}

  615. }

  616. 

  617. func mustAllowPulls(ctx *context.APIContext) {

  618. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  619. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  620. 			if ctx.IsSigned {

  621. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  622. 					"User in Repo has Permissions: %-+v",

  623. 					ctx.Doer,

  624. 					unit.TypePullRequests,

  625. 					ctx.Repo.Repository,

  626. 					ctx.Repo.Permission)

  627. 			} else {

  628. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  629. 					"Anonymous user in Repo has Permissions: %-+v",

  630. 					unit.TypePullRequests,

  631. 					ctx.Repo.Repository,

  632. 					ctx.Repo.Permission)

  633. 			}

  634. 		}

  635. 		ctx.NotFound()

  636. 		return

  637. 	}

  638. }

  639. 

  640. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  641. 	if !ctx.Repo.CanRead(unit.TypeIssues) &&

  642. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  643. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  644. 			if ctx.IsSigned {

  645. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  646. 					"User in Repo has Permissions: %-+v",

  647. 					ctx.Doer,

  648. 					unit.TypeIssues,

  649. 					unit.TypePullRequests,

  650. 					ctx.Repo.Repository,

  651. 					ctx.Repo.Permission)

  652. 			} else {

  653. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  654. 					"Anonymous user in Repo has Permissions: %-+v",

  655. 					unit.TypeIssues,

  656. 					unit.TypePullRequests,

  657. 					ctx.Repo.Repository,

  658. 					ctx.Repo.Permission)

  659. 			}

  660. 		}

  661. 		ctx.NotFound()

  662. 		return

  663. 	}

  664. }

  665. 

  666. func mustEnableWiki(ctx *context.APIContext) {

  667. 	if !(ctx.Repo.CanRead(unit.TypeWiki)) {

  668. 		ctx.NotFound()

  669. 		return

  670. 	}

  671. }

  672. 

  673. func mustNotBeArchived(ctx *context.APIContext) {

  674. 	if ctx.Repo.Repository.IsArchived {

  675. 		ctx.Error(http.StatusLocked, "RepoArchived", fmt.Errorf("%s is archived", ctx.Repo.Repository.LogString()))

  676. 		return

  677. 	}

  678. }

  679. 

  680. func mustEnableAttachments(ctx *context.APIContext) {

  681. 	if !setting.Attachment.Enabled {

  682. 		ctx.NotFound()

  683. 		return

  684. 	}

  685. }

  686. 

  687. // bind binding an obj to a func(ctx *context.APIContext)

  688. func bind[T any](_ T) any {

  689. 	return func(ctx *context.APIContext) {

  690. 		theObj := new(T) // create a new form obj for every request but not use obj directly

  691. 		errs := binding.Bind(ctx.Req, theObj)

  692. 		if len(errs) > 0 {

  693. 			ctx.Error(http.StatusUnprocessableEntity, "validationError", fmt.Sprintf("%s: %s", errs[0].FieldNames, errs[0].Error()))

  694. 			return

  695. 		}

  696. 		web.SetForm(ctx, theObj)

  697. 	}

  698. }

  699. 

  700. func buildAuthGroup() *auth.Group {

  701. 	group := auth.NewGroup(

  702. 		&auth.OAuth2{},

  703. 		&auth.HTTPSign{},

  704. 		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API

  705. 	)

  706. 	if setting.Service.EnableReverseProxyAuthAPI {

  707. 		group.Add(&auth.ReverseProxy{})

  708. 	}

  709. 

  710. 	if setting.IsWindows && auth_model.IsSSPIEnabled(db.DefaultContext) {

  711. 		group.Add(&auth.SSPI{}) // it MUST be the last, see the comment of SSPI

  712. 	}

  713. 

  714. 	return group

  715. }

  716. 

  717. func apiAuth(authMethod auth.Method) func(*context.APIContext) {

  718. 	return func(ctx *context.APIContext) {

  719. 		ar, err := common.AuthShared(ctx.Base, nil, authMethod)

  720. 		if err != nil {

  721. 			ctx.Error(http.StatusUnauthorized, "APIAuth", err)

  722. 			return

  723. 		}

  724. 		ctx.Doer = ar.Doer

  725. 		ctx.IsSigned = ar.Doer != nil

  726. 		ctx.IsBasicAuth = ar.IsBasicAuth

  727. 	}

  728. }

  729. 

  730. // verifyAuthWithOptions checks authentication according to options

  731. func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIContext) {

  732. 	return func(ctx *context.APIContext) {

  733. 		// Check prohibit login users.

  734. 		if ctx.IsSigned {

  735. 			if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  736. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  737. 				ctx.JSON(http.StatusForbidden, map[string]string{

  738. 					"message": "This account is not activated.",

  739. 				})

  740. 				return

  741. 			}

  742. 			if !ctx.Doer.IsActive || ctx.Doer.ProhibitLogin {

  743. 				log.Info("Failed authentication attempt for %s from %s", ctx.Doer.Name, ctx.RemoteAddr())

  744. 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")

  745. 				ctx.JSON(http.StatusForbidden, map[string]string{

  746. 					"message": "This account is prohibited from signing in, please contact your site administrator.",

  747. 				})

  748. 				return

  749. 			}

  750. 

  751. 			if ctx.Doer.MustChangePassword {

  752. 				ctx.JSON(http.StatusForbidden, map[string]string{

  753. 					"message": "You must change your password. Change it at: " + setting.AppURL + "/user/change_password",

  754. 				})

  755. 				return

  756. 			}

  757. 		}

  758. 

  759. 		// Redirect to dashboard if user tries to visit any non-login page.

  760. 		if options.SignOutRequired && ctx.IsSigned && ctx.Req.URL.RequestURI() != "/" {

  761. 			ctx.Redirect(setting.AppSubURL + "/")

  762. 			return

  763. 		}

  764. 

  765. 		if options.SignInRequired {

  766. 			if !ctx.IsSigned {

  767. 				// Restrict API calls with error message.

  768. 				ctx.JSON(http.StatusForbidden, map[string]string{

  769. 					"message": "Only signed in user is allowed to call APIs.",

  770. 				})

  771. 				return

  772. 			} else if !ctx.Doer.IsActive && setting.Service.RegisterEmailConfirm {

  773. 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")

  774. 				ctx.JSON(http.StatusForbidden, map[string]string{

  775. 					"message": "This account is not activated.",

  776. 				})

  777. 				return

  778. 			}

  779. 		}

  780. 

  781. 		if options.AdminRequired {

  782. 			if !ctx.Doer.IsAdmin {

  783. 				ctx.JSON(http.StatusForbidden, map[string]string{

  784. 					"message": "You have no permission to request for this.",

  785. 				})

  786. 				return

  787. 			}

  788. 		}

  789. 	}

  790. }

  791. 

  792. func individualPermsChecker(ctx *context.APIContext) {

  793. 	// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.

  794. 	if ctx.ContextUser.IsIndividual() {

  795. 		switch {

  796. 		case ctx.ContextUser.Visibility == api.VisibleTypePrivate:

  797. 			if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {

  798. 				ctx.NotFound("Visit Project", nil)

  799. 				return

  800. 			}

  801. 		case ctx.ContextUser.Visibility == api.VisibleTypeLimited:

  802. 			if ctx.Doer == nil {

  803. 				ctx.NotFound("Visit Project", nil)

  804. 				return

  805. 			}

  806. 		}

  807. 	}

  808. }

  809. 

  810. // check for and warn against deprecated authentication options

  811. func checkDeprecatedAuthMethods(ctx *context.APIContext) {

  812. 	if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {

  813. 		ctx.Resp.Header().Set("X-Gitea-Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")

  814. 	}

  815. }

  816. 

  817. // Routes registers all v1 APIs routes to web application.

  818. func Routes() *web.Route {

  819. 	m := web.NewRoute()

  820. 

  821. 	m.Use(securityHeaders())

  822. 	if setting.CORSConfig.Enabled {

  823. 		m.Use(cors.Handler(cors.Options{

  824. 			AllowedOrigins:   setting.CORSConfig.AllowDomain,

  825. 			AllowedMethods:   setting.CORSConfig.Methods,

  826. 			AllowCredentials: setting.CORSConfig.AllowCredentials,

  827. 			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),

  828. 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),

  829. 		}))

  830. 	}

  831. 	m.Use(context.APIContexter())

  832. 

  833. 	m.Use(checkDeprecatedAuthMethods)

  834. 

  835. 	// Get user from session if logged in.

  836. 	m.Use(apiAuth(buildAuthGroup()))

  837. 

  838. 	m.Use(verifyAuthWithOptions(&common.VerifyOptions{

  839. 		SignInRequired: setting.Service.RequireSignInView,

  840. 	}))

  841. 

  842. 	m.Group("", func() {

  843. 		// Miscellaneous (no scope required)

  844. 		if setting.API.EnableSwagger {

  845. 			m.Get("/swagger", func(ctx *context.APIContext) {

  846. 				ctx.Redirect(setting.AppSubURL + "/api/swagger")

  847. 			})

  848. 		}

  849. 

  850. 		if setting.Federation.Enabled {

  851. 			m.Get("/nodeinfo", misc.NodeInfo)

  852. 			m.Group("/activitypub", func() {

  853. 				// deprecated, remove in 1.20, use /user-id/{user-id} instead

  854. 				m.Group("/user/{username}", func() {

  855. 					m.Get("", activitypub.Person)

  856. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  857. 				}, context.UserAssignmentAPI())

  858. 				m.Group("/user-id/{user-id}", func() {

  859. 					m.Get("", activitypub.Person)

  860. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  861. 				}, context.UserIDAssignmentAPI())

  862. 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryActivityPub))

  863. 		}

  864. 

  865. 		// Misc (public accessible)

  866. 		m.Group("", func() {

  867. 			m.Get("/version", misc.Version)

  868. 			m.Get("/signing-key.gpg", misc.SigningKey)

  869. 			m.Post("/markup", reqToken(), bind(api.MarkupOption{}), misc.Markup)

  870. 			m.Post("/markdown", reqToken(), bind(api.MarkdownOption{}), misc.Markdown)

  871. 			m.Post("/markdown/raw", reqToken(), misc.MarkdownRaw)

  872. 			m.Get("/gitignore/templates", misc.ListGitignoresTemplates)

  873. 			m.Get("/gitignore/templates/{name}", misc.GetGitignoreTemplateInfo)

  874. 			m.Get("/licenses", misc.ListLicenseTemplates)

  875. 			m.Get("/licenses/{name}", misc.GetLicenseTemplateInfo)

  876. 			m.Get("/label/templates", misc.ListLabelTemplates)

  877. 			m.Get("/label/templates/{name}", misc.GetLabelTemplate)

  878. 

  879. 			m.Group("/settings", func() {

  880. 				m.Get("/ui", settings.GetGeneralUISettings)

  881. 				m.Get("/api", settings.GetGeneralAPISettings)

  882. 				m.Get("/attachment", settings.GetGeneralAttachmentSettings)

  883. 				m.Get("/repository", settings.GetGeneralRepoSettings)

  884. 			})

  885. 		})

  886. 

  887. 		// Notifications (requires 'notifications' scope)

  888. 		m.Group("/notifications", func() {

  889. 			m.Combo("").

  890. 				Get(reqToken(), notify.ListNotifications).

  891. 				Put(reqToken(), notify.ReadNotifications)

  892. 			m.Get("/new", reqToken(), notify.NewAvailable)

  893. 			m.Combo("/threads/{id}").

  894. 				Get(reqToken(), notify.GetThread).

  895. 				Patch(reqToken(), notify.ReadThread)

  896. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))

  897. 

  898. 		// Users (requires user scope)

  899. 		m.Group("/users", func() {

  900. 			m.Get("/search", reqExploreSignIn(), user.Search)

  901. 

  902. 			m.Group("/{username}", func() {

  903. 				m.Get("", reqExploreSignIn(), user.GetInfo)

  904. 

  905. 				if setting.Service.EnableUserHeatmap {

  906. 					m.Get("/heatmap", user.GetUserHeatmapData)

  907. 				}

  908. 

  909. 				m.Get("/repos", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository), reqExploreSignIn(), user.ListUserRepos)

  910. 				m.Group("/tokens", func() {

  911. 					m.Combo("").Get(user.ListAccessTokens).

  912. 						Post(bind(api.CreateAccessTokenOption{}), reqToken(), user.CreateAccessToken)

  913. 					m.Combo("/{id}").Delete(reqToken(), user.DeleteAccessToken)

  914. 				}, reqSelfOrAdmin(), reqBasicOrRevProxyAuth())

  915. 

  916. 				m.Get("/activities/feeds", user.ListUserActivityFeeds)

  917. 			}, context.UserAssignmentAPI(), individualPermsChecker)

  918. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser))

  919. 

  920. 		// Users (requires user scope)

  921. 		m.Group("/users", func() {

  922. 			m.Group("/{username}", func() {

  923. 				m.Get("/keys", user.ListPublicKeys)

  924. 				m.Get("/gpg_keys", user.ListGPGKeys)

  925. 

  926. 				m.Get("/followers", user.ListFollowers)

  927. 				m.Group("/following", func() {

  928. 					m.Get("", user.ListFollowing)

  929. 					m.Get("/{target}", user.CheckFollowing)

  930. 				})

  931. 

  932. 				m.Get("/starred", user.GetStarredRepos)

  933. 

  934. 				m.Get("/subscriptions", user.GetWatchedRepos)

  935. 			}, context.UserAssignmentAPI())

  936. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())

  937. 

  938. 		// Users (requires user scope)

  939. 		m.Group("/user", func() {

  940. 			m.Get("", user.GetAuthenticatedUser)

  941. 			m.Group("/settings", func() {

  942. 				m.Get("", user.GetUserSettings)

  943. 				m.Patch("", bind(api.UserSettingsOptions{}), user.UpdateUserSettings)

  944. 			}, reqToken())

  945. 			m.Combo("/emails").

  946. 				Get(user.ListEmails).

  947. 				Post(bind(api.CreateEmailOption{}), user.AddEmail).

  948. 				Delete(bind(api.DeleteEmailOption{}), user.DeleteEmail)

  949. 

  950. 			// manage user-level actions features

  951. 			m.Group("/actions", func() {

  952. 				m.Group("/secrets", func() {

  953. 					m.Combo("/{secretname}").

  954. 						Put(bind(api.CreateOrUpdateSecretOption{}), user.CreateOrUpdateSecret).

  955. 						Delete(user.DeleteSecret)

  956. 				})

  957. 

  958. 				m.Group("/variables", func() {

  959. 					m.Get("", user.ListVariables)

  960. 					m.Combo("/{variablename}").

  961. 						Get(user.GetVariable).

  962. 						Delete(user.DeleteVariable).

  963. 						Post(bind(api.CreateVariableOption{}), user.CreateVariable).

  964. 						Put(bind(api.UpdateVariableOption{}), user.UpdateVariable)

  965. 				})

  966. 

  967. 				m.Group("/runners", func() {

  968. 					m.Get("/registration-token", reqToken(), user.GetRegistrationToken)

  969. 				})

  970. 			})

  971. 

  972. 			m.Get("/followers", user.ListMyFollowers)

  973. 			m.Group("/following", func() {

  974. 				m.Get("", user.ListMyFollowing)

  975. 				m.Group("/{username}", func() {

  976. 					m.Get("", user.CheckMyFollowing)

  977. 					m.Put("", user.Follow)

  978. 					m.Delete("", user.Unfollow)

  979. 				}, context.UserAssignmentAPI())

  980. 			})

  981. 

  982. 			// (admin:public_key scope)

  983. 			m.Group("/keys", func() {

  984. 				m.Combo("").Get(user.ListMyPublicKeys).

  985. 					Post(bind(api.CreateKeyOption{}), user.CreatePublicKey)

  986. 				m.Combo("/{id}").Get(user.GetPublicKey).

  987. 					Delete(user.DeletePublicKey)

  988. 			})

  989. 

  990. 			// (admin:application scope)

  991. 			m.Group("/applications", func() {

  992. 				m.Combo("/oauth2").

  993. 					Get(user.ListOauth2Applications).

  994. 					Post(bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  995. 				m.Combo("/oauth2/{id}").

  996. 					Delete(user.DeleteOauth2Application).

  997. 					Patch(bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).

  998. 					Get(user.GetOauth2Application)

  999. 			})

  1000. 

  1001. 			// (admin:gpg_key scope)

  1002. 			m.Group("/gpg_keys", func() {

  1003. 				m.Combo("").Get(user.ListMyGPGKeys).

  1004. 					Post(bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  1005. 				m.Combo("/{id}").Get(user.GetGPGKey).

  1006. 					Delete(user.DeleteGPGKey)

  1007. 			})

  1008. 			m.Get("/gpg_key_token", user.GetVerificationToken)

  1009. 			m.Post("/gpg_key_verify", bind(api.VerifyGPGKeyOption{}), user.VerifyUserGPGKey)

  1010. 

  1011. 			// (repo scope)

  1012. 			m.Combo("/repos", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository)).Get(user.ListMyRepos).

  1013. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  1014. 

  1015. 			// (repo scope)

  1016. 			m.Group("/starred", func() {

  1017. 				m.Get("", user.GetMyStarredRepos)

  1018. 				m.Group("/{username}/{reponame}", func() {

  1019. 					m.Get("", user.IsStarring)

  1020. 					m.Put("", user.Star)

  1021. 					m.Delete("", user.Unstar)

  1022. 				}, repoAssignment())

  1023. 			}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))

  1024. 			m.Get("/times", repo.ListMyTrackedTimes)

  1025. 			m.Get("/stopwatches", repo.GetStopwatches)

  1026. 			m.Get("/subscriptions", user.GetMyWatchedRepos)

  1027. 			m.Get("/teams", org.ListUserTeams)

  1028. 			m.Group("/hooks", func() {

  1029. 				m.Combo("").Get(user.ListHooks).

  1030. 					Post(bind(api.CreateHookOption{}), user.CreateHook)

  1031. 				m.Combo("/{id}").Get(user.GetHook).

  1032. 					Patch(bind(api.EditHookOption{}), user.EditHook).

  1033. 					Delete(user.DeleteHook)

  1034. 			}, reqWebhooksEnabled())

  1035. 

  1036. 			m.Group("/avatar", func() {

  1037. 				m.Post("", bind(api.UpdateUserAvatarOption{}), user.UpdateAvatar)

  1038. 				m.Delete("", user.DeleteAvatar)

  1039. 			})

  1040. 

  1041. 			m.Group("/blocks", func() {

  1042. 				m.Get("", user.ListBlocks)

  1043. 				m.Group("/{username}", func() {

  1044. 					m.Get("", user.CheckUserBlock)

  1045. 					m.Put("", user.BlockUser)

  1046. 					m.Delete("", user.UnblockUser)

  1047. 				}, context.UserAssignmentAPI())

  1048. 			})

  1049. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser), reqToken())

  1050. 

  1051. 		// Repositories (requires repo scope, org scope)

  1052. 		m.Post("/org/{org}/repos",

  1053. 			tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization, auth_model.AccessTokenScopeCategoryRepository),

  1054. 			reqToken(),

  1055. 			bind(api.CreateRepoOption{}),

  1056. 			repo.CreateOrgRepoDeprecated)

  1057. 

  1058. 		// requires repo scope

  1059. 		m.Combo("/repositories/{id}", reqToken(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository)).Get(repo.GetByID)

  1060. 

  1061. 		// Repos (requires repo scope)

  1062. 		m.Group("/repos", func() {

  1063. 			m.Get("/search", repo.Search)

  1064. 

  1065. 			// (repo scope)

  1066. 			m.Post("/migrate", reqToken(), bind(api.MigrateRepoOptions{}), repo.Migrate)

  1067. 

  1068. 			m.Group("/{username}/{reponame}", func() {

  1069. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  1070. 					Delete(reqToken(), reqOwner(), repo.Delete).

  1071. 					Patch(reqToken(), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)

  1072. 				m.Post("/generate", reqToken(), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)

  1073. 				m.Group("/transfer", func() {

  1074. 					m.Post("", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  1075. 					m.Post("/accept", repo.AcceptTransfer)

  1076. 					m.Post("/reject", repo.RejectTransfer)

  1077. 				}, reqToken())

  1078. 				m.Group("/actions", func() {

  1079. 					m.Group("/secrets", func() {

  1080. 						m.Combo("/{secretname}").

  1081. 							Put(reqToken(), reqOwner(), bind(api.CreateOrUpdateSecretOption{}), repo.CreateOrUpdateSecret).

  1082. 							Delete(reqToken(), reqOwner(), repo.DeleteSecret)

  1083. 					})

  1084. 

  1085. 					m.Group("/variables", func() {

  1086. 						m.Get("", reqToken(), reqOwner(), repo.ListVariables)

  1087. 						m.Combo("/{variablename}").

  1088. 							Get(reqToken(), reqOwner(), repo.GetVariable).

  1089. 							Delete(reqToken(), reqOwner(), repo.DeleteVariable).

  1090. 							Post(reqToken(), reqOwner(), bind(api.CreateVariableOption{}), repo.CreateVariable).

  1091. 							Put(reqToken(), reqOwner(), bind(api.UpdateVariableOption{}), repo.UpdateVariable)

  1092. 					})

  1093. 

  1094. 					m.Group("/runners", func() {

  1095. 						m.Get("/registration-token", reqToken(), reqOwner(), repo.GetRegistrationToken)

  1096. 					})

  1097. 				})

  1098. 				m.Group("/hooks/git", func() {

  1099. 					m.Combo("").Get(repo.ListGitHooks)

  1100. 					m.Group("/{id}", func() {

  1101. 						m.Combo("").Get(repo.GetGitHook).

  1102. 							Patch(bind(api.EditGitHookOption{}), repo.EditGitHook).

  1103. 							Delete(repo.DeleteGitHook)

  1104. 					})

  1105. 				}, reqToken(), reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))

  1106. 				m.Group("/hooks", func() {

  1107. 					m.Combo("").Get(repo.ListHooks).

  1108. 						Post(bind(api.CreateHookOption{}), repo.CreateHook)

  1109. 					m.Group("/{id}", func() {

  1110. 						m.Combo("").Get(repo.GetHook).

  1111. 							Patch(bind(api.EditHookOption{}), repo.EditHook).

  1112. 							Delete(repo.DeleteHook)

  1113. 						m.Post("/tests", context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)

  1114. 					})

  1115. 				}, reqToken(), reqAdmin(), reqWebhooksEnabled())

  1116. 				m.Group("/collaborators", func() {

  1117. 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)

  1118. 					m.Group("/{collaborator}", func() {

  1119. 						m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).

  1120. 							Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  1121. 							Delete(reqAdmin(), repo.DeleteCollaborator)

  1122. 						m.Get("/permission", repo.GetRepoPermissions)

  1123. 					})

  1124. 				}, reqToken())

  1125. 				m.Get("/assignees", reqToken(), reqAnyRepoReader(), repo.GetAssignees)

  1126. 				m.Get("/reviewers", reqToken(), reqAnyRepoReader(), repo.GetReviewers)

  1127. 				m.Group("/teams", func() {

  1128. 					m.Get("", reqAnyRepoReader(), repo.ListTeams)

  1129. 					m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).

  1130. 						Put(reqAdmin(), repo.AddTeam).

  1131. 						Delete(reqAdmin(), repo.DeleteTeam)

  1132. 				}, reqToken())

  1133. 				m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)

  1134. 				m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)

  1135. 				m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)

  1136. 				m.Combo("/forks").Get(repo.ListForks).

  1137. 					Post(reqToken(), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  1138. 				m.Group("/branches", func() {

  1139. 					m.Get("", repo.ListBranches)

  1140. 					m.Get("/*", repo.GetBranch)

  1141. 					m.Delete("/*", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, repo.DeleteBranch)

  1142. 					m.Post("", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, bind(api.CreateBranchRepoOption{}), repo.CreateBranch)

  1143. 				}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))

  1144. 				m.Group("/branch_protections", func() {

  1145. 					m.Get("", repo.ListBranchProtections)

  1146. 					m.Post("", bind(api.CreateBranchProtectionOption{}), mustNotBeArchived, repo.CreateBranchProtection)

  1147. 					m.Group("/{name}", func() {

  1148. 						m.Get("", repo.GetBranchProtection)

  1149. 						m.Patch("", bind(api.EditBranchProtectionOption{}), mustNotBeArchived, repo.EditBranchProtection)

  1150. 						m.Delete("", repo.DeleteBranchProtection)

  1151. 					})

  1152. 				}, reqToken(), reqAdmin())

  1153. 				m.Group("/tags", func() {

  1154. 					m.Get("", repo.ListTags)

  1155. 					m.Get("/*", repo.GetTag)

  1156. 					m.Post("", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, bind(api.CreateTagOption{}), repo.CreateTag)

  1157. 					m.Delete("/*", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, repo.DeleteTag)

  1158. 				}, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))

  1159. 				m.Group("/keys", func() {

  1160. 					m.Combo("").Get(repo.ListDeployKeys).

  1161. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  1162. 					m.Combo("/{id}").Get(repo.GetDeployKey).

  1163. 						Delete(repo.DeleteDeploykey)

  1164. 				}, reqToken(), reqAdmin())

  1165. 				m.Group("/times", func() {

  1166. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  1167. 					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)

  1168. 				}, mustEnableIssues, reqToken())

  1169. 				m.Group("/wiki", func() {

  1170. 					m.Combo("/page/{pageName}").

  1171. 						Get(repo.GetWikiPage).

  1172. 						Patch(mustNotBeArchived, reqToken(), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).

  1173. 						Delete(mustNotBeArchived, reqToken(), reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)

  1174. 					m.Get("/revisions/{pageName}", repo.ListPageRevisions)

  1175. 					m.Post("/new", reqToken(), mustNotBeArchived, reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)

  1176. 					m.Get("/pages", repo.ListWikiPages)

  1177. 				}, mustEnableWiki)

  1178. 				m.Post("/markup", reqToken(), bind(api.MarkupOption{}), misc.Markup)

  1179. 				m.Post("/markdown", reqToken(), bind(api.MarkdownOption{}), misc.Markdown)

  1180. 				m.Post("/markdown/raw", reqToken(), misc.MarkdownRaw)

  1181. 				m.Get("/stargazers", repo.ListStargazers)

  1182. 				m.Get("/subscribers", repo.ListSubscribers)

  1183. 				m.Group("/subscription", func() {

  1184. 					m.Get("", user.IsWatching)

  1185. 					m.Put("", user.Watch)

  1186. 					m.Delete("", user.Unwatch)

  1187. 				}, reqToken())

  1188. 				m.Group("/releases", func() {

  1189. 					m.Combo("").Get(repo.ListReleases).

  1190. 						Post(reqToken(), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  1191. 					m.Combo("/latest").Get(repo.GetLatestRelease)

  1192. 					m.Group("/{id}", func() {

  1193. 						m.Combo("").Get(repo.GetRelease).

  1194. 							Patch(reqToken(), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.EditReleaseOption{}), repo.EditRelease).

  1195. 							Delete(reqToken(), reqRepoWriter(unit.TypeReleases), repo.DeleteRelease)

  1196. 						m.Group("/assets", func() {

  1197. 							m.Combo("").Get(repo.ListReleaseAttachments).

  1198. 								Post(reqToken(), reqRepoWriter(unit.TypeReleases), repo.CreateReleaseAttachment)

  1199. 							m.Combo("/{attachment_id}").Get(repo.GetReleaseAttachment).

  1200. 								Patch(reqToken(), reqRepoWriter(unit.TypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  1201. 								Delete(reqToken(), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseAttachment)

  1202. 						})

  1203. 					})

  1204. 					m.Group("/tags", func() {

  1205. 						m.Combo("/{tag}").

  1206. 							Get(repo.GetReleaseByTag).

  1207. 							Delete(reqToken(), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseByTag)

  1208. 					})

  1209. 				}, reqRepoReader(unit.TypeReleases))

  1210. 				m.Post("/mirror-sync", reqToken(), reqRepoWriter(unit.TypeCode), mustNotBeArchived, repo.MirrorSync)

  1211. 				m.Post("/push_mirrors-sync", reqAdmin(), reqToken(), mustNotBeArchived, repo.PushMirrorSync)

  1212. 				m.Group("/push_mirrors", func() {

  1213. 					m.Combo("").Get(repo.ListPushMirrors).

  1214. 						Post(mustNotBeArchived, bind(api.CreatePushMirrorOption{}), repo.AddPushMirror)

  1215. 					m.Combo("/{name}").

  1216. 						Delete(mustNotBeArchived, repo.DeletePushMirrorByRemoteName).

  1217. 						Get(repo.GetPushMirrorByName)

  1218. 				}, reqAdmin(), reqToken())

  1219. 

  1220. 				m.Get("/editorconfig/{filename}", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetEditorconfig)

  1221. 				m.Group("/pulls", func() {

  1222. 					m.Combo("").Get(repo.ListPullRequests).

  1223. 						Post(reqToken(), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  1224. 					m.Get("/pinned", repo.ListPinnedPullRequests)

  1225. 					m.Group("/{index}", func() {

  1226. 						m.Combo("").Get(repo.GetPullRequest).

  1227. 							Patch(reqToken(), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  1228. 						m.Get(".{diffType:diff|patch}", repo.DownloadPullDiffOrPatch)

  1229. 						m.Post("/update", reqToken(), repo.UpdatePullRequest)

  1230. 						m.Get("/commits", repo.GetPullRequestCommits)

  1231. 						m.Get("/files", repo.GetPullRequestFiles)

  1232. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  1233. 							Post(reqToken(), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).

  1234. 							Delete(reqToken(), mustNotBeArchived, repo.CancelScheduledAutoMerge)

  1235. 						m.Group("/reviews", func() {

  1236. 							m.Combo("").

  1237. 								Get(repo.ListPullReviews).

  1238. 								Post(reqToken(), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)

  1239. 							m.Group("/{id}", func() {

  1240. 								m.Combo("").

  1241. 									Get(repo.GetPullReview).

  1242. 									Delete(reqToken(), repo.DeletePullReview).

  1243. 									Post(reqToken(), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)

  1244. 								m.Combo("/comments").

  1245. 									Get(repo.GetPullReviewComments)

  1246. 								m.Post("/dismissals", reqToken(), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)

  1247. 								m.Post("/undismissals", reqToken(), repo.UnDismissPullReview)

  1248. 							})

  1249. 						})

  1250. 						m.Combo("/requested_reviewers", reqToken()).

  1251. 							Delete(bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).

  1252. 							Post(bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)

  1253. 					})

  1254. 					m.Get("/{base}/*", repo.GetPullRequestByBaseHead)

  1255. 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())

  1256. 				m.Group("/statuses", func() {

  1257. 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).

  1258. 						Post(reqToken(), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  1259. 				}, reqRepoReader(unit.TypeCode))

  1260. 				m.Group("/commits", func() {

  1261. 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)

  1262. 					m.Group("/{ref}", func() {

  1263. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  1264. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  1265. 						m.Get("/pull", repo.GetCommitPullRequest)

  1266. 					}, context.ReferencesGitRepo())

  1267. 				}, reqRepoReader(unit.TypeCode))

  1268. 				m.Group("/git", func() {

  1269. 					m.Group("/commits", func() {

  1270. 						m.Get("/{sha}", repo.GetSingleCommit)

  1271. 						m.Get("/{sha}.{diffType:diff|patch}", repo.DownloadCommitDiffOrPatch)

  1272. 					})

  1273. 					m.Get("/refs", repo.GetGitAllRefs)

  1274. 					m.Get("/refs/*", repo.GetGitRefs)

  1275. 					m.Get("/trees/{sha}", repo.GetTree)

  1276. 					m.Get("/blobs/{sha}", repo.GetBlob)

  1277. 					m.Get("/tags/{sha}", repo.GetAnnotatedTag)

  1278. 					m.Get("/notes/{sha}", repo.GetNote)

  1279. 				}, context.ReferencesGitRepo(true), reqRepoReader(unit.TypeCode))

  1280. 				m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(), bind(api.ApplyDiffPatchFileOptions{}), mustNotBeArchived, repo.ApplyDiffPatch)

  1281. 				m.Group("/contents", func() {

  1282. 					m.Get("", repo.GetContentsList)

  1283. 					m.Post("", reqToken(), bind(api.ChangeFilesOptions{}), reqRepoBranchWriter, mustNotBeArchived, repo.ChangeFiles)

  1284. 					m.Get("/*", repo.GetContents)

  1285. 					m.Group("/*", func() {

  1286. 						m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, mustNotBeArchived, repo.CreateFile)

  1287. 						m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, mustNotBeArchived, repo.UpdateFile)

  1288. 						m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, mustNotBeArchived, repo.DeleteFile)

  1289. 					}, reqToken())

  1290. 				}, reqRepoReader(unit.TypeCode))

  1291. 				m.Get("/signing-key.gpg", misc.SigningKey)

  1292. 				m.Group("/topics", func() {

  1293. 					m.Combo("").Get(repo.ListTopics).

  1294. 						Put(reqToken(), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  1295. 					m.Group("/{topic}", func() {

  1296. 						m.Combo("").Put(reqToken(), repo.AddTopic).

  1297. 							Delete(reqToken(), repo.DeleteTopic)

  1298. 					}, reqAdmin())

  1299. 				}, reqAnyRepoReader())

  1300. 				m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)

  1301. 				m.Get("/issue_config", context.ReferencesGitRepo(), repo.GetIssueConfig)

  1302. 				m.Get("/issue_config/validate", context.ReferencesGitRepo(), repo.ValidateIssueConfig)

  1303. 				m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)

  1304. 				m.Get("/activities/feeds", repo.ListRepoActivityFeeds)

  1305. 				m.Get("/new_pin_allowed", repo.AreNewIssuePinsAllowed)

  1306. 				m.Group("/avatar", func() {

  1307. 					m.Post("", bind(api.UpdateRepoAvatarOption{}), repo.UpdateAvatar)

  1308. 					m.Delete("", repo.DeleteAvatar)

  1309. 				}, reqAdmin(), reqToken())

  1310. 			}, repoAssignment())

  1311. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))

  1312. 

  1313. 		// Notifications (requires notifications scope)

  1314. 		m.Group("/repos", func() {

  1315. 			m.Group("/{username}/{reponame}", func() {

  1316. 				m.Combo("/notifications", reqToken()).

  1317. 					Get(notify.ListRepoNotifications).

  1318. 					Put(notify.ReadRepoNotifications)

  1319. 			}, repoAssignment())

  1320. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification))

  1321. 

  1322. 		// Issue (requires issue scope)

  1323. 		m.Group("/repos", func() {

  1324. 			m.Get("/issues/search", repo.SearchIssues)

  1325. 

  1326. 			m.Group("/{username}/{reponame}", func() {

  1327. 				m.Group("/issues", func() {

  1328. 					m.Combo("").Get(repo.ListIssues).

  1329. 						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), reqRepoReader(unit.TypeIssues), repo.CreateIssue)

  1330. 					m.Get("/pinned", reqRepoReader(unit.TypeIssues), repo.ListPinnedIssues)

  1331. 					m.Group("/comments", func() {

  1332. 						m.Get("", repo.ListRepoIssueComments)

  1333. 						m.Group("/{id}", func() {

  1334. 							m.Combo("").

  1335. 								Get(repo.GetIssueComment).

  1336. 								Patch(mustNotBeArchived, reqToken(), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  1337. 								Delete(reqToken(), repo.DeleteIssueComment)

  1338. 							m.Combo("/reactions").

  1339. 								Get(repo.GetIssueCommentReactions).

  1340. 								Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).

  1341. 								Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)

  1342. 							m.Group("/assets", func() {

  1343. 								m.Combo("").

  1344. 									Get(repo.ListIssueCommentAttachments).

  1345. 									Post(reqToken(), mustNotBeArchived, repo.CreateIssueCommentAttachment)

  1346. 								m.Combo("/{attachment_id}").

  1347. 									Get(repo.GetIssueCommentAttachment).

  1348. 									Patch(reqToken(), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueCommentAttachment).

  1349. 									Delete(reqToken(), mustNotBeArchived, repo.DeleteIssueCommentAttachment)

  1350. 							}, mustEnableAttachments)

  1351. 						})

  1352. 					})

  1353. 					m.Group("/{index}", func() {

  1354. 						m.Combo("").Get(repo.GetIssue).

  1355. 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue).

  1356. 							Delete(reqToken(), reqAdmin(), context.ReferencesGitRepo(), repo.DeleteIssue)

  1357. 						m.Group("/comments", func() {

  1358. 							m.Combo("").Get(repo.ListIssueComments).

  1359. 								Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  1360. 							m.Combo("/{id}", reqToken()).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  1361. 								Delete(repo.DeleteIssueCommentDeprecated)

  1362. 						})

  1363. 						m.Get("/timeline", repo.ListIssueCommentsAndTimeline)

  1364. 						m.Group("/labels", func() {

  1365. 							m.Combo("").Get(repo.ListIssueLabels).

  1366. 								Post(reqToken(), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  1367. 								Put(reqToken(), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  1368. 								Delete(reqToken(), repo.ClearIssueLabels)

  1369. 							m.Delete("/{id}", reqToken(), repo.DeleteIssueLabel)

  1370. 						})

  1371. 						m.Group("/times", func() {

  1372. 							m.Combo("").

  1373. 								Get(repo.ListTrackedTimes).

  1374. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  1375. 								Delete(repo.ResetIssueTime)

  1376. 							m.Delete("/{id}", repo.DeleteTime)

  1377. 						}, reqToken())

  1378. 						m.Combo("/deadline").Post(reqToken(), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  1379. 						m.Group("/stopwatch", func() {

  1380. 							m.Post("/start", repo.StartIssueStopwatch)

  1381. 							m.Post("/stop", repo.StopIssueStopwatch)

  1382. 							m.Delete("/delete", repo.DeleteIssueStopwatch)

  1383. 						}, reqToken())

  1384. 						m.Group("/subscriptions", func() {

  1385. 							m.Get("", repo.GetIssueSubscribers)

  1386. 							m.Get("/check", reqToken(), repo.CheckIssueSubscription)

  1387. 							m.Put("/{user}", reqToken(), repo.AddIssueSubscription)

  1388. 							m.Delete("/{user}", reqToken(), repo.DelIssueSubscription)

  1389. 						})

  1390. 						m.Combo("/reactions").

  1391. 							Get(repo.GetIssueReactions).

  1392. 							Post(reqToken(), bind(api.EditReactionOption{}), repo.PostIssueReaction).

  1393. 							Delete(reqToken(), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)

  1394. 						m.Group("/assets", func() {

  1395. 							m.Combo("").

  1396. 								Get(repo.ListIssueAttachments).

  1397. 								Post(reqToken(), mustNotBeArchived, repo.CreateIssueAttachment)

  1398. 							m.Combo("/{attachment_id}").

  1399. 								Get(repo.GetIssueAttachment).

  1400. 								Patch(reqToken(), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueAttachment).

  1401. 								Delete(reqToken(), mustNotBeArchived, repo.DeleteIssueAttachment)

  1402. 						}, mustEnableAttachments)

  1403. 						m.Combo("/dependencies").

  1404. 							Get(repo.GetIssueDependencies).

  1405. 							Post(reqToken(), mustNotBeArchived, bind(api.IssueMeta{}), repo.CreateIssueDependency).

  1406. 							Delete(reqToken(), mustNotBeArchived, bind(api.IssueMeta{}), repo.RemoveIssueDependency)

  1407. 						m.Combo("/blocks").

  1408. 							Get(repo.GetIssueBlocks).

  1409. 							Post(reqToken(), bind(api.IssueMeta{}), repo.CreateIssueBlocking).

  1410. 							Delete(reqToken(), bind(api.IssueMeta{}), repo.RemoveIssueBlocking)

  1411. 						m.Group("/pin", func() {

  1412. 							m.Combo("").

  1413. 								Post(reqToken(), reqAdmin(), repo.PinIssue).

  1414. 								Delete(reqToken(), reqAdmin(), repo.UnpinIssue)

  1415. 							m.Patch("/{position}", reqToken(), reqAdmin(), repo.MoveIssuePin)

  1416. 						})

  1417. 					})

  1418. 				}, mustEnableIssuesOrPulls)

  1419. 				m.Group("/labels", func() {

  1420. 					m.Combo("").Get(repo.ListLabels).

  1421. 						Post(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  1422. 					m.Combo("/{id}").Get(repo.GetLabel).

  1423. 						Patch(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  1424. 						Delete(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteLabel)

  1425. 				})

  1426. 				m.Group("/milestones", func() {

  1427. 					m.Combo("").Get(repo.ListMilestones).

  1428. 						Post(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  1429. 					m.Combo("/{id}").Get(repo.GetMilestone).

  1430. 						Patch(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  1431. 						Delete(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)

  1432. 				})

  1433. 			}, repoAssignment())

  1434. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryIssue))

  1435. 

  1436. 		// NOTE: these are Gitea package management API - see packages.CommonRoutes and packages.DockerContainerRoutes for endpoints that implement package manager APIs

  1437. 		m.Group("/packages/{username}", func() {

  1438. 			m.Group("/{type}/{name}/{version}", func() {

  1439. 				m.Get("", reqToken(), packages.GetPackage)

  1440. 				m.Delete("", reqToken(), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)

  1441. 				m.Get("/files", reqToken(), packages.ListPackageFiles)

  1442. 			})

  1443. 			m.Get("/", reqToken(), packages.ListPackages)

  1444. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryPackage), context.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))

  1445. 

  1446. 		// Organizations

  1447. 		m.Get("/user/orgs", reqToken(), tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), org.ListMyOrgs)

  1448. 		m.Group("/users/{username}/orgs", func() {

  1449. 			m.Get("", reqToken(), org.ListUserOrgs)

  1450. 			m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)

  1451. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser, auth_model.AccessTokenScopeCategoryOrganization), context.UserAssignmentAPI())

  1452. 		m.Post("/orgs", tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), reqToken(), bind(api.CreateOrgOption{}), org.Create)

  1453. 		m.Get("/orgs", org.GetAll, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization))

  1454. 		m.Group("/orgs/{org}", func() {

  1455. 			m.Combo("").Get(org.Get).

  1456. 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  1457. 				Delete(reqToken(), reqOrgOwnership(), org.Delete)

  1458. 			m.Combo("/repos").Get(user.ListOrgRepos).

  1459. 				Post(reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  1460. 			m.Group("/members", func() {

  1461. 				m.Get("", reqToken(), org.ListMembers)

  1462. 				m.Combo("/{username}").Get(reqToken(), org.IsMember).

  1463. 					Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)

  1464. 			})

  1465. 			m.Group("/actions", func() {

  1466. 				m.Group("/secrets", func() {

  1467. 					m.Get("", reqToken(), reqOrgOwnership(), org.ListActionsSecrets)

  1468. 					m.Combo("/{secretname}").

  1469. 						Put(reqToken(), reqOrgOwnership(), bind(api.CreateOrUpdateSecretOption{}), org.CreateOrUpdateSecret).

  1470. 						Delete(reqToken(), reqOrgOwnership(), org.DeleteSecret)

  1471. 				})

  1472. 

  1473. 				m.Group("/variables", func() {

  1474. 					m.Get("", reqToken(), reqOrgOwnership(), org.ListVariables)

  1475. 					m.Combo("/{variablename}").

  1476. 						Get(reqToken(), reqOrgOwnership(), org.GetVariable).

  1477. 						Delete(reqToken(), reqOrgOwnership(), org.DeleteVariable).

  1478. 						Post(reqToken(), reqOrgOwnership(), bind(api.CreateVariableOption{}), org.CreateVariable).

  1479. 						Put(reqToken(), reqOrgOwnership(), bind(api.UpdateVariableOption{}), org.UpdateVariable)

  1480. 				})

  1481. 

  1482. 				m.Group("/runners", func() {

  1483. 					m.Get("/registration-token", reqToken(), reqOrgOwnership(), org.GetRegistrationToken)

  1484. 				})

  1485. 			})

  1486. 			m.Group("/public_members", func() {

  1487. 				m.Get("", org.ListPublicMembers)

  1488. 				m.Combo("/{username}").Get(org.IsPublicMember).

  1489. 					Put(reqToken(), reqOrgMembership(), org.PublicizeMember).

  1490. 					Delete(reqToken(), reqOrgMembership(), org.ConcealMember)

  1491. 			})

  1492. 			m.Group("/teams", func() {

  1493. 				m.Get("", org.ListTeams)

  1494. 				m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  1495. 				m.Get("/search", org.SearchTeam)

  1496. 			}, reqToken(), reqOrgMembership())

  1497. 			m.Group("/labels", func() {

  1498. 				m.Get("", org.ListLabels)

  1499. 				m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

  1500. 				m.Combo("/{id}").Get(reqToken(), org.GetLabel).

  1501. 					Patch(reqToken(), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

  1502. 					Delete(reqToken(), reqOrgOwnership(), org.DeleteLabel)

  1503. 			})

  1504. 			m.Group("/hooks", func() {

  1505. 				m.Combo("").Get(org.ListHooks).

  1506. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  1507. 				m.Combo("/{id}").Get(org.GetHook).

  1508. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  1509. 					Delete(org.DeleteHook)

  1510. 			}, reqToken(), reqOrgOwnership(), reqWebhooksEnabled())

  1511. 			m.Group("/avatar", func() {

  1512. 				m.Post("", bind(api.UpdateUserAvatarOption{}), org.UpdateAvatar)

  1513. 				m.Delete("", org.DeleteAvatar)

  1514. 			}, reqToken(), reqOrgOwnership())

  1515. 			m.Get("/activities/feeds", org.ListOrgActivityFeeds)

  1516. 

  1517. 			m.Group("/blocks", func() {

  1518. 				m.Get("", org.ListBlocks)

  1519. 				m.Group("/{username}", func() {

  1520. 					m.Get("", org.CheckUserBlock)

  1521. 					m.Put("", org.BlockUser)

  1522. 					m.Delete("", org.UnblockUser)

  1523. 				})

  1524. 			}, reqToken(), reqOrgOwnership())

  1525. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(true))

  1526. 		m.Group("/teams/{teamid}", func() {

  1527. 			m.Combo("").Get(reqToken(), org.GetTeam).

  1528. 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  1529. 				Delete(reqToken(), reqOrgOwnership(), org.DeleteTeam)

  1530. 			m.Group("/members", func() {

  1531. 				m.Get("", reqToken(), org.GetTeamMembers)

  1532. 				m.Combo("/{username}").

  1533. 					Get(reqToken(), org.GetTeamMember).

  1534. 					Put(reqToken(), reqOrgOwnership(), org.AddTeamMember).

  1535. 					Delete(reqToken(), reqOrgOwnership(), org.RemoveTeamMember)

  1536. 			})

  1537. 			m.Group("/repos", func() {

  1538. 				m.Get("", reqToken(), org.GetTeamRepos)

  1539. 				m.Combo("/{org}/{reponame}").

  1540. 					Put(reqToken(), org.AddTeamRepository).

  1541. 					Delete(reqToken(), org.RemoveTeamRepository).

  1542. 					Get(reqToken(), org.GetTeamRepo)

  1543. 			})

  1544. 			m.Get("/activities/feeds", org.ListTeamActivityFeeds)

  1545. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryOrganization), orgAssignment(false, true), reqToken(), reqTeamMembership())

  1546. 

  1547. 		m.Group("/admin", func() {

  1548. 			m.Group("/cron", func() {

  1549. 				m.Get("", admin.ListCronTasks)

  1550. 				m.Post("/{task}", admin.PostCronTask)

  1551. 			})

  1552. 			m.Get("/orgs", admin.GetAllOrgs)

  1553. 			m.Group("/users", func() {

  1554. 				m.Get("", admin.SearchUsers)

  1555. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  1556. 				m.Group("/{username}", func() {

  1557. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  1558. 						Delete(admin.DeleteUser)

  1559. 					m.Group("/keys", func() {

  1560. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  1561. 						m.Delete("/{id}", admin.DeleteUserPublicKey)

  1562. 					})

  1563. 					m.Get("/orgs", org.ListUserOrgs)

  1564. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  1565. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  1566. 					m.Post("/rename", bind(api.RenameUserOption{}), admin.RenameUser)

  1567. 					m.Get("/badges", admin.ListUserBadges)

  1568. 					m.Post("/badges", bind(api.UserBadgeOption{}), admin.AddUserBadges)

  1569. 					m.Delete("/badges", bind(api.UserBadgeOption{}), admin.DeleteUserBadges)

  1570. 				}, context.UserAssignmentAPI())

  1571. 			})

  1572. 			m.Group("/emails", func() {

  1573. 				m.Get("", admin.GetAllEmails)

  1574. 				m.Get("/search", admin.SearchEmail)

  1575. 			})

  1576. 			m.Group("/unadopted", func() {

  1577. 				m.Get("", admin.ListUnadoptedRepositories)

  1578. 				m.Post("/{username}/{reponame}", admin.AdoptRepository)

  1579. 				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)

  1580. 			})

  1581. 			m.Group("/hooks", func() {

  1582. 				m.Combo("").Get(admin.ListHooks).

  1583. 					Post(bind(api.CreateHookOption{}), admin.CreateHook)

  1584. 				m.Combo("/{id}").Get(admin.GetHook).

  1585. 					Patch(bind(api.EditHookOption{}), admin.EditHook).

  1586. 					Delete(admin.DeleteHook)

  1587. 			})

  1588. 			m.Group("/runners", func() {

  1589. 				m.Get("/registration-token", admin.GetRegistrationToken)

  1590. 			})

  1591. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryAdmin), reqToken(), reqSiteAdmin())

  1592. 

  1593. 		m.Group("/topics", func() {

  1594. 			m.Get("/search", repo.TopicSearch)

  1595. 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryRepository))

  1596. 	}, sudo())

  1597. 

  1598. 	return m

  1599. }

  1600. 

  1601. func securityHeaders() func(http.Handler) http.Handler {

  1602. 	return func(next http.Handler) http.Handler {

  1603. 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {

  1604. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  1605. 			// http://stackoverflow.com/a/3146618/244009

  1606. 			resp.Header().Set("x-content-type-options", "nosniff")

  1607. 			next.ServeHTTP(resp, req)

  1608. 		})

  1609. 	}

  1610. }