mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9105 Commits
17 Branches
Tree: af61b2249a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'af61b2249a'
${ noResults }
gitea/routers/api/v1/api.go

api.go 30KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // Use of this source code is governed by a MIT-style

  4. // license that can be found in the LICENSE file.

  5. 

  6. // Package v1 Gitea API.

  7. //

  8. // This documentation describes the Gitea API.

  9. //

  10. //     Schemes: http, https

  11. //     BasePath: /api/v1

  12. //     Version: 1.1.1

  13. //     License: MIT http://opensource.org/licenses/MIT

  14. //

  15. //     Consumes:

  16. //     - application/json

  17. //     - text/plain

  18. //

  19. //     Produces:

  20. //     - application/json

  21. //     - text/html

  22. //

  23. //     Security:

  24. //     - BasicAuth :

  25. //     - Token :

  26. //     - AccessToken :

  27. //     - AuthorizationHeaderToken :

  28. //     - SudoParam :

  29. //     - SudoHeader :

  30. //

  31. //     SecurityDefinitions:

  32. //     BasicAuth:

  33. //          type: basic

  34. //     Token:

  35. //          type: apiKey

  36. //          name: token

  37. //          in: query

  38. //     AccessToken:

  39. //          type: apiKey

  40. //          name: access_token

  41. //          in: query

  42. //     AuthorizationHeaderToken:

  43. //          type: apiKey

  44. //          name: Authorization

  45. //          in: header

  46. //          description: API tokens must be prepended with "token" followed by a space.

  47. //     SudoParam:

  48. //          type: apiKey

  49. //          name: sudo

  50. //          in: query

  51. //          description: Sudo API request as the user provided as the key. Admin privileges are required.

  52. //     SudoHeader:

  53. //          type: apiKey

  54. //          name: Sudo

  55. //          in: header

  56. //          description: Sudo API request as the user provided as the key. Admin privileges are required.

  57. //

  58. // swagger:meta

  59. package v1

  60. 

  61. import (

  62. 	"net/http"

  63. 	"strings"

  64. 

  65. 	"code.gitea.io/gitea/models"

  66. 	"code.gitea.io/gitea/modules/auth"

  67. 	"code.gitea.io/gitea/modules/context"

  68. 	"code.gitea.io/gitea/modules/log"

  69. 	"code.gitea.io/gitea/modules/setting"

  70. 	api "code.gitea.io/gitea/modules/structs"

  71. 	"code.gitea.io/gitea/routers/api/v1/admin"

  72. 	"code.gitea.io/gitea/routers/api/v1/misc"

  73. 	"code.gitea.io/gitea/routers/api/v1/notify"

  74. 	"code.gitea.io/gitea/routers/api/v1/org"

  75. 	"code.gitea.io/gitea/routers/api/v1/repo"

  76. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  77. 	"code.gitea.io/gitea/routers/api/v1/user"

  78. 

  79. 	"gitea.com/macaron/binding"

  80. 	"gitea.com/macaron/macaron"

  81. )

  82. 

  83. func sudo() macaron.Handler {

  84. 	return func(ctx *context.APIContext) {

  85. 		sudo := ctx.Query("sudo")

  86. 		if len(sudo) == 0 {

  87. 			sudo = ctx.Req.Header.Get("Sudo")

  88. 		}

  89. 

  90. 		if len(sudo) > 0 {

  91. 			if ctx.IsSigned && ctx.User.IsAdmin {

  92. 				user, err := models.GetUserByName(sudo)

  93. 				if err != nil {

  94. 					if models.IsErrUserNotExist(err) {

  95. 						ctx.NotFound()

  96. 					} else {

  97. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  98. 					}

  99. 					return

  100. 				}

  101. 				log.Trace("Sudo from (%s) to: %s", ctx.User.Name, user.Name)

  102. 				ctx.User = user

  103. 			} else {

  104. 				ctx.JSON(http.StatusForbidden, map[string]string{

  105. 					"message": "Only administrators allowed to sudo.",

  106. 				})

  107. 				return

  108. 			}

  109. 		}

  110. 	}

  111. }

  112. 

  113. func repoAssignment() macaron.Handler {

  114. 	return func(ctx *context.APIContext) {

  115. 		userName := ctx.Params(":username")

  116. 		repoName := ctx.Params(":reponame")

  117. 

  118. 		var (

  119. 			owner *models.User

  120. 			err   error

  121. 		)

  122. 

  123. 		// Check if the user is the same as the repository owner.

  124. 		if ctx.IsSigned && ctx.User.LowerName == strings.ToLower(userName) {

  125. 			owner = ctx.User

  126. 		} else {

  127. 			owner, err = models.GetUserByName(userName)

  128. 			if err != nil {

  129. 				if models.IsErrUserNotExist(err) {

  130. 					ctx.NotFound()

  131. 				} else {

  132. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  133. 				}

  134. 				return

  135. 			}

  136. 		}

  137. 		ctx.Repo.Owner = owner

  138. 

  139. 		// Get repository.

  140. 		repo, err := models.GetRepositoryByName(owner.ID, repoName)

  141. 		if err != nil {

  142. 			if models.IsErrRepoNotExist(err) {

  143. 				redirectRepoID, err := models.LookupRepoRedirect(owner.ID, repoName)

  144. 				if err == nil {

  145. 					context.RedirectToRepo(ctx.Context, redirectRepoID)

  146. 				} else if models.IsErrRepoRedirectNotExist(err) {

  147. 					ctx.NotFound()

  148. 				} else {

  149. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  150. 				}

  151. 			} else {

  152. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  153. 			}

  154. 			return

  155. 		}

  156. 

  157. 		repo.Owner = owner

  158. 		ctx.Repo.Repository = repo

  159. 

  160. 		ctx.Repo.Permission, err = models.GetUserRepoPermission(repo, ctx.User)

  161. 		if err != nil {

  162. 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  163. 			return

  164. 		}

  165. 

  166. 		if !ctx.Repo.HasAccess() {

  167. 			ctx.NotFound()

  168. 			return

  169. 		}

  170. 	}

  171. }

  172. 

  173. // Contexter middleware already checks token for user sign in process.

  174. func reqToken() macaron.Handler {

  175. 	return func(ctx *context.APIContext) {

  176. 		if true == ctx.Data["IsApiToken"] {

  177. 			return

  178. 		}

  179. 		if ctx.Context.IsBasicAuth {

  180. 			ctx.CheckForOTP()

  181. 			return

  182. 		}

  183. 		if ctx.IsSigned {

  184. 			ctx.RequireCSRF()

  185. 			return

  186. 		}

  187. 		ctx.Context.Error(http.StatusUnauthorized)

  188. 	}

  189. }

  190. 

  191. func reqBasicAuth() macaron.Handler {

  192. 	return func(ctx *context.APIContext) {

  193. 		if !ctx.Context.IsBasicAuth {

  194. 			ctx.Context.Error(http.StatusUnauthorized)

  195. 			return

  196. 		}

  197. 		ctx.CheckForOTP()

  198. 	}

  199. }

  200. 

  201. // reqSiteAdmin user should be the site admin

  202. func reqSiteAdmin() macaron.Handler {

  203. 	return func(ctx *context.Context) {

  204. 		if !ctx.IsUserSiteAdmin() {

  205. 			ctx.Error(http.StatusForbidden)

  206. 			return

  207. 		}

  208. 	}

  209. }

  210. 

  211. // reqOwner user should be the owner of the repo or site admin.

  212. func reqOwner() macaron.Handler {

  213. 	return func(ctx *context.Context) {

  214. 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {

  215. 			ctx.Error(http.StatusForbidden)

  216. 			return

  217. 		}

  218. 	}

  219. }

  220. 

  221. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  222. func reqAdmin() macaron.Handler {

  223. 	return func(ctx *context.Context) {

  224. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  225. 			ctx.Error(http.StatusForbidden)

  226. 			return

  227. 		}

  228. 	}

  229. }

  230. 

  231. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  232. func reqRepoWriter(unitTypes ...models.UnitType) macaron.Handler {

  233. 	return func(ctx *context.Context) {

  234. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  235. 			ctx.Error(http.StatusForbidden)

  236. 			return

  237. 		}

  238. 	}

  239. }

  240. 

  241. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  242. func reqRepoReader(unitType models.UnitType) macaron.Handler {

  243. 	return func(ctx *context.Context) {

  244. 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  245. 			ctx.Error(http.StatusForbidden)

  246. 			return

  247. 		}

  248. 	}

  249. }

  250. 

  251. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  252. func reqAnyRepoReader() macaron.Handler {

  253. 	return func(ctx *context.Context) {

  254. 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {

  255. 			ctx.Error(http.StatusForbidden)

  256. 			return

  257. 		}

  258. 	}

  259. }

  260. 

  261. // reqOrgOwnership user should be an organization owner, or a site admin

  262. func reqOrgOwnership() macaron.Handler {

  263. 	return func(ctx *context.APIContext) {

  264. 		if ctx.Context.IsUserSiteAdmin() {

  265. 			return

  266. 		}

  267. 

  268. 		var orgID int64

  269. 		if ctx.Org.Organization != nil {

  270. 			orgID = ctx.Org.Organization.ID

  271. 		} else if ctx.Org.Team != nil {

  272. 			orgID = ctx.Org.Team.OrgID

  273. 		} else {

  274. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  275. 			return

  276. 		}

  277. 

  278. 		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)

  279. 		if err != nil {

  280. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  281. 			return

  282. 		} else if !isOwner {

  283. 			if ctx.Org.Organization != nil {

  284. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  285. 			} else {

  286. 				ctx.NotFound()

  287. 			}

  288. 			return

  289. 		}

  290. 	}

  291. }

  292. 

  293. // reqTeamMembership user should be an team member, or a site admin

  294. func reqTeamMembership() macaron.Handler {

  295. 	return func(ctx *context.APIContext) {

  296. 		if ctx.Context.IsUserSiteAdmin() {

  297. 			return

  298. 		}

  299. 		if ctx.Org.Team == nil {

  300. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  301. 			return

  302. 		}

  303. 

  304. 		var orgID = ctx.Org.Team.OrgID

  305. 		isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)

  306. 		if err != nil {

  307. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  308. 			return

  309. 		} else if isOwner {

  310. 			return

  311. 		}

  312. 

  313. 		if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {

  314. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  315. 			return

  316. 		} else if !isTeamMember {

  317. 			isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)

  318. 			if err != nil {

  319. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  320. 			} else if isOrgMember {

  321. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  322. 			} else {

  323. 				ctx.NotFound()

  324. 			}

  325. 			return

  326. 		}

  327. 	}

  328. }

  329. 

  330. // reqOrgMembership user should be an organization member, or a site admin

  331. func reqOrgMembership() macaron.Handler {

  332. 	return func(ctx *context.APIContext) {

  333. 		if ctx.Context.IsUserSiteAdmin() {

  334. 			return

  335. 		}

  336. 

  337. 		var orgID int64

  338. 		if ctx.Org.Organization != nil {

  339. 			orgID = ctx.Org.Organization.ID

  340. 		} else if ctx.Org.Team != nil {

  341. 			orgID = ctx.Org.Team.OrgID

  342. 		} else {

  343. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  344. 			return

  345. 		}

  346. 

  347. 		if isMember, err := models.IsOrganizationMember(orgID, ctx.User.ID); err != nil {

  348. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  349. 			return

  350. 		} else if !isMember {

  351. 			if ctx.Org.Organization != nil {

  352. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  353. 			} else {

  354. 				ctx.NotFound()

  355. 			}

  356. 			return

  357. 		}

  358. 	}

  359. }

  360. 

  361. func reqGitHook() macaron.Handler {

  362. 	return func(ctx *context.APIContext) {

  363. 		if !ctx.User.CanEditGitHook() {

  364. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  365. 			return

  366. 		}

  367. 	}

  368. }

  369. 

  370. func orgAssignment(args ...bool) macaron.Handler {

  371. 	var (

  372. 		assignOrg  bool

  373. 		assignTeam bool

  374. 	)

  375. 	if len(args) > 0 {

  376. 		assignOrg = args[0]

  377. 	}

  378. 	if len(args) > 1 {

  379. 		assignTeam = args[1]

  380. 	}

  381. 	return func(ctx *context.APIContext) {

  382. 		ctx.Org = new(context.APIOrganization)

  383. 

  384. 		var err error

  385. 		if assignOrg {

  386. 			ctx.Org.Organization, err = models.GetOrgByName(ctx.Params(":orgname"))

  387. 			if err != nil {

  388. 				if models.IsErrOrgNotExist(err) {

  389. 					ctx.NotFound()

  390. 				} else {

  391. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  392. 				}

  393. 				return

  394. 			}

  395. 		}

  396. 

  397. 		if assignTeam {

  398. 			ctx.Org.Team, err = models.GetTeamByID(ctx.ParamsInt64(":teamid"))

  399. 			if err != nil {

  400. 				if models.IsErrUserNotExist(err) {

  401. 					ctx.NotFound()

  402. 				} else {

  403. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  404. 				}

  405. 				return

  406. 			}

  407. 		}

  408. 	}

  409. }

  410. 

  411. func mustEnableIssues(ctx *context.APIContext) {

  412. 	if !ctx.Repo.CanRead(models.UnitTypeIssues) {

  413. 		if log.IsTrace() {

  414. 			if ctx.IsSigned {

  415. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  416. 					"User in Repo has Permissions: %-+v",

  417. 					ctx.User,

  418. 					models.UnitTypeIssues,

  419. 					ctx.Repo.Repository,

  420. 					ctx.Repo.Permission)

  421. 			} else {

  422. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  423. 					"Anonymous user in Repo has Permissions: %-+v",

  424. 					models.UnitTypeIssues,

  425. 					ctx.Repo.Repository,

  426. 					ctx.Repo.Permission)

  427. 			}

  428. 		}

  429. 		ctx.NotFound()

  430. 		return

  431. 	}

  432. }

  433. 

  434. func mustAllowPulls(ctx *context.APIContext) {

  435. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {

  436. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  437. 			if ctx.IsSigned {

  438. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  439. 					"User in Repo has Permissions: %-+v",

  440. 					ctx.User,

  441. 					models.UnitTypePullRequests,

  442. 					ctx.Repo.Repository,

  443. 					ctx.Repo.Permission)

  444. 			} else {

  445. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  446. 					"Anonymous user in Repo has Permissions: %-+v",

  447. 					models.UnitTypePullRequests,

  448. 					ctx.Repo.Repository,

  449. 					ctx.Repo.Permission)

  450. 			}

  451. 		}

  452. 		ctx.NotFound()

  453. 		return

  454. 	}

  455. }

  456. 

  457. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  458. 	if !ctx.Repo.CanRead(models.UnitTypeIssues) &&

  459. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(models.UnitTypePullRequests)) {

  460. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  461. 			if ctx.IsSigned {

  462. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  463. 					"User in Repo has Permissions: %-+v",

  464. 					ctx.User,

  465. 					models.UnitTypeIssues,

  466. 					models.UnitTypePullRequests,

  467. 					ctx.Repo.Repository,

  468. 					ctx.Repo.Permission)

  469. 			} else {

  470. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  471. 					"Anonymous user in Repo has Permissions: %-+v",

  472. 					models.UnitTypeIssues,

  473. 					models.UnitTypePullRequests,

  474. 					ctx.Repo.Repository,

  475. 					ctx.Repo.Permission)

  476. 			}

  477. 		}

  478. 		ctx.NotFound()

  479. 		return

  480. 	}

  481. }

  482. 

  483. func mustEnableUserHeatmap(ctx *context.APIContext) {

  484. 	if !setting.Service.EnableUserHeatmap {

  485. 		ctx.NotFound()

  486. 		return

  487. 	}

  488. }

  489. 

  490. func mustNotBeArchived(ctx *context.APIContext) {

  491. 	if ctx.Repo.Repository.IsArchived {

  492. 		ctx.NotFound()

  493. 		return

  494. 	}

  495. }

  496. 

  497. // RegisterRoutes registers all v1 APIs routes to web application.

  498. // FIXME: custom form error response

  499. func RegisterRoutes(m *macaron.Macaron) {

  500. 	bind := binding.Bind

  501. 

  502. 	if setting.API.EnableSwagger {

  503. 		m.Get("/swagger", misc.Swagger) //Render V1 by default

  504. 	}

  505. 

  506. 	m.Group("/v1", func() {

  507. 		// Miscellaneous

  508. 		if setting.API.EnableSwagger {

  509. 			m.Get("/swagger", misc.Swagger)

  510. 		}

  511. 		m.Get("/version", misc.Version)

  512. 		m.Get("/signing-key.gpg", misc.SigningKey)

  513. 		m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  514. 		m.Post("/markdown/raw", misc.MarkdownRaw)

  515. 

  516. 		// Notifications

  517. 		m.Group("/notifications", func() {

  518. 			m.Combo("").

  519. 				Get(notify.ListNotifications).

  520. 				Put(notify.ReadNotifications)

  521. 			m.Get("/new", notify.NewAvailable)

  522. 			m.Combo("/threads/:id").

  523. 				Get(notify.GetThread).

  524. 				Patch(notify.ReadThread)

  525. 		}, reqToken())

  526. 

  527. 		// Users

  528. 		m.Group("/users", func() {

  529. 			m.Get("/search", user.Search)

  530. 

  531. 			m.Group("/:username", func() {

  532. 				m.Get("", user.GetInfo)

  533. 				m.Get("/heatmap", mustEnableUserHeatmap, user.GetUserHeatmapData)

  534. 

  535. 				m.Get("/repos", user.ListUserRepos)

  536. 				m.Group("/tokens", func() {

  537. 					m.Combo("").Get(user.ListAccessTokens).

  538. 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

  539. 					m.Combo("/:id").Delete(user.DeleteAccessToken)

  540. 				}, reqBasicAuth())

  541. 			})

  542. 		})

  543. 

  544. 		m.Group("/users", func() {

  545. 			m.Group("/:username", func() {

  546. 				m.Get("/keys", user.ListPublicKeys)

  547. 				m.Get("/gpg_keys", user.ListGPGKeys)

  548. 

  549. 				m.Get("/followers", user.ListFollowers)

  550. 				m.Group("/following", func() {

  551. 					m.Get("", user.ListFollowing)

  552. 					m.Get("/:target", user.CheckFollowing)

  553. 				})

  554. 

  555. 				m.Get("/starred", user.GetStarredRepos)

  556. 

  557. 				m.Get("/subscriptions", user.GetWatchedRepos)

  558. 			})

  559. 		}, reqToken())

  560. 

  561. 		m.Group("/user", func() {

  562. 			m.Get("", user.GetAuthenticatedUser)

  563. 			m.Combo("/emails").Get(user.ListEmails).

  564. 				Post(bind(api.CreateEmailOption{}), user.AddEmail).

  565. 				Delete(bind(api.DeleteEmailOption{}), user.DeleteEmail)

  566. 

  567. 			m.Get("/followers", user.ListMyFollowers)

  568. 			m.Group("/following", func() {

  569. 				m.Get("", user.ListMyFollowing)

  570. 				m.Combo("/:username").Get(user.CheckMyFollowing).Put(user.Follow).Delete(user.Unfollow)

  571. 			})

  572. 

  573. 			m.Group("/keys", func() {

  574. 				m.Combo("").Get(user.ListMyPublicKeys).

  575. 					Post(bind(api.CreateKeyOption{}), user.CreatePublicKey)

  576. 				m.Combo("/:id").Get(user.GetPublicKey).

  577. 					Delete(user.DeletePublicKey)

  578. 			})

  579. 			m.Group("/applications", func() {

  580. 				m.Combo("/oauth2").

  581. 					Get(user.ListOauth2Applications).

  582. 					Post(bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  583. 				m.Delete("/oauth2/:id", user.DeleteOauth2Application)

  584. 			}, reqToken())

  585. 

  586. 			m.Group("/gpg_keys", func() {

  587. 				m.Combo("").Get(user.ListMyGPGKeys).

  588. 					Post(bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  589. 				m.Combo("/:id").Get(user.GetGPGKey).

  590. 					Delete(user.DeleteGPGKey)

  591. 			})

  592. 

  593. 			m.Combo("/repos").Get(user.ListMyRepos).

  594. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  595. 

  596. 			m.Group("/starred", func() {

  597. 				m.Get("", user.GetMyStarredRepos)

  598. 				m.Group("/:username/:reponame", func() {

  599. 					m.Get("", user.IsStarring)

  600. 					m.Put("", user.Star)

  601. 					m.Delete("", user.Unstar)

  602. 				}, repoAssignment())

  603. 			})

  604. 			m.Get("/times", repo.ListMyTrackedTimes)

  605. 

  606. 			m.Get("/stopwatches", repo.GetStopwatches)

  607. 

  608. 			m.Get("/subscriptions", user.GetMyWatchedRepos)

  609. 

  610. 			m.Get("/teams", org.ListUserTeams)

  611. 		}, reqToken())

  612. 

  613. 		// Repositories

  614. 		m.Post("/org/:org/repos", reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

  615. 

  616. 		m.Combo("/repositories/:id", reqToken()).Get(repo.GetByID)

  617. 

  618. 		m.Group("/repos", func() {

  619. 			m.Get("/search", repo.Search)

  620. 

  621. 			m.Get("/issues/search", repo.SearchIssues)

  622. 

  623. 			m.Post("/migrate", reqToken(), bind(auth.MigrateRepoForm{}), repo.Migrate)

  624. 

  625. 			m.Group("/:username/:reponame", func() {

  626. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  627. 					Delete(reqToken(), reqOwner(), repo.Delete).

  628. 					Patch(reqToken(), reqAdmin(), bind(api.EditRepoOption{}), context.RepoRef(), repo.Edit)

  629. 				m.Post("/transfer", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  630. 				m.Combo("/notifications").

  631. 					Get(reqToken(), notify.ListRepoNotifications).

  632. 					Put(reqToken(), notify.ReadRepoNotifications)

  633. 				m.Group("/hooks", func() {

  634. 					m.Combo("").Get(repo.ListHooks).

  635. 						Post(bind(api.CreateHookOption{}), repo.CreateHook)

  636. 					m.Group("/:id", func() {

  637. 						m.Combo("").Get(repo.GetHook).

  638. 							Patch(bind(api.EditHookOption{}), repo.EditHook).

  639. 							Delete(repo.DeleteHook)

  640. 						m.Post("/tests", context.RepoRef(), repo.TestHook)

  641. 					})

  642. 					m.Group("/git", func() {

  643. 						m.Combo("").Get(repo.ListGitHooks)

  644. 						m.Group("/:id", func() {

  645. 							m.Combo("").Get(repo.GetGitHook).

  646. 								Patch(bind(api.EditGitHookOption{}), repo.EditGitHook).

  647. 								Delete(repo.DeleteGitHook)

  648. 						})

  649. 					}, reqGitHook(), context.ReferencesGitRepo(true))

  650. 				}, reqToken(), reqAdmin())

  651. 				m.Group("/collaborators", func() {

  652. 					m.Get("", repo.ListCollaborators)

  653. 					m.Combo("/:collaborator").Get(repo.IsCollaborator).

  654. 						Put(bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  655. 						Delete(repo.DeleteCollaborator)

  656. 				}, reqToken(), reqAdmin())

  657. 				m.Get("/raw/*", context.RepoRefByType(context.RepoRefAny), reqRepoReader(models.UnitTypeCode), repo.GetRawFile)

  658. 				m.Get("/archive/*", reqRepoReader(models.UnitTypeCode), repo.GetArchive)

  659. 				m.Combo("/forks").Get(repo.ListForks).

  660. 					Post(reqToken(), reqRepoReader(models.UnitTypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  661. 				m.Group("/branches", func() {

  662. 					m.Get("", repo.ListBranches)

  663. 					m.Get("/*", context.RepoRefByType(context.RepoRefBranch), repo.GetBranch)

  664. 				}, reqRepoReader(models.UnitTypeCode))

  665. 				m.Group("/branch_protections", func() {

  666. 					m.Get("", repo.ListBranchProtections)

  667. 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)

  668. 					m.Group("/:name", func() {

  669. 						m.Get("", repo.GetBranchProtection)

  670. 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)

  671. 						m.Delete("", repo.DeleteBranchProtection)

  672. 					})

  673. 				}, reqToken(), reqAdmin())

  674. 				m.Group("/tags", func() {

  675. 					m.Get("", repo.ListTags)

  676. 				}, reqRepoReader(models.UnitTypeCode), context.ReferencesGitRepo(true))

  677. 				m.Group("/keys", func() {

  678. 					m.Combo("").Get(repo.ListDeployKeys).

  679. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  680. 					m.Combo("/:id").Get(repo.GetDeployKey).

  681. 						Delete(repo.DeleteDeploykey)

  682. 				}, reqToken(), reqAdmin())

  683. 				m.Group("/times", func() {

  684. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  685. 					m.Combo("/:timetrackingusername").Get(repo.ListTrackedTimesByUser)

  686. 				}, mustEnableIssues, reqToken())

  687. 				m.Group("/issues", func() {

  688. 					m.Combo("").Get(repo.ListIssues).

  689. 						Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)

  690. 					m.Group("/comments", func() {

  691. 						m.Get("", repo.ListRepoIssueComments)

  692. 						m.Group("/:id", func() {

  693. 							m.Combo("").

  694. 								Get(repo.GetIssueComment).

  695. 								Patch(mustNotBeArchived, reqToken(), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  696. 								Delete(reqToken(), repo.DeleteIssueComment)

  697. 							m.Combo("/reactions").

  698. 								Get(repo.GetIssueCommentReactions).

  699. 								Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueCommentReaction).

  700. 								Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueCommentReaction)

  701. 						})

  702. 					})

  703. 					m.Group("/:index", func() {

  704. 						m.Combo("").Get(repo.GetIssue).

  705. 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue)

  706. 						m.Group("/comments", func() {

  707. 							m.Combo("").Get(repo.ListIssueComments).

  708. 								Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  709. 							m.Combo("/:id", reqToken()).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  710. 								Delete(repo.DeleteIssueCommentDeprecated)

  711. 						})

  712. 						m.Group("/labels", func() {

  713. 							m.Combo("").Get(repo.ListIssueLabels).

  714. 								Post(reqToken(), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  715. 								Put(reqToken(), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  716. 								Delete(reqToken(), repo.ClearIssueLabels)

  717. 							m.Delete("/:id", reqToken(), repo.DeleteIssueLabel)

  718. 						})

  719. 						m.Group("/times", func() {

  720. 							m.Combo("").

  721. 								Get(repo.ListTrackedTimes).

  722. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  723. 								Delete(repo.ResetIssueTime)

  724. 							m.Delete("/:id", repo.DeleteTime)

  725. 						}, reqToken())

  726. 						m.Combo("/deadline").Post(reqToken(), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  727. 						m.Group("/stopwatch", func() {

  728. 							m.Post("/start", reqToken(), repo.StartIssueStopwatch)

  729. 							m.Post("/stop", reqToken(), repo.StopIssueStopwatch)

  730. 							m.Delete("/delete", reqToken(), repo.DeleteIssueStopwatch)

  731. 						})

  732. 						m.Group("/subscriptions", func() {

  733. 							m.Get("", repo.GetIssueSubscribers)

  734. 							m.Put("/:user", reqToken(), repo.AddIssueSubscription)

  735. 							m.Delete("/:user", reqToken(), repo.DelIssueSubscription)

  736. 						})

  737. 						m.Combo("/reactions").

  738. 							Get(repo.GetIssueReactions).

  739. 							Post(bind(api.EditReactionOption{}), reqToken(), repo.PostIssueReaction).

  740. 							Delete(bind(api.EditReactionOption{}), reqToken(), repo.DeleteIssueReaction)

  741. 					})

  742. 				}, mustEnableIssuesOrPulls)

  743. 				m.Group("/labels", func() {

  744. 					m.Combo("").Get(repo.ListLabels).

  745. 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  746. 					m.Combo("/:id").Get(repo.GetLabel).

  747. 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  748. 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteLabel)

  749. 				})

  750. 				m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  751. 				m.Post("/markdown/raw", misc.MarkdownRaw)

  752. 				m.Group("/milestones", func() {

  753. 					m.Combo("").Get(repo.ListMilestones).

  754. 						Post(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  755. 					m.Combo("/:id").Get(repo.GetMilestone).

  756. 						Patch(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  757. 						Delete(reqToken(), reqRepoWriter(models.UnitTypeIssues, models.UnitTypePullRequests), repo.DeleteMilestone)

  758. 				})

  759. 				m.Get("/stargazers", repo.ListStargazers)

  760. 				m.Get("/subscribers", repo.ListSubscribers)

  761. 				m.Group("/subscription", func() {

  762. 					m.Get("", user.IsWatching)

  763. 					m.Put("", reqToken(), user.Watch)

  764. 					m.Delete("", reqToken(), user.Unwatch)

  765. 				})

  766. 				m.Group("/releases", func() {

  767. 					m.Combo("").Get(repo.ListReleases).

  768. 						Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  769. 					m.Group("/:id", func() {

  770. 						m.Combo("").Get(repo.GetRelease).

  771. 							Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), context.ReferencesGitRepo(false), bind(api.EditReleaseOption{}), repo.EditRelease).

  772. 							Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteRelease)

  773. 						m.Group("/assets", func() {

  774. 							m.Combo("").Get(repo.ListReleaseAttachments).

  775. 								Post(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.CreateReleaseAttachment)

  776. 							m.Combo("/:asset").Get(repo.GetReleaseAttachment).

  777. 								Patch(reqToken(), reqRepoWriter(models.UnitTypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  778. 								Delete(reqToken(), reqRepoWriter(models.UnitTypeReleases), repo.DeleteReleaseAttachment)

  779. 						})

  780. 					})

  781. 				}, reqRepoReader(models.UnitTypeReleases))

  782. 				m.Post("/mirror-sync", reqToken(), reqRepoWriter(models.UnitTypeCode), repo.MirrorSync)

  783. 				m.Get("/editorconfig/:filename", context.RepoRef(), reqRepoReader(models.UnitTypeCode), repo.GetEditorconfig)

  784. 				m.Group("/pulls", func() {

  785. 					m.Combo("").Get(bind(api.ListPullRequestsOptions{}), repo.ListPullRequests).

  786. 						Post(reqToken(), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  787. 					m.Group("/:index", func() {

  788. 						m.Combo("").Get(repo.GetPullRequest).

  789. 							Patch(reqToken(), reqRepoWriter(models.UnitTypePullRequests), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  790. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  791. 							Post(reqToken(), mustNotBeArchived, reqRepoWriter(models.UnitTypePullRequests), bind(auth.MergePullRequestForm{}), repo.MergePullRequest)

  792. 					})

  793. 				}, mustAllowPulls, reqRepoReader(models.UnitTypeCode), context.ReferencesGitRepo(false))

  794. 				m.Group("/statuses", func() {

  795. 					m.Combo("/:sha").Get(repo.GetCommitStatuses).

  796. 						Post(reqToken(), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  797. 				}, reqRepoReader(models.UnitTypeCode))

  798. 				m.Group("/commits", func() {

  799. 					m.Get("", repo.GetAllCommits)

  800. 					m.Group("/:ref", func() {

  801. 						// TODO: Add m.Get("") for single commit (https://developer.github.com/v3/repos/commits/#get-a-single-commit)

  802. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  803. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  804. 					})

  805. 				}, reqRepoReader(models.UnitTypeCode))

  806. 				m.Group("/git", func() {

  807. 					m.Group("/commits", func() {

  808. 						m.Get("/:sha", repo.GetSingleCommit)

  809. 					})

  810. 					m.Get("/refs", repo.GetGitAllRefs)

  811. 					m.Get("/refs/*", repo.GetGitRefs)

  812. 					m.Get("/trees/:sha", context.RepoRef(), repo.GetTree)

  813. 					m.Get("/blobs/:sha", context.RepoRef(), repo.GetBlob)

  814. 					m.Get("/tags/:sha", context.RepoRef(), repo.GetTag)

  815. 				}, reqRepoReader(models.UnitTypeCode))

  816. 				m.Group("/contents", func() {

  817. 					m.Get("", repo.GetContentsList)

  818. 					m.Get("/*", repo.GetContents)

  819. 					m.Group("/*", func() {

  820. 						m.Post("", bind(api.CreateFileOptions{}), repo.CreateFile)

  821. 						m.Put("", bind(api.UpdateFileOptions{}), repo.UpdateFile)

  822. 						m.Delete("", bind(api.DeleteFileOptions{}), repo.DeleteFile)

  823. 					}, reqRepoWriter(models.UnitTypeCode), reqToken())

  824. 				}, reqRepoReader(models.UnitTypeCode))

  825. 				m.Get("/signing-key.gpg", misc.SigningKey)

  826. 				m.Group("/topics", func() {

  827. 					m.Combo("").Get(repo.ListTopics).

  828. 						Put(reqToken(), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  829. 					m.Group("/:topic", func() {

  830. 						m.Combo("").Put(reqToken(), repo.AddTopic).

  831. 							Delete(reqToken(), repo.DeleteTopic)

  832. 					}, reqAdmin())

  833. 				}, reqAnyRepoReader())

  834. 			}, repoAssignment())

  835. 		})

  836. 

  837. 		// Organizations

  838. 		m.Get("/user/orgs", reqToken(), org.ListMyOrgs)

  839. 		m.Get("/users/:username/orgs", org.ListUserOrgs)

  840. 		m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)

  841. 		m.Get("/orgs", org.GetAll)

  842. 		m.Group("/orgs/:orgname", func() {

  843. 			m.Combo("").Get(org.Get).

  844. 				Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  845. 				Delete(reqToken(), reqOrgOwnership(), org.Delete)

  846. 			m.Combo("/repos").Get(user.ListOrgRepos).

  847. 				Post(reqToken(), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  848. 			m.Group("/members", func() {

  849. 				m.Get("", org.ListMembers)

  850. 				m.Combo("/:username").Get(org.IsMember).

  851. 					Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)

  852. 			})

  853. 			m.Group("/public_members", func() {

  854. 				m.Get("", org.ListPublicMembers)

  855. 				m.Combo("/:username").Get(org.IsPublicMember).

  856. 					Put(reqToken(), reqOrgMembership(), org.PublicizeMember).

  857. 					Delete(reqToken(), reqOrgMembership(), org.ConcealMember)

  858. 			})

  859. 			m.Group("/teams", func() {

  860. 				m.Combo("", reqToken()).Get(org.ListTeams).

  861. 					Post(reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  862. 				m.Get("/search", org.SearchTeam)

  863. 			}, reqOrgMembership())

  864. 			m.Group("/hooks", func() {

  865. 				m.Combo("").Get(org.ListHooks).

  866. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  867. 				m.Combo("/:id").Get(org.GetHook).

  868. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  869. 					Delete(org.DeleteHook)

  870. 			}, reqToken(), reqOrgOwnership())

  871. 		}, orgAssignment(true))

  872. 		m.Group("/teams/:teamid", func() {

  873. 			m.Combo("").Get(org.GetTeam).

  874. 				Patch(reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  875. 				Delete(reqOrgOwnership(), org.DeleteTeam)

  876. 			m.Group("/members", func() {

  877. 				m.Get("", org.GetTeamMembers)

  878. 				m.Combo("/:username").

  879. 					Get(org.GetTeamMember).

  880. 					Put(reqOrgOwnership(), org.AddTeamMember).

  881. 					Delete(reqOrgOwnership(), org.RemoveTeamMember)

  882. 			})

  883. 			m.Group("/repos", func() {

  884. 				m.Get("", org.GetTeamRepos)

  885. 				m.Combo("/:orgname/:reponame").

  886. 					Put(org.AddTeamRepository).

  887. 					Delete(org.RemoveTeamRepository)

  888. 			})

  889. 		}, orgAssignment(false, true), reqToken(), reqTeamMembership())

  890. 

  891. 		m.Any("/*", func(ctx *context.APIContext) {

  892. 			ctx.NotFound()

  893. 		})

  894. 

  895. 		m.Group("/admin", func() {

  896. 			m.Get("/orgs", admin.GetAllOrgs)

  897. 			m.Group("/users", func() {

  898. 				m.Get("", admin.GetAllUsers)

  899. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  900. 				m.Group("/:username", func() {

  901. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  902. 						Delete(admin.DeleteUser)

  903. 					m.Group("/keys", func() {

  904. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  905. 						m.Delete("/:id", admin.DeleteUserPublicKey)

  906. 					})

  907. 					m.Get("/orgs", org.ListUserOrgs)

  908. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  909. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  910. 				})

  911. 			})

  912. 		}, reqToken(), reqSiteAdmin())

  913. 

  914. 		m.Group("/topics", func() {

  915. 			m.Get("/search", repo.TopicSearch)

  916. 		})

  917. 	}, securityHeaders(), context.APIContexter(), sudo())

  918. }

  919. 

  920. func securityHeaders() macaron.Handler {

  921. 	return func(ctx *macaron.Context) {

  922. 		ctx.Resp.Before(func(w macaron.ResponseWriter) {

  923. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  924. 			// http://stackoverflow.com/a/3146618/244009

  925. 			w.Header().Set("x-content-type-options", "nosniff")

  926. 		})

  927. 	}

  928. }