mirrors
/
gitea
kopie van https://github.com/go-gitea/gitea.git
Volgen 1
Ster 0
Vork 0
Code Kwesties 0 Publicaties 210 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14378 Commits
17 Branches
Tree: de484e86bc
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'de484e86bc'
${ noResults }
gitea/routers/api/v1/api.go

api.go 51KB
Ruw Blame Geschiedenis

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243 
  1. // Copyright 2015 The Gogs Authors. All rights reserved.

  2. // Copyright 2016 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. // Package v1 Gitea API.

  6. //

  7. // This documentation describes the Gitea API.

  8. //

  9. //	Schemes: http, https

  10. //	BasePath: /api/v1

  11. //	Version: {{AppVer | JSEscape | Safe}}

  12. //	License: MIT http://opensource.org/licenses/MIT

  13. //

  14. //	Consumes:

  15. //	- application/json

  16. //	- text/plain

  17. //

  18. //	Produces:

  19. //	- application/json

  20. //	- text/html

  21. //

  22. //	Security:

  23. //	- BasicAuth :

  24. //	- Token :

  25. //	- AccessToken :

  26. //	- AuthorizationHeaderToken :

  27. //	- SudoParam :

  28. //	- SudoHeader :

  29. //	- TOTPHeader :

  30. //

  31. //	SecurityDefinitions:

  32. //	BasicAuth:

  33. //	     type: basic

  34. //	Token:

  35. //	     type: apiKey

  36. //	     name: token

  37. //	     in: query

  38. //	AccessToken:

  39. //	     type: apiKey

  40. //	     name: access_token

  41. //	     in: query

  42. //	AuthorizationHeaderToken:

  43. //	     type: apiKey

  44. //	     name: Authorization

  45. //	     in: header

  46. //	     description: API tokens must be prepended with "token" followed by a space.

  47. //	SudoParam:

  48. //	     type: apiKey

  49. //	     name: sudo

  50. //	     in: query

  51. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  52. //	SudoHeader:

  53. //	     type: apiKey

  54. //	     name: Sudo

  55. //	     in: header

  56. //	     description: Sudo API request as the user provided as the key. Admin privileges are required.

  57. //	TOTPHeader:

  58. //	     type: apiKey

  59. //	     name: X-GITEA-OTP

  60. //	     in: header

  61. //	     description: Must be used in combination with BasicAuth if two-factor authentication is enabled.

  62. //

  63. // swagger:meta

  64. package v1

  65. 

  66. import (

  67. 	gocontext "context"

  68. 	"fmt"

  69. 	"net/http"

  70. 	"strings"

  71. 

  72. 	auth_model "code.gitea.io/gitea/models/auth"

  73. 	"code.gitea.io/gitea/models/organization"

  74. 	"code.gitea.io/gitea/models/perm"

  75. 	access_model "code.gitea.io/gitea/models/perm/access"

  76. 	repo_model "code.gitea.io/gitea/models/repo"

  77. 	"code.gitea.io/gitea/models/unit"

  78. 	user_model "code.gitea.io/gitea/models/user"

  79. 	"code.gitea.io/gitea/modules/context"

  80. 	"code.gitea.io/gitea/modules/log"

  81. 	"code.gitea.io/gitea/modules/setting"

  82. 	api "code.gitea.io/gitea/modules/structs"

  83. 	"code.gitea.io/gitea/modules/web"

  84. 	"code.gitea.io/gitea/routers/api/v1/activitypub"

  85. 	"code.gitea.io/gitea/routers/api/v1/admin"

  86. 	"code.gitea.io/gitea/routers/api/v1/misc"

  87. 	"code.gitea.io/gitea/routers/api/v1/notify"

  88. 	"code.gitea.io/gitea/routers/api/v1/org"

  89. 	"code.gitea.io/gitea/routers/api/v1/packages"

  90. 	"code.gitea.io/gitea/routers/api/v1/repo"

  91. 	"code.gitea.io/gitea/routers/api/v1/settings"

  92. 	"code.gitea.io/gitea/routers/api/v1/user"

  93. 	"code.gitea.io/gitea/services/auth"

  94. 	context_service "code.gitea.io/gitea/services/context"

  95. 	"code.gitea.io/gitea/services/forms"

  96. 

  97. 	_ "code.gitea.io/gitea/routers/api/v1/swagger" // for swagger generation

  98. 

  99. 	"gitea.com/go-chi/binding"

  100. 	"github.com/go-chi/cors"

  101. )

  102. 

  103. func sudo() func(ctx *context.APIContext) {

  104. 	return func(ctx *context.APIContext) {

  105. 		sudo := ctx.FormString("sudo")

  106. 		if len(sudo) == 0 {

  107. 			sudo = ctx.Req.Header.Get("Sudo")

  108. 		}

  109. 

  110. 		if len(sudo) > 0 {

  111. 			if ctx.IsSigned && ctx.Doer.IsAdmin {

  112. 				user, err := user_model.GetUserByName(ctx, sudo)

  113. 				if err != nil {

  114. 					if user_model.IsErrUserNotExist(err) {

  115. 						ctx.NotFound()

  116. 					} else {

  117. 						ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  118. 					}

  119. 					return

  120. 				}

  121. 				log.Trace("Sudo from (%s) to: %s", ctx.Doer.Name, user.Name)

  122. 				ctx.Doer = user

  123. 			} else {

  124. 				ctx.JSON(http.StatusForbidden, map[string]string{

  125. 					"message": "Only administrators allowed to sudo.",

  126. 				})

  127. 				return

  128. 			}

  129. 		}

  130. 	}

  131. }

  132. 

  133. func repoAssignment() func(ctx *context.APIContext) {

  134. 	return func(ctx *context.APIContext) {

  135. 		userName := ctx.Params("username")

  136. 		repoName := ctx.Params("reponame")

  137. 

  138. 		var (

  139. 			owner *user_model.User

  140. 			err   error

  141. 		)

  142. 

  143. 		// Check if the user is the same as the repository owner.

  144. 		if ctx.IsSigned && ctx.Doer.LowerName == strings.ToLower(userName) {

  145. 			owner = ctx.Doer

  146. 		} else {

  147. 			owner, err = user_model.GetUserByName(ctx, userName)

  148. 			if err != nil {

  149. 				if user_model.IsErrUserNotExist(err) {

  150. 					if redirectUserID, err := user_model.LookupUserRedirect(userName); err == nil {

  151. 						context.RedirectToUser(ctx.Context, userName, redirectUserID)

  152. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  153. 						ctx.NotFound("GetUserByName", err)

  154. 					} else {

  155. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  156. 					}

  157. 				} else {

  158. 					ctx.Error(http.StatusInternalServerError, "GetUserByName", err)

  159. 				}

  160. 				return

  161. 			}

  162. 		}

  163. 		ctx.Repo.Owner = owner

  164. 		ctx.ContextUser = owner

  165. 

  166. 		// Get repository.

  167. 		repo, err := repo_model.GetRepositoryByName(owner.ID, repoName)

  168. 		if err != nil {

  169. 			if repo_model.IsErrRepoNotExist(err) {

  170. 				redirectRepoID, err := repo_model.LookupRedirect(owner.ID, repoName)

  171. 				if err == nil {

  172. 					context.RedirectToRepo(ctx.Context, redirectRepoID)

  173. 				} else if repo_model.IsErrRedirectNotExist(err) {

  174. 					ctx.NotFound()

  175. 				} else {

  176. 					ctx.Error(http.StatusInternalServerError, "LookupRepoRedirect", err)

  177. 				}

  178. 			} else {

  179. 				ctx.Error(http.StatusInternalServerError, "GetRepositoryByName", err)

  180. 			}

  181. 			return

  182. 		}

  183. 

  184. 		repo.Owner = owner

  185. 		ctx.Repo.Repository = repo

  186. 

  187. 		ctx.Repo.Permission, err = access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)

  188. 		if err != nil {

  189. 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)

  190. 			return

  191. 		}

  192. 

  193. 		if !ctx.Repo.HasAccess() {

  194. 			ctx.NotFound()

  195. 			return

  196. 		}

  197. 	}

  198. }

  199. 

  200. func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.APIContext) {

  201. 	return func(ctx *context.APIContext) {

  202. 		if ctx.Package.AccessMode < accessMode && !ctx.IsUserSiteAdmin() {

  203. 			ctx.Error(http.StatusForbidden, "reqPackageAccess", "user should have specific permission or be a site admin")

  204. 			return

  205. 		}

  206. 	}

  207. }

  208. 

  209. // Contexter middleware already checks token for user sign in process.

  210. func reqToken(requiredScope auth_model.AccessTokenScope) func(ctx *context.APIContext) {

  211. 	return func(ctx *context.APIContext) {

  212. 		// If OAuth2 token is present

  213. 		if _, ok := ctx.Data["ApiTokenScope"]; ctx.Data["IsApiToken"] == true && ok {

  214. 			// no scope required

  215. 			if requiredScope == "" {

  216. 				return

  217. 			}

  218. 

  219. 			// check scope

  220. 			scope := ctx.Data["ApiTokenScope"].(auth_model.AccessTokenScope)

  221. 			allow, err := scope.HasScope(requiredScope)

  222. 			if err != nil {

  223. 				ctx.Error(http.StatusForbidden, "reqToken", "parsing token failed: "+err.Error())

  224. 				return

  225. 			}

  226. 			if allow {

  227. 				return

  228. 			}

  229. 

  230. 			// if requires 'repo' scope, but only has 'public_repo' scope, allow it only if the repo is public

  231. 			if requiredScope == auth_model.AccessTokenScopeRepo {

  232. 				if allowPublicRepo, err := scope.HasScope(auth_model.AccessTokenScopePublicRepo); err == nil && allowPublicRepo {

  233. 					if ctx.Repo.Repository != nil && !ctx.Repo.Repository.IsPrivate {

  234. 						return

  235. 					}

  236. 				}

  237. 			}

  238. 

  239. 			ctx.Error(http.StatusForbidden, "reqToken", "token does not have required scope: "+requiredScope)

  240. 			return

  241. 		}

  242. 		if ctx.Context.IsBasicAuth {

  243. 			ctx.CheckForOTP()

  244. 			return

  245. 		}

  246. 		if ctx.IsSigned {

  247. 			return

  248. 		}

  249. 		ctx.Error(http.StatusUnauthorized, "reqToken", "token is required")

  250. 	}

  251. }

  252. 

  253. func reqExploreSignIn() func(ctx *context.APIContext) {

  254. 	return func(ctx *context.APIContext) {

  255. 		if setting.Service.Explore.RequireSigninView && !ctx.IsSigned {

  256. 			ctx.Error(http.StatusUnauthorized, "reqExploreSignIn", "you must be signed in to search for users")

  257. 		}

  258. 	}

  259. }

  260. 

  261. func reqBasicAuth() func(ctx *context.APIContext) {

  262. 	return func(ctx *context.APIContext) {

  263. 		if !ctx.Context.IsBasicAuth {

  264. 			ctx.Error(http.StatusUnauthorized, "reqBasicAuth", "auth required")

  265. 			return

  266. 		}

  267. 		ctx.CheckForOTP()

  268. 	}

  269. }

  270. 

  271. // reqSiteAdmin user should be the site admin

  272. func reqSiteAdmin() func(ctx *context.APIContext) {

  273. 	return func(ctx *context.APIContext) {

  274. 		if !ctx.IsUserSiteAdmin() {

  275. 			ctx.Error(http.StatusForbidden, "reqSiteAdmin", "user should be the site admin")

  276. 			return

  277. 		}

  278. 	}

  279. }

  280. 

  281. // reqOwner user should be the owner of the repo or site admin.

  282. func reqOwner() func(ctx *context.APIContext) {

  283. 	return func(ctx *context.APIContext) {

  284. 		if !ctx.IsUserRepoOwner() && !ctx.IsUserSiteAdmin() {

  285. 			ctx.Error(http.StatusForbidden, "reqOwner", "user should be the owner of the repo")

  286. 			return

  287. 		}

  288. 	}

  289. }

  290. 

  291. // reqAdmin user should be an owner or a collaborator with admin write of a repository, or site admin

  292. func reqAdmin() func(ctx *context.APIContext) {

  293. 	return func(ctx *context.APIContext) {

  294. 		if !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  295. 			ctx.Error(http.StatusForbidden, "reqAdmin", "user should be an owner or a collaborator with admin write of a repository")

  296. 			return

  297. 		}

  298. 	}

  299. }

  300. 

  301. // reqRepoWriter user should have a permission to write to a repo, or be a site admin

  302. func reqRepoWriter(unitTypes ...unit.Type) func(ctx *context.APIContext) {

  303. 	return func(ctx *context.APIContext) {

  304. 		if !ctx.IsUserRepoWriter(unitTypes) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  305. 			ctx.Error(http.StatusForbidden, "reqRepoWriter", "user should have a permission to write to a repo")

  306. 			return

  307. 		}

  308. 	}

  309. }

  310. 

  311. // reqRepoBranchWriter user should have a permission to write to a branch, or be a site admin

  312. func reqRepoBranchWriter(ctx *context.APIContext) {

  313. 	options, ok := web.GetForm(ctx).(api.FileOptionInterface)

  314. 	if !ok || (!ctx.Repo.CanWriteToBranch(ctx.Doer, options.Branch()) && !ctx.IsUserSiteAdmin()) {

  315. 		ctx.Error(http.StatusForbidden, "reqRepoBranchWriter", "user should have a permission to write to this branch")

  316. 		return

  317. 	}

  318. }

  319. 

  320. // reqRepoReader user should have specific read permission or be a repo admin or a site admin

  321. func reqRepoReader(unitType unit.Type) func(ctx *context.APIContext) {

  322. 	return func(ctx *context.APIContext) {

  323. 		if !ctx.IsUserRepoReaderSpecific(unitType) && !ctx.IsUserRepoAdmin() && !ctx.IsUserSiteAdmin() {

  324. 			ctx.Error(http.StatusForbidden, "reqRepoReader", "user should have specific read permission or be a repo admin or a site admin")

  325. 			return

  326. 		}

  327. 	}

  328. }

  329. 

  330. // reqAnyRepoReader user should have any permission to read repository or permissions of site admin

  331. func reqAnyRepoReader() func(ctx *context.APIContext) {

  332. 	return func(ctx *context.APIContext) {

  333. 		if !ctx.IsUserRepoReaderAny() && !ctx.IsUserSiteAdmin() {

  334. 			ctx.Error(http.StatusForbidden, "reqAnyRepoReader", "user should have any permission to read repository or permissions of site admin")

  335. 			return

  336. 		}

  337. 	}

  338. }

  339. 

  340. // reqOrgOwnership user should be an organization owner, or a site admin

  341. func reqOrgOwnership() func(ctx *context.APIContext) {

  342. 	return func(ctx *context.APIContext) {

  343. 		if ctx.Context.IsUserSiteAdmin() {

  344. 			return

  345. 		}

  346. 

  347. 		var orgID int64

  348. 		if ctx.Org.Organization != nil {

  349. 			orgID = ctx.Org.Organization.ID

  350. 		} else if ctx.Org.Team != nil {

  351. 			orgID = ctx.Org.Team.OrgID

  352. 		} else {

  353. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgOwnership: unprepared context")

  354. 			return

  355. 		}

  356. 

  357. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  358. 		if err != nil {

  359. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  360. 			return

  361. 		} else if !isOwner {

  362. 			if ctx.Org.Organization != nil {

  363. 				ctx.Error(http.StatusForbidden, "", "Must be an organization owner")

  364. 			} else {

  365. 				ctx.NotFound()

  366. 			}

  367. 			return

  368. 		}

  369. 	}

  370. }

  371. 

  372. // reqTeamMembership user should be an team member, or a site admin

  373. func reqTeamMembership() func(ctx *context.APIContext) {

  374. 	return func(ctx *context.APIContext) {

  375. 		if ctx.Context.IsUserSiteAdmin() {

  376. 			return

  377. 		}

  378. 		if ctx.Org.Team == nil {

  379. 			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")

  380. 			return

  381. 		}

  382. 

  383. 		orgID := ctx.Org.Team.OrgID

  384. 		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)

  385. 		if err != nil {

  386. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)

  387. 			return

  388. 		} else if isOwner {

  389. 			return

  390. 		}

  391. 

  392. 		if isTeamMember, err := organization.IsTeamMember(ctx, orgID, ctx.Org.Team.ID, ctx.Doer.ID); err != nil {

  393. 			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)

  394. 			return

  395. 		} else if !isTeamMember {

  396. 			isOrgMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID)

  397. 			if err != nil {

  398. 				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  399. 			} else if isOrgMember {

  400. 				ctx.Error(http.StatusForbidden, "", "Must be a team member")

  401. 			} else {

  402. 				ctx.NotFound()

  403. 			}

  404. 			return

  405. 		}

  406. 	}

  407. }

  408. 

  409. // reqOrgMembership user should be an organization member, or a site admin

  410. func reqOrgMembership() func(ctx *context.APIContext) {

  411. 	return func(ctx *context.APIContext) {

  412. 		if ctx.Context.IsUserSiteAdmin() {

  413. 			return

  414. 		}

  415. 

  416. 		var orgID int64

  417. 		if ctx.Org.Organization != nil {

  418. 			orgID = ctx.Org.Organization.ID

  419. 		} else if ctx.Org.Team != nil {

  420. 			orgID = ctx.Org.Team.OrgID

  421. 		} else {

  422. 			ctx.Error(http.StatusInternalServerError, "", "reqOrgMembership: unprepared context")

  423. 			return

  424. 		}

  425. 

  426. 		if isMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID); err != nil {

  427. 			ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)

  428. 			return

  429. 		} else if !isMember {

  430. 			if ctx.Org.Organization != nil {

  431. 				ctx.Error(http.StatusForbidden, "", "Must be an organization member")

  432. 			} else {

  433. 				ctx.NotFound()

  434. 			}

  435. 			return

  436. 		}

  437. 	}

  438. }

  439. 

  440. func reqGitHook() func(ctx *context.APIContext) {

  441. 	return func(ctx *context.APIContext) {

  442. 		if !ctx.Doer.CanEditGitHook() {

  443. 			ctx.Error(http.StatusForbidden, "", "must be allowed to edit Git hooks")

  444. 			return

  445. 		}

  446. 	}

  447. }

  448. 

  449. // reqWebhooksEnabled requires webhooks to be enabled by admin.

  450. func reqWebhooksEnabled() func(ctx *context.APIContext) {

  451. 	return func(ctx *context.APIContext) {

  452. 		if setting.DisableWebhooks {

  453. 			ctx.Error(http.StatusForbidden, "", "webhooks disabled by administrator")

  454. 			return

  455. 		}

  456. 	}

  457. }

  458. 

  459. func orgAssignment(args ...bool) func(ctx *context.APIContext) {

  460. 	var (

  461. 		assignOrg  bool

  462. 		assignTeam bool

  463. 	)

  464. 	if len(args) > 0 {

  465. 		assignOrg = args[0]

  466. 	}

  467. 	if len(args) > 1 {

  468. 		assignTeam = args[1]

  469. 	}

  470. 	return func(ctx *context.APIContext) {

  471. 		ctx.Org = new(context.APIOrganization)

  472. 

  473. 		var err error

  474. 		if assignOrg {

  475. 			ctx.Org.Organization, err = organization.GetOrgByName(ctx.Params(":org"))

  476. 			if err != nil {

  477. 				if organization.IsErrOrgNotExist(err) {

  478. 					redirectUserID, err := user_model.LookupUserRedirect(ctx.Params(":org"))

  479. 					if err == nil {

  480. 						context.RedirectToUser(ctx.Context, ctx.Params(":org"), redirectUserID)

  481. 					} else if user_model.IsErrUserRedirectNotExist(err) {

  482. 						ctx.NotFound("GetOrgByName", err)

  483. 					} else {

  484. 						ctx.Error(http.StatusInternalServerError, "LookupUserRedirect", err)

  485. 					}

  486. 				} else {

  487. 					ctx.Error(http.StatusInternalServerError, "GetOrgByName", err)

  488. 				}

  489. 				return

  490. 			}

  491. 			ctx.ContextUser = ctx.Org.Organization.AsUser()

  492. 		}

  493. 

  494. 		if assignTeam {

  495. 			ctx.Org.Team, err = organization.GetTeamByID(ctx, ctx.ParamsInt64(":teamid"))

  496. 			if err != nil {

  497. 				if organization.IsErrTeamNotExist(err) {

  498. 					ctx.NotFound()

  499. 				} else {

  500. 					ctx.Error(http.StatusInternalServerError, "GetTeamById", err)

  501. 				}

  502. 				return

  503. 			}

  504. 		}

  505. 	}

  506. }

  507. 

  508. func mustEnableIssues(ctx *context.APIContext) {

  509. 	if !ctx.Repo.CanRead(unit.TypeIssues) {

  510. 		if log.IsTrace() {

  511. 			if ctx.IsSigned {

  512. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  513. 					"User in Repo has Permissions: %-+v",

  514. 					ctx.Doer,

  515. 					unit.TypeIssues,

  516. 					ctx.Repo.Repository,

  517. 					ctx.Repo.Permission)

  518. 			} else {

  519. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  520. 					"Anonymous user in Repo has Permissions: %-+v",

  521. 					unit.TypeIssues,

  522. 					ctx.Repo.Repository,

  523. 					ctx.Repo.Permission)

  524. 			}

  525. 		}

  526. 		ctx.NotFound()

  527. 		return

  528. 	}

  529. }

  530. 

  531. func mustAllowPulls(ctx *context.APIContext) {

  532. 	if !(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  533. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  534. 			if ctx.IsSigned {

  535. 				log.Trace("Permission Denied: User %-v cannot read %-v in Repo %-v\n"+

  536. 					"User in Repo has Permissions: %-+v",

  537. 					ctx.Doer,

  538. 					unit.TypePullRequests,

  539. 					ctx.Repo.Repository,

  540. 					ctx.Repo.Permission)

  541. 			} else {

  542. 				log.Trace("Permission Denied: Anonymous user cannot read %-v in Repo %-v\n"+

  543. 					"Anonymous user in Repo has Permissions: %-+v",

  544. 					unit.TypePullRequests,

  545. 					ctx.Repo.Repository,

  546. 					ctx.Repo.Permission)

  547. 			}

  548. 		}

  549. 		ctx.NotFound()

  550. 		return

  551. 	}

  552. }

  553. 

  554. func mustEnableIssuesOrPulls(ctx *context.APIContext) {

  555. 	if !ctx.Repo.CanRead(unit.TypeIssues) &&

  556. 		!(ctx.Repo.Repository.CanEnablePulls() && ctx.Repo.CanRead(unit.TypePullRequests)) {

  557. 		if ctx.Repo.Repository.CanEnablePulls() && log.IsTrace() {

  558. 			if ctx.IsSigned {

  559. 				log.Trace("Permission Denied: User %-v cannot read %-v and %-v in Repo %-v\n"+

  560. 					"User in Repo has Permissions: %-+v",

  561. 					ctx.Doer,

  562. 					unit.TypeIssues,

  563. 					unit.TypePullRequests,

  564. 					ctx.Repo.Repository,

  565. 					ctx.Repo.Permission)

  566. 			} else {

  567. 				log.Trace("Permission Denied: Anonymous user cannot read %-v and %-v in Repo %-v\n"+

  568. 					"Anonymous user in Repo has Permissions: %-+v",

  569. 					unit.TypeIssues,

  570. 					unit.TypePullRequests,

  571. 					ctx.Repo.Repository,

  572. 					ctx.Repo.Permission)

  573. 			}

  574. 		}

  575. 		ctx.NotFound()

  576. 		return

  577. 	}

  578. }

  579. 

  580. func mustEnableWiki(ctx *context.APIContext) {

  581. 	if !(ctx.Repo.CanRead(unit.TypeWiki)) {

  582. 		ctx.NotFound()

  583. 		return

  584. 	}

  585. }

  586. 

  587. func mustNotBeArchived(ctx *context.APIContext) {

  588. 	if ctx.Repo.Repository.IsArchived {

  589. 		ctx.NotFound()

  590. 		return

  591. 	}

  592. }

  593. 

  594. func mustEnableAttachments(ctx *context.APIContext) {

  595. 	if !setting.Attachment.Enabled {

  596. 		ctx.NotFound()

  597. 		return

  598. 	}

  599. }

  600. 

  601. // bind binding an obj to a func(ctx *context.APIContext)

  602. func bind[T any](obj T) http.HandlerFunc {

  603. 	return web.Wrap(func(ctx *context.APIContext) {

  604. 		theObj := new(T) // create a new form obj for every request but not use obj directly

  605. 		errs := binding.Bind(ctx.Req, theObj)

  606. 		if len(errs) > 0 {

  607. 			ctx.Error(http.StatusUnprocessableEntity, "validationError", fmt.Sprintf("%s: %s", errs[0].FieldNames, errs[0].Error()))

  608. 			return

  609. 		}

  610. 		web.SetForm(ctx, theObj)

  611. 	})

  612. }

  613. 

  614. // The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored

  615. // in the session (if there is a user id stored in session other plugins might return the user

  616. // object for that id).

  617. //

  618. // The Session plugin is expected to be executed second, in order to skip authentication

  619. // for users that have already signed in.

  620. func buildAuthGroup() *auth.Group {

  621. 	group := auth.NewGroup(

  622. 		&auth.OAuth2{},

  623. 		&auth.HTTPSign{},

  624. 		&auth.Basic{}, // FIXME: this should be removed once we don't allow basic auth in API

  625. 	)

  626. 	specialAdd(group)

  627. 

  628. 	return group

  629. }

  630. 

  631. // Routes registers all v1 APIs routes to web application.

  632. func Routes(ctx gocontext.Context) *web.Route {

  633. 	m := web.NewRoute()

  634. 

  635. 	m.Use(securityHeaders())

  636. 	if setting.CORSConfig.Enabled {

  637. 		m.Use(cors.Handler(cors.Options{

  638. 			// Scheme:           setting.CORSConfig.Scheme, // FIXME: the cors middleware needs scheme option

  639. 			AllowedOrigins: setting.CORSConfig.AllowDomain,

  640. 			// setting.CORSConfig.AllowSubdomain // FIXME: the cors middleware needs allowSubdomain option

  641. 			AllowedMethods:   setting.CORSConfig.Methods,

  642. 			AllowCredentials: setting.CORSConfig.AllowCredentials,

  643. 			AllowedHeaders:   append([]string{"Authorization", "X-Gitea-OTP"}, setting.CORSConfig.Headers...),

  644. 			MaxAge:           int(setting.CORSConfig.MaxAge.Seconds()),

  645. 		}))

  646. 	}

  647. 	m.Use(context.APIContexter())

  648. 

  649. 	group := buildAuthGroup()

  650. 	if err := group.Init(ctx); err != nil {

  651. 		log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)

  652. 	}

  653. 

  654. 	// Get user from session if logged in.

  655. 	m.Use(context.APIAuth(group))

  656. 

  657. 	m.Use(context.ToggleAPI(&context.ToggleOptions{

  658. 		SignInRequired: setting.Service.RequireSignInView,

  659. 	}))

  660. 

  661. 	m.Group("", func() {

  662. 		// Miscellaneous (no scope required)

  663. 		if setting.API.EnableSwagger {

  664. 			m.Get("/swagger", func(ctx *context.APIContext) {

  665. 				ctx.Redirect(setting.AppSubURL + "/api/swagger")

  666. 			})

  667. 		}

  668. 		m.Get("/version", misc.Version)

  669. 		if setting.Federation.Enabled {

  670. 			m.Get("/nodeinfo", misc.NodeInfo)

  671. 			m.Group("/activitypub", func() {

  672. 				m.Group("/user/{username}", func() {

  673. 					m.Get("", activitypub.Person)

  674. 					m.Post("/inbox", activitypub.ReqHTTPSignature(), activitypub.PersonInbox)

  675. 				}, context_service.UserAssignmentAPI())

  676. 			})

  677. 		}

  678. 		m.Get("/signing-key.gpg", misc.SigningKey)

  679. 		m.Post("/markdown", bind(api.MarkdownOption{}), misc.Markdown)

  680. 		m.Post("/markdown/raw", misc.MarkdownRaw)

  681. 		m.Group("/settings", func() {

  682. 			m.Get("/ui", settings.GetGeneralUISettings)

  683. 			m.Get("/api", settings.GetGeneralAPISettings)

  684. 			m.Get("/attachment", settings.GetGeneralAttachmentSettings)

  685. 			m.Get("/repository", settings.GetGeneralRepoSettings)

  686. 		})

  687. 

  688. 		// Notifications (requires 'notification' scope)

  689. 		m.Group("/notifications", func() {

  690. 			m.Combo("").

  691. 				Get(notify.ListNotifications).

  692. 				Put(notify.ReadNotifications)

  693. 			m.Get("/new", notify.NewAvailable)

  694. 			m.Combo("/threads/{id}").

  695. 				Get(notify.GetThread).

  696. 				Patch(notify.ReadThread)

  697. 		}, reqToken(auth_model.AccessTokenScopeNotification))

  698. 

  699. 		// Users (no scope required)

  700. 		m.Group("/users", func() {

  701. 			m.Get("/search", reqExploreSignIn(), user.Search)

  702. 

  703. 			m.Group("/{username}", func() {

  704. 				m.Get("", reqExploreSignIn(), user.GetInfo)

  705. 

  706. 				if setting.Service.EnableUserHeatmap {

  707. 					m.Get("/heatmap", user.GetUserHeatmapData)

  708. 				}

  709. 

  710. 				m.Get("/repos", reqExploreSignIn(), user.ListUserRepos)

  711. 				m.Group("/tokens", func() {

  712. 					m.Combo("").Get(user.ListAccessTokens).

  713. 						Post(bind(api.CreateAccessTokenOption{}), user.CreateAccessToken)

  714. 					m.Combo("/{id}").Delete(user.DeleteAccessToken)

  715. 				}, reqBasicAuth())

  716. 			}, context_service.UserAssignmentAPI())

  717. 		})

  718. 

  719. 		// (no scope required)

  720. 		m.Group("/users", func() {

  721. 			m.Group("/{username}", func() {

  722. 				m.Get("/keys", user.ListPublicKeys)

  723. 				m.Get("/gpg_keys", user.ListGPGKeys)

  724. 

  725. 				m.Get("/followers", user.ListFollowers)

  726. 				m.Group("/following", func() {

  727. 					m.Get("", user.ListFollowing)

  728. 					m.Get("/{target}", user.CheckFollowing)

  729. 				})

  730. 

  731. 				m.Get("/starred", user.GetStarredRepos)

  732. 

  733. 				m.Get("/subscriptions", user.GetWatchedRepos)

  734. 			}, context_service.UserAssignmentAPI())

  735. 		}, reqToken(""))

  736. 

  737. 		m.Group("/user", func() {

  738. 			m.Get("", user.GetAuthenticatedUser)

  739. 			m.Group("/settings", func() {

  740. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadUser), user.GetUserSettings)

  741. 				m.Patch("", reqToken(auth_model.AccessTokenScopeUser), bind(api.UserSettingsOptions{}), user.UpdateUserSettings)

  742. 			})

  743. 			m.Combo("/emails").Get(reqToken(auth_model.AccessTokenScopeReadUser), user.ListEmails).

  744. 				Post(reqToken(auth_model.AccessTokenScopeUser), bind(api.CreateEmailOption{}), user.AddEmail).

  745. 				Delete(reqToken(auth_model.AccessTokenScopeUser), bind(api.DeleteEmailOption{}), user.DeleteEmail)

  746. 

  747. 			m.Get("/followers", user.ListMyFollowers)

  748. 			m.Group("/following", func() {

  749. 				m.Get("", user.ListMyFollowing)

  750. 				m.Group("/{username}", func() {

  751. 					m.Get("", user.CheckMyFollowing)

  752. 					m.Put("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Follow)      // requires 'user:follow' scope

  753. 					m.Delete("", reqToken(auth_model.AccessTokenScopeUserFollow), user.Unfollow) // requires 'user:follow' scope

  754. 				}, context_service.UserAssignmentAPI())

  755. 			})

  756. 

  757. 			// (admin:public_key scope)

  758. 			m.Group("/keys", func() {

  759. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.ListMyPublicKeys).

  760. 					Post(reqToken(auth_model.AccessTokenScopeWritePublicKey), bind(api.CreateKeyOption{}), user.CreatePublicKey)

  761. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadPublicKey), user.GetPublicKey).

  762. 					Delete(reqToken(auth_model.AccessTokenScopeWritePublicKey), user.DeletePublicKey)

  763. 			})

  764. 

  765. 			// (admin:application scope)

  766. 			m.Group("/applications", func() {

  767. 				m.Combo("/oauth2").

  768. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.ListOauth2Applications).

  769. 					Post(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.CreateOauth2Application)

  770. 				m.Combo("/oauth2/{id}").

  771. 					Delete(reqToken(auth_model.AccessTokenScopeWriteApplication), user.DeleteOauth2Application).

  772. 					Patch(reqToken(auth_model.AccessTokenScopeWriteApplication), bind(api.CreateOAuth2ApplicationOptions{}), user.UpdateOauth2Application).

  773. 					Get(reqToken(auth_model.AccessTokenScopeReadApplication), user.GetOauth2Application)

  774. 			})

  775. 

  776. 			// (admin:gpg_key scope)

  777. 			m.Group("/gpg_keys", func() {

  778. 				m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.ListMyGPGKeys).

  779. 					Post(reqToken(auth_model.AccessTokenScopeWriteGPGKey), bind(api.CreateGPGKeyOption{}), user.CreateGPGKey)

  780. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetGPGKey).

  781. 					Delete(reqToken(auth_model.AccessTokenScopeWriteGPGKey), user.DeleteGPGKey)

  782. 			})

  783. 			m.Get("/gpg_key_token", reqToken(auth_model.AccessTokenScopeReadGPGKey), user.GetVerificationToken)

  784. 			m.Post("/gpg_key_verify", reqToken(auth_model.AccessTokenScopeReadGPGKey), bind(api.VerifyGPGKeyOption{}), user.VerifyUserGPGKey)

  785. 

  786. 			// (repo scope)

  787. 			m.Combo("/repos", reqToken(auth_model.AccessTokenScopeRepo)).Get(user.ListMyRepos).

  788. 				Post(bind(api.CreateRepoOption{}), repo.Create)

  789. 

  790. 			// (repo scope)

  791. 			m.Group("/starred", func() {

  792. 				m.Get("", user.GetMyStarredRepos)

  793. 				m.Group("/{username}/{reponame}", func() {

  794. 					m.Get("", user.IsStarring)

  795. 					m.Put("", user.Star)

  796. 					m.Delete("", user.Unstar)

  797. 				}, repoAssignment())

  798. 			}, reqToken(auth_model.AccessTokenScopeRepo))

  799. 			m.Get("/times", reqToken(auth_model.AccessTokenScopeRepo), repo.ListMyTrackedTimes)

  800. 			m.Get("/stopwatches", reqToken(auth_model.AccessTokenScopeRepo), repo.GetStopwatches)

  801. 			m.Get("/subscriptions", reqToken(auth_model.AccessTokenScopeRepo), user.GetMyWatchedRepos)

  802. 			m.Get("/teams", reqToken(auth_model.AccessTokenScopeRepo), org.ListUserTeams)

  803. 		}, reqToken(""))

  804. 

  805. 		// Repositories

  806. 		m.Post("/org/{org}/repos", reqToken(auth_model.AccessTokenScopeAdminOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepoDeprecated)

  807. 

  808. 		m.Combo("/repositories/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Get(repo.GetByID)

  809. 

  810. 		m.Group("/repos", func() {

  811. 			m.Get("/search", repo.Search)

  812. 

  813. 			m.Get("/issues/search", repo.SearchIssues)

  814. 

  815. 			// (repo scope)

  816. 			m.Post("/migrate", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MigrateRepoOptions{}), repo.Migrate)

  817. 

  818. 			m.Group("/{username}/{reponame}", func() {

  819. 				m.Combo("").Get(reqAnyRepoReader(), repo.Get).

  820. 					Delete(reqToken(auth_model.AccessTokenScopeDeleteRepo), reqOwner(), repo.Delete).

  821. 					Patch(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.EditRepoOption{}), repo.Edit)

  822. 				m.Post("/generate", reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.GenerateRepoOption{}), repo.Generate)

  823. 				m.Group("/transfer", func() {

  824. 					m.Post("", reqOwner(), bind(api.TransferRepoOption{}), repo.Transfer)

  825. 					m.Post("/accept", repo.AcceptTransfer)

  826. 					m.Post("/reject", repo.RejectTransfer)

  827. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  828. 				m.Combo("/notifications", reqToken(auth_model.AccessTokenScopeNotification)).

  829. 					Get(notify.ListRepoNotifications).

  830. 					Put(notify.ReadRepoNotifications)

  831. 				m.Group("/hooks/git", func() {

  832. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListGitHooks)

  833. 					m.Group("/{id}", func() {

  834. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetGitHook).

  835. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditGitHookOption{}), repo.EditGitHook).

  836. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteGitHook)

  837. 					})

  838. 				}, reqAdmin(), reqGitHook(), context.ReferencesGitRepo(true))

  839. 				m.Group("/hooks", func() {

  840. 					m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.ListHooks).

  841. 						Post(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.CreateHookOption{}), repo.CreateHook)

  842. 					m.Group("/{id}", func() {

  843. 						m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadRepoHook), repo.GetHook).

  844. 							Patch(reqToken(auth_model.AccessTokenScopeWriteRepoHook), bind(api.EditHookOption{}), repo.EditHook).

  845. 							Delete(reqToken(auth_model.AccessTokenScopeWriteRepoHook), repo.DeleteHook)

  846. 						m.Post("/tests", reqToken(auth_model.AccessTokenScopeReadRepoHook), context.ReferencesGitRepo(), context.RepoRefForAPI, repo.TestHook)

  847. 					})

  848. 				}, reqAdmin(), reqWebhooksEnabled())

  849. 				m.Group("/collaborators", func() {

  850. 					m.Get("", reqAnyRepoReader(), repo.ListCollaborators)

  851. 					m.Group("/{collaborator}", func() {

  852. 						m.Combo("").Get(reqAnyRepoReader(), repo.IsCollaborator).

  853. 							Put(reqAdmin(), bind(api.AddCollaboratorOption{}), repo.AddCollaborator).

  854. 							Delete(reqAdmin(), repo.DeleteCollaborator)

  855. 						m.Get("/permission", repo.GetRepoPermissions)

  856. 					})

  857. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  858. 				m.Get("/assignees", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetAssignees)

  859. 				m.Get("/reviewers", reqToken(auth_model.AccessTokenScopeRepo), reqAnyRepoReader(), repo.GetReviewers)

  860. 				m.Group("/teams", func() {

  861. 					m.Get("", reqAnyRepoReader(), repo.ListTeams)

  862. 					m.Combo("/{team}").Get(reqAnyRepoReader(), repo.IsTeam).

  863. 						Put(reqAdmin(), repo.AddTeam).

  864. 						Delete(reqAdmin(), repo.DeleteTeam)

  865. 				}, reqToken(auth_model.AccessTokenScopeRepo))

  866. 				m.Get("/raw/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFile)

  867. 				m.Get("/media/*", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetRawFileOrLFS)

  868. 				m.Get("/archive/*", reqRepoReader(unit.TypeCode), repo.GetArchive)

  869. 				m.Combo("/forks").Get(repo.ListForks).

  870. 					Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoReader(unit.TypeCode), bind(api.CreateForkOption{}), repo.CreateFork)

  871. 				m.Group("/branches", func() {

  872. 					m.Get("", repo.ListBranches)

  873. 					m.Get("/*", repo.GetBranch)

  874. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.DeleteBranch)

  875. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateBranchRepoOption{}), repo.CreateBranch)

  876. 				}, context.ReferencesGitRepo(), reqRepoReader(unit.TypeCode))

  877. 				m.Group("/branch_protections", func() {

  878. 					m.Get("", repo.ListBranchProtections)

  879. 					m.Post("", bind(api.CreateBranchProtectionOption{}), repo.CreateBranchProtection)

  880. 					m.Group("/{name}", func() {

  881. 						m.Get("", repo.GetBranchProtection)

  882. 						m.Patch("", bind(api.EditBranchProtectionOption{}), repo.EditBranchProtection)

  883. 						m.Delete("", repo.DeleteBranchProtection)

  884. 					})

  885. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  886. 				m.Group("/tags", func() {

  887. 					m.Get("", repo.ListTags)

  888. 					m.Get("/*", repo.GetTag)

  889. 					m.Post("", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), bind(api.CreateTagOption{}), repo.CreateTag)

  890. 					m.Delete("/*", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTag)

  891. 				}, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo(true))

  892. 				m.Group("/keys", func() {

  893. 					m.Combo("").Get(repo.ListDeployKeys).

  894. 						Post(bind(api.CreateKeyOption{}), repo.CreateDeployKey)

  895. 					m.Combo("/{id}").Get(repo.GetDeployKey).

  896. 						Delete(repo.DeleteDeploykey)

  897. 				}, reqToken(auth_model.AccessTokenScopeRepo), reqAdmin())

  898. 				m.Group("/times", func() {

  899. 					m.Combo("").Get(repo.ListTrackedTimesByRepository)

  900. 					m.Combo("/{timetrackingusername}").Get(repo.ListTrackedTimesByUser)

  901. 				}, mustEnableIssues, reqToken(auth_model.AccessTokenScopeRepo))

  902. 				m.Group("/wiki", func() {

  903. 					m.Combo("/page/{pageName}").

  904. 						Get(repo.GetWikiPage).

  905. 						Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.EditWikiPage).

  906. 						Delete(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), repo.DeleteWikiPage)

  907. 					m.Get("/revisions/{pageName}", repo.ListPageRevisions)

  908. 					m.Post("/new", mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)

  909. 					m.Get("/pages", repo.ListWikiPages)

  910. 				}, mustEnableWiki)

  911. 				m.Group("/issues", func() {

  912. 					m.Combo("").Get(repo.ListIssues).

  913. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueOption{}), repo.CreateIssue)

  914. 					m.Group("/comments", func() {

  915. 						m.Get("", repo.ListRepoIssueComments)

  916. 						m.Group("/{id}", func() {

  917. 							m.Combo("").

  918. 								Get(repo.GetIssueComment).

  919. 								Patch(mustNotBeArchived, reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueCommentOption{}), repo.EditIssueComment).

  920. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueComment)

  921. 							m.Combo("/reactions").

  922. 								Get(repo.GetIssueCommentReactions).

  923. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueCommentReaction).

  924. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueCommentReaction)

  925. 							m.Group("/assets", func() {

  926. 								m.Combo("").

  927. 									Get(repo.ListIssueCommentAttachments).

  928. 									Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueCommentAttachment)

  929. 								m.Combo("/{asset}").

  930. 									Get(repo.GetIssueCommentAttachment).

  931. 									Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueCommentAttachment).

  932. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueCommentAttachment)

  933. 							}, mustEnableAttachments)

  934. 						})

  935. 					})

  936. 					m.Group("/{index}", func() {

  937. 						m.Combo("").Get(repo.GetIssue).

  938. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditIssueOption{}), repo.EditIssue).

  939. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), context.ReferencesGitRepo(), repo.DeleteIssue)

  940. 						m.Group("/comments", func() {

  941. 							m.Combo("").Get(repo.ListIssueComments).

  942. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

  943. 							m.Combo("/{id}", reqToken(auth_model.AccessTokenScopeRepo)).Patch(bind(api.EditIssueCommentOption{}), repo.EditIssueCommentDeprecated).

  944. 								Delete(repo.DeleteIssueCommentDeprecated)

  945. 						})

  946. 						m.Get("/timeline", repo.ListIssueCommentsAndTimeline)

  947. 						m.Group("/labels", func() {

  948. 							m.Combo("").Get(repo.ListIssueLabels).

  949. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.AddIssueLabels).

  950. 								Put(reqToken(auth_model.AccessTokenScopeRepo), bind(api.IssueLabelsOption{}), repo.ReplaceIssueLabels).

  951. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.ClearIssueLabels)

  952. 							m.Delete("/{id}", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueLabel)

  953. 						})

  954. 						m.Group("/times", func() {

  955. 							m.Combo("").

  956. 								Get(repo.ListTrackedTimes).

  957. 								Post(bind(api.AddTimeOption{}), repo.AddTime).

  958. 								Delete(repo.ResetIssueTime)

  959. 							m.Delete("/{id}", repo.DeleteTime)

  960. 						}, reqToken(auth_model.AccessTokenScopeRepo))

  961. 						m.Combo("/deadline").Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditDeadlineOption{}), repo.UpdateIssueDeadline)

  962. 						m.Group("/stopwatch", func() {

  963. 							m.Post("/start", reqToken(auth_model.AccessTokenScopeRepo), repo.StartIssueStopwatch)

  964. 							m.Post("/stop", reqToken(auth_model.AccessTokenScopeRepo), repo.StopIssueStopwatch)

  965. 							m.Delete("/delete", reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteIssueStopwatch)

  966. 						})

  967. 						m.Group("/subscriptions", func() {

  968. 							m.Get("", repo.GetIssueSubscribers)

  969. 							m.Get("/check", reqToken(auth_model.AccessTokenScopeRepo), repo.CheckIssueSubscription)

  970. 							m.Put("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.AddIssueSubscription)

  971. 							m.Delete("/{user}", reqToken(auth_model.AccessTokenScopeRepo), repo.DelIssueSubscription)

  972. 						})

  973. 						m.Combo("/reactions").

  974. 							Get(repo.GetIssueReactions).

  975. 							Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.PostIssueReaction).

  976. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditReactionOption{}), repo.DeleteIssueReaction)

  977. 						m.Group("/assets", func() {

  978. 							m.Combo("").

  979. 								Get(repo.ListIssueAttachments).

  980. 								Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CreateIssueAttachment)

  981. 							m.Combo("/{asset}").

  982. 								Get(repo.GetIssueAttachment).

  983. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.EditAttachmentOptions{}), repo.EditIssueAttachment).

  984. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.DeleteIssueAttachment)

  985. 						}, mustEnableAttachments)

  986. 					})

  987. 				}, mustEnableIssuesOrPulls)

  988. 				m.Group("/labels", func() {

  989. 					m.Combo("").Get(repo.ListLabels).

  990. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateLabelOption{}), repo.CreateLabel)

  991. 					m.Combo("/{id}").Get(repo.GetLabel).

  992. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditLabelOption{}), repo.EditLabel).

  993. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteLabel)

  994. 				})

  995. 				m.Post("/markdown", reqToken(auth_model.AccessTokenScopeRepo), bind(api.MarkdownOption{}), misc.Markdown)

  996. 				m.Post("/markdown/raw", reqToken(auth_model.AccessTokenScopeRepo), misc.MarkdownRaw)

  997. 				m.Group("/milestones", func() {

  998. 					m.Combo("").Get(repo.ListMilestones).

  999. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.CreateMilestoneOption{}), repo.CreateMilestone)

  1000. 					m.Combo("/{id}").Get(repo.GetMilestone).

  1001. 						Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).

  1002. 						Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)

  1003. 				})

  1004. 				m.Get("/stargazers", repo.ListStargazers)

  1005. 				m.Get("/subscribers", repo.ListSubscribers)

  1006. 				m.Group("/subscription", func() {

  1007. 					m.Get("", user.IsWatching)

  1008. 					m.Put("", reqToken(auth_model.AccessTokenScopeRepo), user.Watch)

  1009. 					m.Delete("", reqToken(auth_model.AccessTokenScopeRepo), user.Unwatch)

  1010. 				})

  1011. 				m.Group("/releases", func() {

  1012. 					m.Combo("").Get(repo.ListReleases).

  1013. 						Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.CreateReleaseOption{}), repo.CreateRelease)

  1014. 					m.Group("/{id}", func() {

  1015. 						m.Combo("").Get(repo.GetRelease).

  1016. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), context.ReferencesGitRepo(), bind(api.EditReleaseOption{}), repo.EditRelease).

  1017. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteRelease)

  1018. 						m.Group("/assets", func() {

  1019. 							m.Combo("").Get(repo.ListReleaseAttachments).

  1020. 								Post(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.CreateReleaseAttachment)

  1021. 							m.Combo("/{asset}").Get(repo.GetReleaseAttachment).

  1022. 								Patch(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), bind(api.EditAttachmentOptions{}), repo.EditReleaseAttachment).

  1023. 								Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseAttachment)

  1024. 						})

  1025. 					})

  1026. 					m.Group("/tags", func() {

  1027. 						m.Combo("/{tag}").

  1028. 							Get(repo.GetReleaseByTag).

  1029. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeReleases), repo.DeleteReleaseByTag)

  1030. 					})

  1031. 				}, reqRepoReader(unit.TypeReleases))

  1032. 				m.Post("/mirror-sync", reqToken(auth_model.AccessTokenScopeRepo), reqRepoWriter(unit.TypeCode), repo.MirrorSync)

  1033. 				m.Post("/push_mirrors-sync", reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo), repo.PushMirrorSync)

  1034. 				m.Group("/push_mirrors", func() {

  1035. 					m.Combo("").Get(repo.ListPushMirrors).

  1036. 						Post(bind(api.CreatePushMirrorOption{}), repo.AddPushMirror)

  1037. 					m.Combo("/{name}").

  1038. 						Delete(repo.DeletePushMirrorByRemoteName).

  1039. 						Get(repo.GetPushMirrorByName)

  1040. 				}, reqAdmin(), reqToken(auth_model.AccessTokenScopeRepo))

  1041. 

  1042. 				m.Get("/editorconfig/{filename}", context.ReferencesGitRepo(), context.RepoRefForAPI, reqRepoReader(unit.TypeCode), repo.GetEditorconfig)

  1043. 				m.Group("/pulls", func() {

  1044. 					m.Combo("").Get(repo.ListPullRequests).

  1045. 						Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(api.CreatePullRequestOption{}), repo.CreatePullRequest)

  1046. 					m.Group("/{index}", func() {

  1047. 						m.Combo("").Get(repo.GetPullRequest).

  1048. 							Patch(reqToken(auth_model.AccessTokenScopeRepo), bind(api.EditPullRequestOption{}), repo.EditPullRequest)

  1049. 						m.Get(".{diffType:diff|patch}", repo.DownloadPullDiffOrPatch)

  1050. 						m.Post("/update", reqToken(auth_model.AccessTokenScopeRepo), repo.UpdatePullRequest)

  1051. 						m.Get("/commits", repo.GetPullRequestCommits)

  1052. 						m.Get("/files", repo.GetPullRequestFiles)

  1053. 						m.Combo("/merge").Get(repo.IsPullRequestMerged).

  1054. 							Post(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, bind(forms.MergePullRequestForm{}), repo.MergePullRequest).

  1055. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), mustNotBeArchived, repo.CancelScheduledAutoMerge)

  1056. 						m.Group("/reviews", func() {

  1057. 							m.Combo("").

  1058. 								Get(repo.ListPullReviews).

  1059. 								Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.CreatePullReviewOptions{}), repo.CreatePullReview)

  1060. 							m.Group("/{id}", func() {

  1061. 								m.Combo("").

  1062. 									Get(repo.GetPullReview).

  1063. 									Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeletePullReview).

  1064. 									Post(reqToken(auth_model.AccessTokenScopeRepo), bind(api.SubmitPullReviewOptions{}), repo.SubmitPullReview)

  1065. 								m.Combo("/comments").

  1066. 									Get(repo.GetPullReviewComments)

  1067. 								m.Post("/dismissals", reqToken(auth_model.AccessTokenScopeRepo), bind(api.DismissPullReviewOptions{}), repo.DismissPullReview)

  1068. 								m.Post("/undismissals", reqToken(auth_model.AccessTokenScopeRepo), repo.UnDismissPullReview)

  1069. 							})

  1070. 						})

  1071. 						m.Combo("/requested_reviewers", reqToken(auth_model.AccessTokenScopeRepo)).

  1072. 							Delete(bind(api.PullReviewRequestOptions{}), repo.DeleteReviewRequests).

  1073. 							Post(bind(api.PullReviewRequestOptions{}), repo.CreateReviewRequests)

  1074. 					})

  1075. 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())

  1076. 				m.Group("/statuses", func() {

  1077. 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).

  1078. 						Post(reqToken(auth_model.AccessTokenScopeRepoStatus), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)

  1079. 				}, reqRepoReader(unit.TypeCode))

  1080. 				m.Group("/commits", func() {

  1081. 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)

  1082. 					m.Group("/{ref}", func() {

  1083. 						m.Get("/status", repo.GetCombinedCommitStatusByRef)

  1084. 						m.Get("/statuses", repo.GetCommitStatusesByRef)

  1085. 					}, context.ReferencesGitRepo())

  1086. 				}, reqRepoReader(unit.TypeCode))

  1087. 				m.Group("/git", func() {

  1088. 					m.Group("/commits", func() {

  1089. 						m.Get("/{sha}", repo.GetSingleCommit)

  1090. 						m.Get("/{sha}.{diffType:diff|patch}", repo.DownloadCommitDiffOrPatch)

  1091. 					})

  1092. 					m.Get("/refs", repo.GetGitAllRefs)

  1093. 					m.Get("/refs/*", repo.GetGitRefs)

  1094. 					m.Get("/trees/{sha}", repo.GetTree)

  1095. 					m.Get("/blobs/{sha}", repo.GetBlob)

  1096. 					m.Get("/tags/{sha}", repo.GetAnnotatedTag)

  1097. 					m.Get("/notes/{sha}", repo.GetNote)

  1098. 				}, context.ReferencesGitRepo(true), reqRepoReader(unit.TypeCode))

  1099. 				m.Post("/diffpatch", reqRepoWriter(unit.TypeCode), reqToken(auth_model.AccessTokenScopeRepo), bind(api.ApplyDiffPatchFileOptions{}), repo.ApplyDiffPatch)

  1100. 				m.Group("/contents", func() {

  1101. 					m.Get("", repo.GetContentsList)

  1102. 					m.Get("/*", repo.GetContents)

  1103. 					m.Group("/*", func() {

  1104. 						m.Post("", bind(api.CreateFileOptions{}), reqRepoBranchWriter, repo.CreateFile)

  1105. 						m.Put("", bind(api.UpdateFileOptions{}), reqRepoBranchWriter, repo.UpdateFile)

  1106. 						m.Delete("", bind(api.DeleteFileOptions{}), reqRepoBranchWriter, repo.DeleteFile)

  1107. 					}, reqToken(auth_model.AccessTokenScopeRepo))

  1108. 				}, reqRepoReader(unit.TypeCode))

  1109. 				m.Get("/signing-key.gpg", misc.SigningKey)

  1110. 				m.Group("/topics", func() {

  1111. 					m.Combo("").Get(repo.ListTopics).

  1112. 						Put(reqToken(auth_model.AccessTokenScopeRepo), reqAdmin(), bind(api.RepoTopicOptions{}), repo.UpdateTopics)

  1113. 					m.Group("/{topic}", func() {

  1114. 						m.Combo("").Put(reqToken(auth_model.AccessTokenScopeRepo), repo.AddTopic).

  1115. 							Delete(reqToken(auth_model.AccessTokenScopeRepo), repo.DeleteTopic)

  1116. 					}, reqAdmin())

  1117. 				}, reqAnyRepoReader())

  1118. 				m.Get("/issue_templates", context.ReferencesGitRepo(), repo.GetIssueTemplates)

  1119. 				m.Get("/languages", reqRepoReader(unit.TypeCode), repo.GetLanguages)

  1120. 			}, repoAssignment())

  1121. 		})

  1122. 

  1123. 		// NOTE: these are Gitea package management API - see packages.CommonRoutes and packages.DockerContainerRoutes for endpoints that implement package manager APIs

  1124. 		m.Group("/packages/{username}", func() {

  1125. 			m.Group("/{type}/{name}/{version}", func() {

  1126. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadPackage), packages.GetPackage)

  1127. 				m.Delete("", reqToken(auth_model.AccessTokenScopeDeletePackage), reqPackageAccess(perm.AccessModeWrite), packages.DeletePackage)

  1128. 				m.Get("/files", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackageFiles)

  1129. 			})

  1130. 			m.Get("/", reqToken(auth_model.AccessTokenScopeReadPackage), packages.ListPackages)

  1131. 		}, context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))

  1132. 

  1133. 		// Organizations

  1134. 		m.Get("/user/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMyOrgs)

  1135. 		m.Group("/users/{username}/orgs", func() {

  1136. 			m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListUserOrgs)

  1137. 			m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)

  1138. 		}, context_service.UserAssignmentAPI())

  1139. 		m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)

  1140. 		m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)

  1141. 		m.Group("/orgs/{org}", func() {

  1142. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).

  1143. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).

  1144. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)

  1145. 			m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).

  1146. 				Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)

  1147. 			m.Group("/members", func() {

  1148. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)

  1149. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).

  1150. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)

  1151. 			})

  1152. 			m.Group("/public_members", func() {

  1153. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)

  1154. 				m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).

  1155. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).

  1156. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)

  1157. 			})

  1158. 			m.Group("/teams", func() {

  1159. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListTeams)

  1160. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)

  1161. 				m.Get("/search", reqToken(auth_model.AccessTokenScopeReadOrg), org.SearchTeam)

  1162. 			}, reqOrgMembership())

  1163. 			m.Group("/labels", func() {

  1164. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)

  1165. 				m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)

  1166. 				m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).

  1167. 					Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).

  1168. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteLabel)

  1169. 			})

  1170. 			m.Group("/hooks", func() {

  1171. 				m.Combo("").Get(org.ListHooks).

  1172. 					Post(bind(api.CreateHookOption{}), org.CreateHook)

  1173. 				m.Combo("/{id}").Get(org.GetHook).

  1174. 					Patch(bind(api.EditHookOption{}), org.EditHook).

  1175. 					Delete(org.DeleteHook)

  1176. 			}, reqToken(auth_model.AccessTokenScopeAdminOrgHook), reqOrgOwnership(), reqWebhooksEnabled())

  1177. 		}, orgAssignment(true))

  1178. 		m.Group("/teams/{teamid}", func() {

  1179. 			m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeam).

  1180. 				Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditTeamOption{}), org.EditTeam).

  1181. 				Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteTeam)

  1182. 			m.Group("/members", func() {

  1183. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMembers)

  1184. 				m.Combo("/{username}").

  1185. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamMember).

  1186. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.AddTeamMember).

  1187. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.RemoveTeamMember)

  1188. 			})

  1189. 			m.Group("/repos", func() {

  1190. 				m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepos)

  1191. 				m.Combo("/{org}/{reponame}").

  1192. 					Put(reqToken(auth_model.AccessTokenScopeWriteOrg), org.AddTeamRepository).

  1193. 					Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), org.RemoveTeamRepository).

  1194. 					Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetTeamRepo)

  1195. 			})

  1196. 		}, orgAssignment(false, true), reqToken(""), reqTeamMembership())

  1197. 

  1198. 		m.Group("/admin", func() {

  1199. 			m.Group("/cron", func() {

  1200. 				m.Get("", admin.ListCronTasks)

  1201. 				m.Post("/{task}", admin.PostCronTask)

  1202. 			})

  1203. 			m.Get("/orgs", admin.GetAllOrgs)

  1204. 			m.Group("/users", func() {

  1205. 				m.Get("", admin.GetAllUsers)

  1206. 				m.Post("", bind(api.CreateUserOption{}), admin.CreateUser)

  1207. 				m.Group("/{username}", func() {

  1208. 					m.Combo("").Patch(bind(api.EditUserOption{}), admin.EditUser).

  1209. 						Delete(admin.DeleteUser)

  1210. 					m.Group("/keys", func() {

  1211. 						m.Post("", bind(api.CreateKeyOption{}), admin.CreatePublicKey)

  1212. 						m.Delete("/{id}", admin.DeleteUserPublicKey)

  1213. 					})

  1214. 					m.Get("/orgs", org.ListUserOrgs)

  1215. 					m.Post("/orgs", bind(api.CreateOrgOption{}), admin.CreateOrg)

  1216. 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)

  1217. 				}, context_service.UserAssignmentAPI())

  1218. 			})

  1219. 			m.Group("/unadopted", func() {

  1220. 				m.Get("", admin.ListUnadoptedRepositories)

  1221. 				m.Post("/{username}/{reponame}", admin.AdoptRepository)

  1222. 				m.Delete("/{username}/{reponame}", admin.DeleteUnadoptedRepository)

  1223. 			})

  1224. 		}, reqToken(auth_model.AccessTokenScopeSudo), reqSiteAdmin())

  1225. 

  1226. 		m.Group("/topics", func() {

  1227. 			m.Get("/search", repo.TopicSearch)

  1228. 		})

  1229. 	}, sudo())

  1230. 

  1231. 	return m

  1232. }

  1233. 

  1234. func securityHeaders() func(http.Handler) http.Handler {

  1235. 	return func(next http.Handler) http.Handler {

  1236. 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {

  1237. 			// CORB: https://www.chromium.org/Home/chromium-security/corb-for-developers

  1238. 			// http://stackoverflow.com/a/3146618/244009

  1239. 			resp.Header().Set("x-content-type-options", "nosniff")

  1240. 			next.ServeHTTP(resp, req)

  1241. 		})

  1242. 	}

  1243. }