mirror of
https://github.com/go-gitea/gitea
synced 2024-12-23 17:14:27 +00:00
Fix team members API (#6714)
This commit is contained in:
parent
e0172f0db7
commit
59be704efb
@ -16,6 +16,7 @@ import (
|
|||||||
|
|
||||||
func TestAPITeam(t *testing.T) {
|
func TestAPITeam(t *testing.T) {
|
||||||
prepareTestEnv(t)
|
prepareTestEnv(t)
|
||||||
|
|
||||||
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
|
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
|
||||||
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
|
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
|
||||||
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
|
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
|
||||||
@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
|
|||||||
DecodeJSON(t, resp, &apiTeam)
|
DecodeJSON(t, resp, &apiTeam)
|
||||||
assert.EqualValues(t, team.ID, apiTeam.ID)
|
assert.EqualValues(t, team.ID, apiTeam.ID)
|
||||||
assert.Equal(t, team.Name, apiTeam.Name)
|
assert.Equal(t, team.Name, apiTeam.Name)
|
||||||
|
|
||||||
|
// non team member user will not access the teams details
|
||||||
|
teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
|
||||||
|
user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
|
||||||
|
|
||||||
|
session = loginUser(t, user2.Name)
|
||||||
|
token = getTokenForLoggedInUser(t, session)
|
||||||
|
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
|
||||||
|
resp = session.MakeRequest(t, req, http.StatusForbidden)
|
||||||
|
|
||||||
|
req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
|
||||||
|
resp = session.MakeRequest(t, req, http.StatusUnauthorized)
|
||||||
}
|
}
|
||||||
|
@ -286,6 +286,43 @@ func reqOrgOwnership() macaron.Handler {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// reqTeamMembership user should be an team member, or a site admin
|
||||||
|
func reqTeamMembership() macaron.Handler {
|
||||||
|
return func(ctx *context.APIContext) {
|
||||||
|
if ctx.Context.IsUserSiteAdmin() {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ctx.Org.Team == nil {
|
||||||
|
ctx.Error(500, "", "reqTeamMembership: unprepared context")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var orgID = ctx.Org.Team.OrgID
|
||||||
|
isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(500, "IsOrganizationOwner", err)
|
||||||
|
return
|
||||||
|
} else if isOwner {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {
|
||||||
|
ctx.Error(500, "IsTeamMember", err)
|
||||||
|
return
|
||||||
|
} else if !isTeamMember {
|
||||||
|
isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(500, "IsOrganizationMember", err)
|
||||||
|
} else if isOrgMember {
|
||||||
|
ctx.Error(403, "", "Must be a team member")
|
||||||
|
} else {
|
||||||
|
ctx.NotFound()
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// reqOrgMembership user should be an organization member, or a site admin
|
// reqOrgMembership user should be an organization member, or a site admin
|
||||||
func reqOrgMembership() macaron.Handler {
|
func reqOrgMembership() macaron.Handler {
|
||||||
return func(ctx *context.APIContext) {
|
return func(ctx *context.APIContext) {
|
||||||
@ -775,7 +812,7 @@ func RegisterRoutes(m *macaron.Macaron) {
|
|||||||
Put(org.AddTeamRepository).
|
Put(org.AddTeamRepository).
|
||||||
Delete(org.RemoveTeamRepository)
|
Delete(org.RemoveTeamRepository)
|
||||||
})
|
})
|
||||||
}, orgAssignment(false, true), reqToken(), reqOrgMembership())
|
}, orgAssignment(false, true), reqToken(), reqTeamMembership())
|
||||||
|
|
||||||
m.Any("/*", func(ctx *context.APIContext) {
|
m.Any("/*", func(ctx *context.APIContext) {
|
||||||
ctx.NotFound()
|
ctx.NotFound()
|
||||||
|
Loading…
Reference in New Issue
Block a user