Fix team members API (#6714) (#6729)

This commit is contained in:
Lunny Xiao 2019-04-24 20:41:02 +08:00 committed by GitHub
parent b1cb52e477
commit 5f6b118007
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 1 deletions

View File

@ -16,6 +16,7 @@ import (
func TestAPITeam(t *testing.T) { func TestAPITeam(t *testing.T) {
prepareTestEnv(t) prepareTestEnv(t)
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser) teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team) team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User) user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
DecodeJSON(t, resp, &apiTeam) DecodeJSON(t, resp, &apiTeam)
assert.EqualValues(t, team.ID, apiTeam.ID) assert.EqualValues(t, team.ID, apiTeam.ID)
assert.Equal(t, team.Name, apiTeam.Name) assert.Equal(t, team.Name, apiTeam.Name)
// non team member user will not access the teams details
teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
session = loginUser(t, user2.Name)
token = getTokenForLoggedInUser(t, session)
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusForbidden)
req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
resp = session.MakeRequest(t, req, http.StatusUnauthorized)
} }

View File

@ -280,6 +280,43 @@ func reqOrgMembership() macaron.Handler {
} }
} }
// reqTeamMembership user should be an team member, or a site admin
func reqTeamMembership() macaron.Handler {
return func(ctx *context.APIContext) {
if ctx.User.IsAdmin {
return
}
if ctx.Org.Team == nil {
ctx.Error(500, "", "reqTeamMembership: unprepared context")
return
}
var orgID = ctx.Org.Team.OrgID
isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationOwner", err)
return
} else if isOwner {
return
}
if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {
ctx.Error(500, "IsTeamMember", err)
return
} else if !isTeamMember {
isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)
if err != nil {
ctx.Error(500, "IsOrganizationMember", err)
} else if isOrgMember {
ctx.Error(403, "", "Must be a team member")
} else {
ctx.Status(404)
}
return
}
}
}
func reqOrgOwnership() macaron.Handler { func reqOrgOwnership() macaron.Handler {
return func(ctx *context.APIContext) { return func(ctx *context.APIContext) {
var orgID int64 var orgID int64
@ -686,7 +723,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Put(org.AddTeamRepository). Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository) Delete(org.RemoveTeamRepository)
}) })
}, orgAssignment(false, true), reqToken(), reqOrgMembership()) }, orgAssignment(false, true), reqToken(), reqTeamMembership())
m.Any("/*", func(ctx *context.Context) { m.Any("/*", func(ctx *context.Context) {
ctx.Error(404) ctx.Error(404)