mirror of
https://github.com/go-gitea/gitea
synced 2024-12-22 02:17:54 +01:00
[API] Add endpount to get user org permissions (#17232)
* Add endpoint * Add swagger response + generate swagger * Stop execution if user / org is not found * Add tests Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
parent
7b8723158e
commit
d0a681fbc3
149
integrations/api_user_org_perm_test.go
Normal file
149
integrations/api_user_org_perm_test.go
Normal file
@ -0,0 +1,149 @@
|
||||
// Copyright 2021 The Gitea Authors. All rights reserved.
|
||||
// Use of this source code is governed by a MIT-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package integrations
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
api "code.gitea.io/gitea/modules/structs"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
type apiUserOrgPermTestCase struct {
|
||||
LoginUser string
|
||||
User string
|
||||
Organization string
|
||||
ExpectedOrganizationPermissions api.OrganizationPermissions
|
||||
}
|
||||
|
||||
func TestTokenNeeded(t *testing.T) {
|
||||
defer prepareTestEnv(t)()
|
||||
|
||||
session := emptyTestSession(t)
|
||||
req := NewRequest(t, "GET", "/api/v1/users/user1/orgs/user6/permissions")
|
||||
session.MakeRequest(t, req, http.StatusUnauthorized)
|
||||
}
|
||||
|
||||
func sampleTest(t *testing.T, auoptc apiUserOrgPermTestCase) {
|
||||
defer prepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, auoptc.LoginUser)
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token))
|
||||
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||
|
||||
var apiOP api.OrganizationPermissions
|
||||
DecodeJSON(t, resp, &apiOP)
|
||||
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.IsOwner, apiOP.IsOwner)
|
||||
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.IsAdmin, apiOP.IsAdmin)
|
||||
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanWrite, apiOP.CanWrite)
|
||||
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanRead, apiOP.CanRead)
|
||||
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanCreateRepository, apiOP.CanCreateRepository)
|
||||
}
|
||||
|
||||
func TestWithOwnerUser(t *testing.T) {
|
||||
sampleTest(t, apiUserOrgPermTestCase{
|
||||
LoginUser: "user2",
|
||||
User: "user2",
|
||||
Organization: "user3",
|
||||
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||
IsOwner: true,
|
||||
IsAdmin: true,
|
||||
CanWrite: true,
|
||||
CanRead: true,
|
||||
CanCreateRepository: true,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestCanWriteUser(t *testing.T) {
|
||||
sampleTest(t, apiUserOrgPermTestCase{
|
||||
LoginUser: "user4",
|
||||
User: "user4",
|
||||
Organization: "user3",
|
||||
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||
IsOwner: false,
|
||||
IsAdmin: false,
|
||||
CanWrite: true,
|
||||
CanRead: true,
|
||||
CanCreateRepository: false,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAdminUser(t *testing.T) {
|
||||
sampleTest(t, apiUserOrgPermTestCase{
|
||||
LoginUser: "user1",
|
||||
User: "user28",
|
||||
Organization: "user3",
|
||||
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||
IsOwner: false,
|
||||
IsAdmin: true,
|
||||
CanWrite: true,
|
||||
CanRead: true,
|
||||
CanCreateRepository: true,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestAdminCanNotCreateRepo(t *testing.T) {
|
||||
sampleTest(t, apiUserOrgPermTestCase{
|
||||
LoginUser: "user1",
|
||||
User: "user28",
|
||||
Organization: "user6",
|
||||
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||
IsOwner: false,
|
||||
IsAdmin: true,
|
||||
CanWrite: true,
|
||||
CanRead: true,
|
||||
CanCreateRepository: false,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestCanReadUser(t *testing.T) {
|
||||
sampleTest(t, apiUserOrgPermTestCase{
|
||||
LoginUser: "user1",
|
||||
User: "user24",
|
||||
Organization: "org25",
|
||||
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||
IsOwner: false,
|
||||
IsAdmin: false,
|
||||
CanWrite: false,
|
||||
CanRead: true,
|
||||
CanCreateRepository: false,
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
func TestUnknowUser(t *testing.T) {
|
||||
defer prepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token))
|
||||
resp := session.MakeRequest(t, req, http.StatusNotFound)
|
||||
|
||||
var apiError api.APIError
|
||||
DecodeJSON(t, resp, &apiError)
|
||||
assert.Equal(t, "GetUserByName", apiError.Message)
|
||||
}
|
||||
|
||||
func TestUnknowOrganization(t *testing.T) {
|
||||
defer prepareTestEnv(t)()
|
||||
|
||||
session := loginUser(t, "user1")
|
||||
token := getTokenForLoggedInUser(t, session)
|
||||
|
||||
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token))
|
||||
resp := session.MakeRequest(t, req, http.StatusNotFound)
|
||||
var apiError api.APIError
|
||||
DecodeJSON(t, resp, &apiError)
|
||||
assert.Equal(t, "GetUserByName", apiError.Message)
|
||||
}
|
@ -392,6 +392,19 @@ func CanCreateOrgRepo(orgID, uid int64) (bool, error) {
|
||||
Exist(new(Team))
|
||||
}
|
||||
|
||||
// GetOrgUserMaxAuthorizeLevel returns highest authorize level of user in an organization
|
||||
func (org *User) GetOrgUserMaxAuthorizeLevel(uid int64) (AccessMode, error) {
|
||||
var authorize AccessMode
|
||||
_, err := db.GetEngine(db.DefaultContext).
|
||||
Select("max(team.authorize)").
|
||||
Table("team").
|
||||
Join("INNER", "team_user", "team_user.team_id = team.id").
|
||||
Where("team_user.uid = ?", uid).
|
||||
And("team_user.org_id = ?", org.ID).
|
||||
Get(&authorize)
|
||||
return authorize, err
|
||||
}
|
||||
|
||||
// GetUsersWhoCanCreateOrgRepo returns users which are able to create repo in organization
|
||||
func GetUsersWhoCanCreateOrgRepo(orgID int64) ([]*User, error) {
|
||||
return getUsersWhoCanCreateOrgRepo(db.GetEngine(db.DefaultContext), orgID)
|
||||
|
@ -17,6 +17,15 @@ type Organization struct {
|
||||
RepoAdminChangeTeamAccess bool `json:"repo_admin_change_team_access"`
|
||||
}
|
||||
|
||||
// OrganizationPermissions list differents users permissions on an organization
|
||||
type OrganizationPermissions struct {
|
||||
IsOwner bool `json:"is_owner"`
|
||||
IsAdmin bool `json:"is_admin"`
|
||||
CanWrite bool `json:"can_write"`
|
||||
CanRead bool `json:"can_read"`
|
||||
CanCreateRepository bool `json:"can_create_repository"`
|
||||
}
|
||||
|
||||
// CreateOrgOption options for creating an organization
|
||||
type CreateOrgOption struct {
|
||||
// required: true
|
||||
|
@ -973,7 +973,10 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
|
||||
|
||||
// Organizations
|
||||
m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
|
||||
m.Get("/users/{username}/orgs", org.ListUserOrgs)
|
||||
m.Group("/users/{username}/orgs", func() {
|
||||
m.Get("", org.ListUserOrgs)
|
||||
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
|
||||
})
|
||||
m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)
|
||||
m.Get("/orgs", org.GetAll)
|
||||
m.Group("/orgs/{org}", func() {
|
||||
|
@ -97,6 +97,77 @@ func ListUserOrgs(ctx *context.APIContext) {
|
||||
listUserOrgs(ctx, u)
|
||||
}
|
||||
|
||||
// GetUserOrgsPermissions get user permissions in organization
|
||||
func GetUserOrgsPermissions(ctx *context.APIContext) {
|
||||
// swagger:operation GET /users/{username}/orgs/{org}/permissions organization orgGetUserPermissions
|
||||
// ---
|
||||
// summary: Get user permissions in organization
|
||||
// produces:
|
||||
// - application/json
|
||||
// parameters:
|
||||
// - name: username
|
||||
// in: path
|
||||
// description: username of user
|
||||
// type: string
|
||||
// required: true
|
||||
// - name: org
|
||||
// in: path
|
||||
// description: name of the organization
|
||||
// type: string
|
||||
// required: true
|
||||
// responses:
|
||||
// "200":
|
||||
// "$ref": "#/responses/OrganizationPermissions"
|
||||
// "403":
|
||||
// "$ref": "#/responses/forbidden"
|
||||
// "404":
|
||||
// "$ref": "#/responses/notFound"
|
||||
|
||||
var u *models.User
|
||||
if u = user.GetUserByParams(ctx); u == nil {
|
||||
return
|
||||
}
|
||||
|
||||
var o *models.User
|
||||
if o = user.GetUserByParamsName(ctx, ":org"); o == nil {
|
||||
return
|
||||
}
|
||||
|
||||
op := api.OrganizationPermissions{}
|
||||
|
||||
if !models.HasOrgOrUserVisible(o, u) {
|
||||
ctx.NotFound("HasOrgOrUserVisible", nil)
|
||||
return
|
||||
}
|
||||
|
||||
authorizeLevel, err := o.GetOrgUserMaxAuthorizeLevel(u.ID)
|
||||
if err != nil {
|
||||
ctx.Error(http.StatusInternalServerError, "GetOrgUserAuthorizeLevel", err)
|
||||
return
|
||||
}
|
||||
|
||||
if authorizeLevel > models.AccessModeNone {
|
||||
op.CanRead = true
|
||||
}
|
||||
if authorizeLevel > models.AccessModeRead {
|
||||
op.CanWrite = true
|
||||
}
|
||||
if authorizeLevel > models.AccessModeWrite {
|
||||
op.IsAdmin = true
|
||||
}
|
||||
if authorizeLevel > models.AccessModeAdmin {
|
||||
op.IsOwner = true
|
||||
}
|
||||
|
||||
op.CanCreateRepository, err = o.CanCreateOrgRepo(u.ID)
|
||||
if err != nil {
|
||||
ctx.Error(http.StatusInternalServerError, "CanCreateOrgRepo", err)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.JSON(http.StatusOK, op)
|
||||
}
|
||||
|
||||
// GetAll return list of all public organizations
|
||||
func GetAll(ctx *context.APIContext) {
|
||||
// swagger:operation Get /orgs organization orgGetAll
|
||||
|
@ -35,3 +35,10 @@ type swaggerResponseTeamList struct {
|
||||
// in:body
|
||||
Body []api.Team `json:"body"`
|
||||
}
|
||||
|
||||
// OrganizationPermissions
|
||||
// swagger:response OrganizationPermissions
|
||||
type swaggerResponseOrganizationPermissions struct {
|
||||
// in:body
|
||||
Body api.OrganizationPermissions `json:"body"`
|
||||
}
|
||||
|
@ -11856,6 +11856,45 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"/users/{username}/orgs/{org}/permissions": {
|
||||
"get": {
|
||||
"produces": [
|
||||
"application/json"
|
||||
],
|
||||
"tags": [
|
||||
"organization"
|
||||
],
|
||||
"summary": "Get user permissions in organization",
|
||||
"operationId": "orgGetUserPermissions",
|
||||
"parameters": [
|
||||
{
|
||||
"type": "string",
|
||||
"description": "username of user",
|
||||
"name": "username",
|
||||
"in": "path",
|
||||
"required": true
|
||||
},
|
||||
{
|
||||
"type": "string",
|
||||
"description": "name of the organization",
|
||||
"name": "org",
|
||||
"in": "path",
|
||||
"required": true
|
||||
}
|
||||
],
|
||||
"responses": {
|
||||
"200": {
|
||||
"$ref": "#/responses/OrganizationPermissions"
|
||||
},
|
||||
"403": {
|
||||
"$ref": "#/responses/forbidden"
|
||||
},
|
||||
"404": {
|
||||
"$ref": "#/responses/notFound"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"/users/{username}/repos": {
|
||||
"get": {
|
||||
"produces": [
|
||||
@ -15877,6 +15916,33 @@
|
||||
},
|
||||
"x-go-package": "code.gitea.io/gitea/modules/structs"
|
||||
},
|
||||
"OrganizationPermissions": {
|
||||
"description": "OrganizationPermissions list differents users permissions on an organization",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"can_create_repository": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "CanCreateRepository"
|
||||
},
|
||||
"can_read": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "CanRead"
|
||||
},
|
||||
"can_write": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "CanWrite"
|
||||
},
|
||||
"is_admin": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "IsAdmin"
|
||||
},
|
||||
"is_owner": {
|
||||
"type": "boolean",
|
||||
"x-go-name": "IsOwner"
|
||||
}
|
||||
},
|
||||
"x-go-package": "code.gitea.io/gitea/modules/structs"
|
||||
},
|
||||
"PRBranchInfo": {
|
||||
"description": "PRBranchInfo information about a branch",
|
||||
"type": "object",
|
||||
@ -17742,6 +17808,12 @@
|
||||
}
|
||||
}
|
||||
},
|
||||
"OrganizationPermissions": {
|
||||
"description": "OrganizationPermissions",
|
||||
"schema": {
|
||||
"$ref": "#/definitions/OrganizationPermissions"
|
||||
}
|
||||
},
|
||||
"PublicKey": {
|
||||
"description": "PublicKey",
|
||||
"schema": {
|
||||
|
Loading…
Reference in New Issue
Block a user