Skip to content

Commit 2f8932c

Browse files
lunnylunny
committed
Fix team members API (go-gitea#6714)
1 parent b1cb52e commit 2f8932c

File tree

2 files changed

+51
-1
lines changed

2 files changed

+51
-1
lines changed

integrations/api_team_test.go

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ import (
1616

1717
func TestAPITeam(t *testing.T) {
1818
prepareTestEnv(t)
19+
1920
teamUser := models.AssertExistsAndLoadBean(t, &models.TeamUser{}).(*models.TeamUser)
2021
team := models.AssertExistsAndLoadBean(t, &models.Team{ID: teamUser.TeamID}).(*models.Team)
2122
user := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser.UID}).(*models.User)
@@ -29,4 +30,16 @@ func TestAPITeam(t *testing.T) {
2930
DecodeJSON(t, resp, &apiTeam)
3031
assert.EqualValues(t, team.ID, apiTeam.ID)
3132
assert.Equal(t, team.Name, apiTeam.Name)
33+
34+
// non team member user will not access the teams details
35+
teamUser2 := models.AssertExistsAndLoadBean(t, &models.TeamUser{ID: 3}).(*models.TeamUser)
36+
user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: teamUser2.UID}).(*models.User)
37+
38+
session = loginUser(t, user2.Name)
39+
token = getTokenForLoggedInUser(t, session)
40+
req = NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
41+
resp = session.MakeRequest(t, req, http.StatusForbidden)
42+
43+
req = NewRequestf(t, "GET", "/api/v1/teams/%d", teamUser.TeamID)
44+
resp = session.MakeRequest(t, req, http.StatusUnauthorized)
3245
}

routers/api/v1/api.go

Lines changed: 38 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -280,6 +280,43 @@ func reqOrgMembership() macaron.Handler {
280280
}
281281
}
282282

283+
// reqTeamMembership user should be an team member, or a site admin
284+
func reqTeamMembership() macaron.Handler {
285+
return func(ctx *context.APIContext) {
286+
if ctx.User.IsAdmin {
287+
return
288+
}
289+
if ctx.Org.Team == nil {
290+
ctx.Error(500, "", "reqTeamMembership: unprepared context")
291+
return
292+
}
293+
294+
var orgID = ctx.Org.Team.OrgID
295+
isOwner, err := models.IsOrganizationOwner(orgID, ctx.User.ID)
296+
if err != nil {
297+
ctx.Error(500, "IsOrganizationOwner", err)
298+
return
299+
} else if isOwner {
300+
return
301+
}
302+
303+
if isTeamMember, err := models.IsTeamMember(orgID, ctx.Org.Team.ID, ctx.User.ID); err != nil {
304+
ctx.Error(500, "IsTeamMember", err)
305+
return
306+
} else if !isTeamMember {
307+
isOrgMember, err := models.IsOrganizationMember(orgID, ctx.User.ID)
308+
if err != nil {
309+
ctx.Error(500, "IsOrganizationMember", err)
310+
} else if isOrgMember {
311+
ctx.Error(403, "", "Must be a team member")
312+
} else {
313+
ctx.Status(404)
314+
}
315+
return
316+
}
317+
}
318+
}
319+
283320
func reqOrgOwnership() macaron.Handler {
284321
return func(ctx *context.APIContext) {
285322
var orgID int64
@@ -686,7 +723,7 @@ func RegisterRoutes(m *macaron.Macaron) {
686723
Put(org.AddTeamRepository).
687724
Delete(org.RemoveTeamRepository)
688725
})
689-
}, orgAssignment(false, true), reqToken(), reqOrgMembership())
726+
}, orgAssignment(false, true), reqToken(), reqTeamMembership())
690727

691728
m.Any("/*", func(ctx *context.Context) {
692729
ctx.Error(404)

0 commit comments

Comments
 (0)