gapodo/forgejo
gapodo/forgejo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Limit scope for /api/v1/orgs

Browse source
This commit is contained in:
harryzcy 2022-11-01 01:23:17 -04:00
parent 9f2af77f53
commit e8af871f98
No known key found for this signature in database
GPG key ID: CC2953E050C19686
9 changed files with 50 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
routers/api/v1/api.go
View file

@ -1103,41 +1103,41 @@ func Routes(ctx gocontext.Context) *web.Route {
}, context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead)) }, context_service.UserAssignmentAPI(), context.PackageAssignmentAPI(), reqPackageAccess(perm.AccessModeRead))
// Organizations // Organizations
m.Get("/user/orgs", reqToken(""), org.ListMyOrgs) m.Get("/user/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMyOrgs)
m.Group("/users/{username}/orgs", func() { m.Group("/users/{username}/orgs", func() {
m.Get("", org.ListUserOrgs) m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListUserOrgs)
m.Get("/{org}/permissions", reqToken(""), org.GetUserOrgsPermissions) m.Get("/{org}/permissions", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetUserOrgsPermissions)
}, context_service.UserAssignmentAPI()) }, context_service.UserAssignmentAPI())
m.Post("/orgs", reqToken(""), bind(api.CreateOrgOption{}), org.Create) m.Post("/orgs", reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateOrgOption{}), org.Create)
m.Get("/orgs", org.GetAll) m.Get("/orgs", reqToken(auth_model.AccessTokenScopeReadOrg), org.GetAll)
m.Group("/orgs/{org}", func() { m.Group("/orgs/{org}", func() {
m.Combo("").Get(org.Get). m.Combo("").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.Get).
Patch(reqToken(""), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit). Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit).
Delete(reqToken(""), reqOrgOwnership(), org.Delete) Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.Delete)
m.Combo("/repos").Get(user.ListOrgRepos). m.Combo("/repos").Get(reqToken(auth_model.AccessTokenScopeReadOrg), user.ListOrgRepos).
Post(reqToken(""), bind(api.CreateRepoOption{}), repo.CreateOrgRepo) Post(reqToken(auth_model.AccessTokenScopeWriteOrg), bind(api.CreateRepoOption{}), repo.CreateOrgRepo)
m.Group("/members", func() { m.Group("/members", func() {
m.Get("", org.ListMembers) m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListMembers)
m.Combo("/{username}").Get(org.IsMember). m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsMember).
Delete(reqToken(""), reqOrgOwnership(), org.DeleteMember) Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteMember)
}) })
m.Group("/public_members", func() { m.Group("/public_members", func() {
m.Get("", org.ListPublicMembers) m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListPublicMembers)
m.Combo("/{username}").Get(org.IsPublicMember). m.Combo("/{username}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.IsPublicMember).
Put(reqToken(""), reqOrgMembership(), org.PublicizeMember). Put(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.PublicizeMember).
Delete(reqToken(""), reqOrgMembership(), org.ConcealMember) Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership(), org.ConcealMember)
}) })
m.Group("/teams", func() { m.Group("/teams", func() {
m.Get("", org.ListTeams) m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListTeams)
m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam) m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
m.Get("/search", org.SearchTeam) m.Get("/search", org.SearchTeam)
}, reqToken(""), reqOrgMembership()) }, reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgMembership())
m.Group("/labels", func() { m.Group("/labels", func() {
m.Get("", org.ListLabels) m.Get("", reqToken(auth_model.AccessTokenScopeReadOrg), org.ListLabels)
m.Post("", reqToken(""), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel) m.Post("", reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.CreateLabelOption{}), org.CreateLabel)
m.Combo("/{id}").Get(org.GetLabel). m.Combo("/{id}").Get(reqToken(auth_model.AccessTokenScopeReadOrg), org.GetLabel).
Patch(reqToken(""), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel). Patch(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), bind(api.EditLabelOption{}), org.EditLabel).
Delete(reqToken(""), reqOrgOwnership(), org.DeleteLabel) Delete(reqToken(auth_model.AccessTokenScopeWriteOrg), reqOrgOwnership(), org.DeleteLabel)
}) })
m.Group("/hooks", func() { m.Group("/hooks", func() {
m.Combo("").Get(org.ListHooks). m.Combo("").Get(org.ListHooks).
@ -1145,7 +1145,7 @@ func Routes(ctx gocontext.Context) *web.Route {
m.Combo("/{id}").Get(org.GetHook). m.Combo("/{id}").Get(org.GetHook).
Patch(bind(api.EditHookOption{}), org.EditHook). Patch(bind(api.EditHookOption{}), org.EditHook).
Delete(org.DeleteHook) Delete(org.DeleteHook)
}, reqToken(""), reqOrgOwnership(), reqWebhooksEnabled()) }, reqToken(auth_model.AccessTokenScopeAdminOrgHook), reqOrgOwnership(), reqWebhooksEnabled())
}, orgAssignment(true)) }, orgAssignment(true))
m.Group("/teams/{teamid}", func() { m.Group("/teams/{teamid}", func() {
m.Combo("").Get(org.GetTeam). m.Combo("").Get(org.GetTeam).

2
tests/integration/api_issue_label_test.go
View file

@ -144,7 +144,7 @@ func TestAPIModifyOrgLabels(t *testing.T) {
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID}) owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
user := "user1" user := "user1"
session := loginUser(t, user) session := loginUser(t, user)
token := getTokenForLoggedInUser(t, session, "repo") token := getTokenForLoggedInUser(t, session, "repo", "admin_org")
urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels?token=%s", owner.Name, token) urlStr := fmt.Sprintf("/api/v1/orgs/%s/labels?token=%s", owner.Name, token)
// CreateLabel // CreateLabel

20
tests/integration/api_org_test.go
View file

@ -22,7 +22,7 @@ import (
func TestAPIOrgCreate(t *testing.T) { func TestAPIOrgCreate(t *testing.T) {
onGiteaRun(t, func(*testing.T, *url.URL) { onGiteaRun(t, func(*testing.T, *url.URL) {
token := getUserToken(t, "user1") token := getUserToken(t, "user1", "write_org", "read_org")
org := api.CreateOrgOption{ org := api.CreateOrgOption{
UserName: "user1_org", UserName: "user1_org",
@ -80,7 +80,7 @@ func TestAPIOrgEdit(t *testing.T) {
onGiteaRun(t, func(*testing.T, *url.URL) { onGiteaRun(t, func(*testing.T, *url.URL) {
session := loginUser(t, "user1") session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "write_org")
org := api.EditOrgOption{ org := api.EditOrgOption{
FullName: "User3 organization new full name", FullName: "User3 organization new full name",
Description: "A new description", Description: "A new description",
@ -107,7 +107,7 @@ func TestAPIOrgEditBadVisibility(t *testing.T) {
onGiteaRun(t, func(*testing.T, *url.URL) { onGiteaRun(t, func(*testing.T, *url.URL) {
session := loginUser(t, "user1") session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "write_org")
org := api.EditOrgOption{ org := api.EditOrgOption{
FullName: "User3 organization new full name", FullName: "User3 organization new full name",
Description: "A new description", Description: "A new description",
@ -127,14 +127,16 @@ func TestAPIOrgDeny(t *testing.T) {
setting.Service.RequireSignInView = false setting.Service.RequireSignInView = false
}() }()
token := getUserToken(t, "user1", "read_org")
orgName := "user1_org" orgName := "user1_org"
req := NewRequestf(t, "GET", "/api/v1/orgs/%s", orgName) req := NewRequestf(t, "GET", "/api/v1/orgs/%s?token=%s", orgName, token)
MakeRequest(t, req, http.StatusNotFound) MakeRequest(t, req, http.StatusNotFound)
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos", orgName) req = NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token=%s", orgName, token)
MakeRequest(t, req, http.StatusNotFound) MakeRequest(t, req, http.StatusNotFound)
req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members", orgName) req = NewRequestf(t, "GET", "/api/v1/orgs/%s/members?token=%s", orgName, token)
MakeRequest(t, req, http.StatusNotFound) MakeRequest(t, req, http.StatusNotFound)
}) })
} }
@ -142,7 +144,9 @@ func TestAPIOrgDeny(t *testing.T) {
func TestAPIGetAll(t *testing.T) { func TestAPIGetAll(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
req := NewRequestf(t, "GET", "/api/v1/orgs") token := getUserToken(t, "user1", "read_org")
req := NewRequestf(t, "GET", "/api/v1/orgs?token=%s", token)
resp := MakeRequest(t, req, http.StatusOK) resp := MakeRequest(t, req, http.StatusOK)
var apiOrgList []*api.Organization var apiOrgList []*api.Organization
@ -155,7 +159,7 @@ func TestAPIGetAll(t *testing.T) {
func TestAPIOrgSearchEmptyTeam(t *testing.T) { func TestAPIOrgSearchEmptyTeam(t *testing.T) {
onGiteaRun(t, func(*testing.T, *url.URL) { onGiteaRun(t, func(*testing.T, *url.URL) {
token := getUserToken(t, "user1") token := getUserToken(t, "user1", "admin_org")
orgName := "org_with_empty_team" orgName := "org_with_empty_team"
// create org // create org

2
tests/integration/api_repo_test.go
View file

@ -300,7 +300,7 @@ func TestAPIOrgRepos(t *testing.T) {
if userToLogin != nil && userToLogin.ID > 0 { if userToLogin != nil && userToLogin.ID > 0 {
testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID) testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
session = loginUser(t, userToLogin.Name) session = loginUser(t, userToLogin.Name)
token = getTokenForLoggedInUser(t, session) token = getTokenForLoggedInUser(t, session, "read_org")
} else { } else {
testName = "AnonymousUser" testName = "AnonymousUser"
session = emptyTestSession(t) session = emptyTestSession(t)

8
tests/integration/api_team_test.go
View file

@ -30,7 +30,7 @@ func TestAPITeam(t *testing.T) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: teamUser.UID}) user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: teamUser.UID})
session := loginUser(t, user.Name) session := loginUser(t, user.Name)
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "admin_org")
req := NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID) req := NewRequestf(t, "GET", "/api/v1/teams/%d?token="+token, teamUser.TeamID)
resp := session.MakeRequest(t, req, http.StatusOK) resp := session.MakeRequest(t, req, http.StatusOK)
@ -228,7 +228,7 @@ func TestAPITeamSearch(t *testing.T) {
var results TeamSearchResults var results TeamSearchResults
token := getUserToken(t, user.Name) token := getUserToken(t, user.Name, "read_org")
req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "_team", token) req := NewRequestf(t, "GET", "/api/v1/orgs/%s/teams/search?q=%s&token=%s", org.Name, "_team", token)
resp := MakeRequest(t, req, http.StatusOK) resp := MakeRequest(t, req, http.StatusOK)
DecodeJSON(t, resp, &results) DecodeJSON(t, resp, &results)
@ -253,7 +253,7 @@ func TestAPIGetTeamRepo(t *testing.T) {
var results api.Repository var results api.Repository
token := getUserToken(t, user.Name) token := getUserToken(t, user.Name, "read_org")
req := NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token) req := NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token)
resp := MakeRequest(t, req, http.StatusOK) resp := MakeRequest(t, req, http.StatusOK)
DecodeJSON(t, resp, &results) DecodeJSON(t, resp, &results)
@ -261,7 +261,7 @@ func TestAPIGetTeamRepo(t *testing.T) {
// no access if not organization member // no access if not organization member
user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}) user5 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
token5 := getUserToken(t, user5.Name) token5 := getUserToken(t, user5.Name, "read_org")
req = NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token5) req = NewRequestf(t, "GET", "/api/v1/teams/%d/repos/%s/?token=%s", team.ID, teamRepo.FullName(), token5)
MakeRequest(t, req, http.StatusNotFound) MakeRequest(t, req, http.StatusNotFound)

6
tests/integration/api_user_org_perm_test.go
View file

@ -34,7 +34,7 @@ func sampleTest(t *testing.T, auoptc apiUserOrgPermTestCase) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
session := loginUser(t, auoptc.LoginUser) session := loginUser(t, auoptc.LoginUser)
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "read_org")
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token)) req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token))
resp := session.MakeRequest(t, req, http.StatusOK) resp := session.MakeRequest(t, req, http.StatusOK)
@ -127,7 +127,7 @@ func TestUnknowUser(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user1") session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "read_org")
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token)) req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token))
resp := session.MakeRequest(t, req, http.StatusNotFound) resp := session.MakeRequest(t, req, http.StatusNotFound)
@ -141,7 +141,7 @@ func TestUnknowOrganization(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
session := loginUser(t, "user1") session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "read_org")
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token)) req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token))
resp := session.MakeRequest(t, req, http.StatusNotFound) resp := session.MakeRequest(t, req, http.StatusNotFound)

4
tests/integration/api_user_orgs_test.go
View file

@ -72,7 +72,7 @@ func getUserOrgs(t *testing.T, userDoer, userCheck string) (orgs []*api.Organiza
session := emptyTestSession(t) session := emptyTestSession(t)
if len(userDoer) != 0 { if len(userDoer) != 0 {
session = loginUser(t, userDoer) session = loginUser(t, userDoer)
token = getTokenForLoggedInUser(t, session) token = getTokenForLoggedInUser(t, session, "read_org")
} }
urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token) urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", userCheck, token)
req := NewRequest(t, "GET", urlStr) req := NewRequest(t, "GET", urlStr)
@ -90,7 +90,7 @@ func TestMyOrgs(t *testing.T) {
normalUsername := "user2" normalUsername := "user2"
session = loginUser(t, normalUsername) session = loginUser(t, normalUsername)
token := getTokenForLoggedInUser(t, session) token := getTokenForLoggedInUser(t, session, "read_org")
req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token) req = NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
resp := session.MakeRequest(t, req, http.StatusOK) resp := session.MakeRequest(t, req, http.StatusOK)
var orgs []*api.Organization var orgs []*api.Organization

2
tests/integration/org_count_test.go
View file

@ -25,7 +25,7 @@ func testOrgCounts(t *testing.T, u *url.URL) {
orgOwner := "user2" orgOwner := "user2"
orgName := "testOrg" orgName := "testOrg"
orgCollaborator := "user4" orgCollaborator := "user4"
ctx := NewAPITestContext(t, orgOwner, "repo1") ctx := NewAPITestContext(t, orgOwner, "repo1", "admin_org")
var ownerCountRepos map[string]int var ownerCountRepos map[string]int
var collabCountRepos map[string]int var collabCountRepos map[string]int

2
tests/integration/org_test.go
View file

@ -159,7 +159,7 @@ func TestOrgRestrictedUser(t *testing.T) {
// Therefore create a read-only team // Therefore create a read-only team
adminSession := loginUser(t, "user1") adminSession := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, adminSession) token := getTokenForLoggedInUser(t, adminSession, "admin_org")
teamToCreate := &api.CreateTeamOption{ teamToCreate := &api.CreateTeamOption{
Name: "codereader", Name: "codereader",