Merge pull request #1905 from ethantkoenig/fix/org_api_auth

Require token before checking membership/ownership
Andrey Nering 2017-06-07 16:49:52 -03:00 committed by GitHub
commit 65cf6cc848


@ -453,19 +453,19 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Get("/users/:username/orgs", org.ListUserOrgs) m.Get("/users/:username/orgs", org.ListUserOrgs)
m.Group("/orgs/:orgname", func() { m.Group("/orgs/:orgname", func() {
m.Combo("").Get(org.Get). m.Combo("").Get(org.Get).
Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit) Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
m.Group("/members", func() { m.Group("/members", func() {
m.Get("", org.ListMembers) m.Get("", org.ListMembers)
m.Combo("/:username").Get(org.IsMember). m.Combo("/:username").Get(org.IsMember).
Delete(reqOrgOwnership(), org.DeleteMember) Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)
}) })
m.Group("/public_members", func() { m.Group("/public_members", func() {
m.Get("", org.ListPublicMembers) m.Get("", org.ListPublicMembers)
m.Combo("/:username").Get(org.IsPublicMember). m.Combo("/:username").Get(org.IsPublicMember).
Put(reqOrgMembership(), org.PublicizeMember). Put(reqToken(), reqOrgMembership(), org.PublicizeMember).
Delete(reqOrgMembership(), org.ConcealMember) Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
}) })
m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams). m.Combo("/teams", reqToken(), reqOrgMembership()).Get(org.ListTeams).
Post(bind(api.CreateTeamOption{}), org.CreateTeam) Post(bind(api.CreateTeamOption{}), org.CreateTeam)
m.Group("/hooks", func() { m.Group("/hooks", func() {
m.Combo("").Get(org.ListHooks). m.Combo("").Get(org.ListHooks).
@ -473,7 +473,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Combo("/:id").Get(org.GetHook). m.Combo("/:id").Get(org.GetHook).
Patch(reqOrgOwnership(), bind(api.EditHookOption{}), org.EditHook). Patch(reqOrgOwnership(), bind(api.EditHookOption{}), org.EditHook).
Delete(reqOrgOwnership(), org.DeleteHook) Delete(reqOrgOwnership(), org.DeleteHook)
}, reqOrgMembership()) }, reqToken(), reqOrgMembership())
}, orgAssignment(true)) }, orgAssignment(true))
m.Group("/teams/:teamid", func() { m.Group("/teams/:teamid", func() {
m.Combo("").Get(org.GetTeam). m.Combo("").Get(org.GetTeam).
@ -491,7 +491,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Put(org.AddTeamRepository). Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository) Delete(org.RemoveTeamRepository)
}) })
}, orgAssignment(false, true), reqOrgMembership()) }, orgAssignment(false, true), reqToken(), reqOrgMembership())
m.Any("/*", func(ctx *context.Context) { m.Any("/*", func(ctx *context.Context) {
ctx.Error(404) ctx.Error(404)