forked from gitea/gitea
[API] Add endpount to get user org permissions (#17232)
* Add endpoint * Add swagger response + generate swagger * Stop execution if user / org is not found * Add tests Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
parent
7b8723158e
commit
d0a681fbc3
|
@ -0,0 +1,149 @@
|
||||||
|
// Copyright 2021 The Gitea Authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a MIT-style
|
||||||
|
// license that can be found in the LICENSE file.
|
||||||
|
|
||||||
|
package integrations
|
||||||
|
|
||||||
|
import (
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
api "code.gitea.io/gitea/modules/structs"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
type apiUserOrgPermTestCase struct {
|
||||||
|
LoginUser string
|
||||||
|
User string
|
||||||
|
Organization string
|
||||||
|
ExpectedOrganizationPermissions api.OrganizationPermissions
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestTokenNeeded(t *testing.T) {
|
||||||
|
defer prepareTestEnv(t)()
|
||||||
|
|
||||||
|
session := emptyTestSession(t)
|
||||||
|
req := NewRequest(t, "GET", "/api/v1/users/user1/orgs/user6/permissions")
|
||||||
|
session.MakeRequest(t, req, http.StatusUnauthorized)
|
||||||
|
}
|
||||||
|
|
||||||
|
func sampleTest(t *testing.T, auoptc apiUserOrgPermTestCase) {
|
||||||
|
defer prepareTestEnv(t)()
|
||||||
|
|
||||||
|
session := loginUser(t, auoptc.LoginUser)
|
||||||
|
token := getTokenForLoggedInUser(t, session)
|
||||||
|
|
||||||
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/%s/orgs/%s/permissions?token=%s", auoptc.User, auoptc.Organization, token))
|
||||||
|
resp := session.MakeRequest(t, req, http.StatusOK)
|
||||||
|
|
||||||
|
var apiOP api.OrganizationPermissions
|
||||||
|
DecodeJSON(t, resp, &apiOP)
|
||||||
|
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.IsOwner, apiOP.IsOwner)
|
||||||
|
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.IsAdmin, apiOP.IsAdmin)
|
||||||
|
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanWrite, apiOP.CanWrite)
|
||||||
|
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanRead, apiOP.CanRead)
|
||||||
|
assert.Equal(t, auoptc.ExpectedOrganizationPermissions.CanCreateRepository, apiOP.CanCreateRepository)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestWithOwnerUser(t *testing.T) {
|
||||||
|
sampleTest(t, apiUserOrgPermTestCase{
|
||||||
|
LoginUser: "user2",
|
||||||
|
User: "user2",
|
||||||
|
Organization: "user3",
|
||||||
|
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||||
|
IsOwner: true,
|
||||||
|
IsAdmin: true,
|
||||||
|
CanWrite: true,
|
||||||
|
CanRead: true,
|
||||||
|
CanCreateRepository: true,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestCanWriteUser(t *testing.T) {
|
||||||
|
sampleTest(t, apiUserOrgPermTestCase{
|
||||||
|
LoginUser: "user4",
|
||||||
|
User: "user4",
|
||||||
|
Organization: "user3",
|
||||||
|
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||||
|
IsOwner: false,
|
||||||
|
IsAdmin: false,
|
||||||
|
CanWrite: true,
|
||||||
|
CanRead: true,
|
||||||
|
CanCreateRepository: false,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAdminUser(t *testing.T) {
|
||||||
|
sampleTest(t, apiUserOrgPermTestCase{
|
||||||
|
LoginUser: "user1",
|
||||||
|
User: "user28",
|
||||||
|
Organization: "user3",
|
||||||
|
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||||
|
IsOwner: false,
|
||||||
|
IsAdmin: true,
|
||||||
|
CanWrite: true,
|
||||||
|
CanRead: true,
|
||||||
|
CanCreateRepository: true,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAdminCanNotCreateRepo(t *testing.T) {
|
||||||
|
sampleTest(t, apiUserOrgPermTestCase{
|
||||||
|
LoginUser: "user1",
|
||||||
|
User: "user28",
|
||||||
|
Organization: "user6",
|
||||||
|
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||||
|
IsOwner: false,
|
||||||
|
IsAdmin: true,
|
||||||
|
CanWrite: true,
|
||||||
|
CanRead: true,
|
||||||
|
CanCreateRepository: false,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestCanReadUser(t *testing.T) {
|
||||||
|
sampleTest(t, apiUserOrgPermTestCase{
|
||||||
|
LoginUser: "user1",
|
||||||
|
User: "user24",
|
||||||
|
Organization: "org25",
|
||||||
|
ExpectedOrganizationPermissions: api.OrganizationPermissions{
|
||||||
|
IsOwner: false,
|
||||||
|
IsAdmin: false,
|
||||||
|
CanWrite: false,
|
||||||
|
CanRead: true,
|
||||||
|
CanCreateRepository: false,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUnknowUser(t *testing.T) {
|
||||||
|
defer prepareTestEnv(t)()
|
||||||
|
|
||||||
|
session := loginUser(t, "user1")
|
||||||
|
token := getTokenForLoggedInUser(t, session)
|
||||||
|
|
||||||
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/unknow/orgs/org25/permissions?token=%s", token))
|
||||||
|
resp := session.MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
|
||||||
|
var apiError api.APIError
|
||||||
|
DecodeJSON(t, resp, &apiError)
|
||||||
|
assert.Equal(t, "GetUserByName", apiError.Message)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestUnknowOrganization(t *testing.T) {
|
||||||
|
defer prepareTestEnv(t)()
|
||||||
|
|
||||||
|
session := loginUser(t, "user1")
|
||||||
|
token := getTokenForLoggedInUser(t, session)
|
||||||
|
|
||||||
|
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/users/user1/orgs/unknow/permissions?token=%s", token))
|
||||||
|
resp := session.MakeRequest(t, req, http.StatusNotFound)
|
||||||
|
var apiError api.APIError
|
||||||
|
DecodeJSON(t, resp, &apiError)
|
||||||
|
assert.Equal(t, "GetUserByName", apiError.Message)
|
||||||
|
}
|
|
@ -392,6 +392,19 @@ func CanCreateOrgRepo(orgID, uid int64) (bool, error) {
|
||||||
Exist(new(Team))
|
Exist(new(Team))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetOrgUserMaxAuthorizeLevel returns highest authorize level of user in an organization
|
||||||
|
func (org *User) GetOrgUserMaxAuthorizeLevel(uid int64) (AccessMode, error) {
|
||||||
|
var authorize AccessMode
|
||||||
|
_, err := db.GetEngine(db.DefaultContext).
|
||||||
|
Select("max(team.authorize)").
|
||||||
|
Table("team").
|
||||||
|
Join("INNER", "team_user", "team_user.team_id = team.id").
|
||||||
|
Where("team_user.uid = ?", uid).
|
||||||
|
And("team_user.org_id = ?", org.ID).
|
||||||
|
Get(&authorize)
|
||||||
|
return authorize, err
|
||||||
|
}
|
||||||
|
|
||||||
// GetUsersWhoCanCreateOrgRepo returns users which are able to create repo in organization
|
// GetUsersWhoCanCreateOrgRepo returns users which are able to create repo in organization
|
||||||
func GetUsersWhoCanCreateOrgRepo(orgID int64) ([]*User, error) {
|
func GetUsersWhoCanCreateOrgRepo(orgID int64) ([]*User, error) {
|
||||||
return getUsersWhoCanCreateOrgRepo(db.GetEngine(db.DefaultContext), orgID)
|
return getUsersWhoCanCreateOrgRepo(db.GetEngine(db.DefaultContext), orgID)
|
||||||
|
|
|
@ -17,6 +17,15 @@ type Organization struct {
|
||||||
RepoAdminChangeTeamAccess bool `json:"repo_admin_change_team_access"`
|
RepoAdminChangeTeamAccess bool `json:"repo_admin_change_team_access"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// OrganizationPermissions list differents users permissions on an organization
|
||||||
|
type OrganizationPermissions struct {
|
||||||
|
IsOwner bool `json:"is_owner"`
|
||||||
|
IsAdmin bool `json:"is_admin"`
|
||||||
|
CanWrite bool `json:"can_write"`
|
||||||
|
CanRead bool `json:"can_read"`
|
||||||
|
CanCreateRepository bool `json:"can_create_repository"`
|
||||||
|
}
|
||||||
|
|
||||||
// CreateOrgOption options for creating an organization
|
// CreateOrgOption options for creating an organization
|
||||||
type CreateOrgOption struct {
|
type CreateOrgOption struct {
|
||||||
// required: true
|
// required: true
|
||||||
|
|
|
@ -973,7 +973,10 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
|
||||||
|
|
||||||
// Organizations
|
// Organizations
|
||||||
m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
|
m.Get("/user/orgs", reqToken(), org.ListMyOrgs)
|
||||||
m.Get("/users/{username}/orgs", org.ListUserOrgs)
|
m.Group("/users/{username}/orgs", func() {
|
||||||
|
m.Get("", org.ListUserOrgs)
|
||||||
|
m.Get("/{org}/permissions", reqToken(), org.GetUserOrgsPermissions)
|
||||||
|
})
|
||||||
m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)
|
m.Post("/orgs", reqToken(), bind(api.CreateOrgOption{}), org.Create)
|
||||||
m.Get("/orgs", org.GetAll)
|
m.Get("/orgs", org.GetAll)
|
||||||
m.Group("/orgs/{org}", func() {
|
m.Group("/orgs/{org}", func() {
|
||||||
|
|
|
@ -97,6 +97,77 @@ func ListUserOrgs(ctx *context.APIContext) {
|
||||||
listUserOrgs(ctx, u)
|
listUserOrgs(ctx, u)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetUserOrgsPermissions get user permissions in organization
|
||||||
|
func GetUserOrgsPermissions(ctx *context.APIContext) {
|
||||||
|
// swagger:operation GET /users/{username}/orgs/{org}/permissions organization orgGetUserPermissions
|
||||||
|
// ---
|
||||||
|
// summary: Get user permissions in organization
|
||||||
|
// produces:
|
||||||
|
// - application/json
|
||||||
|
// parameters:
|
||||||
|
// - name: username
|
||||||
|
// in: path
|
||||||
|
// description: username of user
|
||||||
|
// type: string
|
||||||
|
// required: true
|
||||||
|
// - name: org
|
||||||
|
// in: path
|
||||||
|
// description: name of the organization
|
||||||
|
// type: string
|
||||||
|
// required: true
|
||||||
|
// responses:
|
||||||
|
// "200":
|
||||||
|
// "$ref": "#/responses/OrganizationPermissions"
|
||||||
|
// "403":
|
||||||
|
// "$ref": "#/responses/forbidden"
|
||||||
|
// "404":
|
||||||
|
// "$ref": "#/responses/notFound"
|
||||||
|
|
||||||
|
var u *models.User
|
||||||
|
if u = user.GetUserByParams(ctx); u == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
var o *models.User
|
||||||
|
if o = user.GetUserByParamsName(ctx, ":org"); o == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
op := api.OrganizationPermissions{}
|
||||||
|
|
||||||
|
if !models.HasOrgOrUserVisible(o, u) {
|
||||||
|
ctx.NotFound("HasOrgOrUserVisible", nil)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
authorizeLevel, err := o.GetOrgUserMaxAuthorizeLevel(u.ID)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "GetOrgUserAuthorizeLevel", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if authorizeLevel > models.AccessModeNone {
|
||||||
|
op.CanRead = true
|
||||||
|
}
|
||||||
|
if authorizeLevel > models.AccessModeRead {
|
||||||
|
op.CanWrite = true
|
||||||
|
}
|
||||||
|
if authorizeLevel > models.AccessModeWrite {
|
||||||
|
op.IsAdmin = true
|
||||||
|
}
|
||||||
|
if authorizeLevel > models.AccessModeAdmin {
|
||||||
|
op.IsOwner = true
|
||||||
|
}
|
||||||
|
|
||||||
|
op.CanCreateRepository, err = o.CanCreateOrgRepo(u.ID)
|
||||||
|
if err != nil {
|
||||||
|
ctx.Error(http.StatusInternalServerError, "CanCreateOrgRepo", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx.JSON(http.StatusOK, op)
|
||||||
|
}
|
||||||
|
|
||||||
// GetAll return list of all public organizations
|
// GetAll return list of all public organizations
|
||||||
func GetAll(ctx *context.APIContext) {
|
func GetAll(ctx *context.APIContext) {
|
||||||
// swagger:operation Get /orgs organization orgGetAll
|
// swagger:operation Get /orgs organization orgGetAll
|
||||||
|
|
|
@ -35,3 +35,10 @@ type swaggerResponseTeamList struct {
|
||||||
// in:body
|
// in:body
|
||||||
Body []api.Team `json:"body"`
|
Body []api.Team `json:"body"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// OrganizationPermissions
|
||||||
|
// swagger:response OrganizationPermissions
|
||||||
|
type swaggerResponseOrganizationPermissions struct {
|
||||||
|
// in:body
|
||||||
|
Body api.OrganizationPermissions `json:"body"`
|
||||||
|
}
|
||||||
|
|
|
@ -11856,6 +11856,45 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"/users/{username}/orgs/{org}/permissions": {
|
||||||
|
"get": {
|
||||||
|
"produces": [
|
||||||
|
"application/json"
|
||||||
|
],
|
||||||
|
"tags": [
|
||||||
|
"organization"
|
||||||
|
],
|
||||||
|
"summary": "Get user permissions in organization",
|
||||||
|
"operationId": "orgGetUserPermissions",
|
||||||
|
"parameters": [
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"description": "username of user",
|
||||||
|
"name": "username",
|
||||||
|
"in": "path",
|
||||||
|
"required": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"type": "string",
|
||||||
|
"description": "name of the organization",
|
||||||
|
"name": "org",
|
||||||
|
"in": "path",
|
||||||
|
"required": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"responses": {
|
||||||
|
"200": {
|
||||||
|
"$ref": "#/responses/OrganizationPermissions"
|
||||||
|
},
|
||||||
|
"403": {
|
||||||
|
"$ref": "#/responses/forbidden"
|
||||||
|
},
|
||||||
|
"404": {
|
||||||
|
"$ref": "#/responses/notFound"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
"/users/{username}/repos": {
|
"/users/{username}/repos": {
|
||||||
"get": {
|
"get": {
|
||||||
"produces": [
|
"produces": [
|
||||||
|
@ -15877,6 +15916,33 @@
|
||||||
},
|
},
|
||||||
"x-go-package": "code.gitea.io/gitea/modules/structs"
|
"x-go-package": "code.gitea.io/gitea/modules/structs"
|
||||||
},
|
},
|
||||||
|
"OrganizationPermissions": {
|
||||||
|
"description": "OrganizationPermissions list differents users permissions on an organization",
|
||||||
|
"type": "object",
|
||||||
|
"properties": {
|
||||||
|
"can_create_repository": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "CanCreateRepository"
|
||||||
|
},
|
||||||
|
"can_read": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "CanRead"
|
||||||
|
},
|
||||||
|
"can_write": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "CanWrite"
|
||||||
|
},
|
||||||
|
"is_admin": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "IsAdmin"
|
||||||
|
},
|
||||||
|
"is_owner": {
|
||||||
|
"type": "boolean",
|
||||||
|
"x-go-name": "IsOwner"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"x-go-package": "code.gitea.io/gitea/modules/structs"
|
||||||
|
},
|
||||||
"PRBranchInfo": {
|
"PRBranchInfo": {
|
||||||
"description": "PRBranchInfo information about a branch",
|
"description": "PRBranchInfo information about a branch",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
@ -17742,6 +17808,12 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"OrganizationPermissions": {
|
||||||
|
"description": "OrganizationPermissions",
|
||||||
|
"schema": {
|
||||||
|
"$ref": "#/definitions/OrganizationPermissions"
|
||||||
|
}
|
||||||
|
},
|
||||||
"PublicKey": {
|
"PublicKey": {
|
||||||
"description": "PublicKey",
|
"description": "PublicKey",
|
||||||
"schema": {
|
"schema": {
|
||||||
|
|
Loading…
Reference in New Issue