
Commit 65cf6cc

Merge pull request #1905 from ethantkoenig/fix/org_api_auth
Require token before checking membership/ownership
2 parents a70073e + 971e3a3 commit 65cf6cc


1 file changed

+7
-7
lines changed

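--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -453,27 +453,27 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Get("/users/:username/orgs", org.ListUserOrgs)
 m.Group("/orgs/:orgname", func() {
 m.Combo("").Get(org.Get).
-Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
+Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
 m.Group("/members", func() {
 m.Get("", org.ListMembers)
 m.Combo("/:username").Get(org.IsMember).
-Delete(reqOrgOwnership(), org.DeleteMember)
+Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)
 })
 m.Group("/public_members", func() {
 m.Get("", org.ListPublicMembers)
 m.Combo("/:username").Get(org.IsPublicMember).
-Put(reqOrgMembership(), org.PublicizeMember).
-Delete(reqOrgMembership(), org.ConcealMember)
+Put(reqToken(), reqOrgMembership(), org.PublicizeMember).
+Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
 })
-m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams).
+m.Combo("/teams", reqToken(), reqOrgMembership()).Get(org.ListTeams).
 Post(bind(api.CreateTeamOption{}), org.CreateTeam)
 m.Group("/hooks", func() {
 m.Combo("").Get(org.ListHooks).
 Post(bind(api.CreateHookOption{}), org.CreateHook)
 m.Combo("/:id").Get(org.GetHook).
 Patch(reqOrgOwnership(), bind(api.EditHookOption{}), org.EditHook).
 Delete(reqOrgOwnership(), org.DeleteHook)
-}, reqOrgMembership())
+}, reqToken(), reqOrgMembership())
 }, orgAssignment(true))
 m.Group("/teams/:teamid", func() {
 m.Combo("").Get(org.GetTeam).
@@ -491,7 +491,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 Put(org.AddTeamRepository).
 Delete(org.RemoveTeamRepository)
 })
-}, orgAssignment(false, true), reqToken(), reqOrgMembership())
+}, orgAssignment(false, true), reqToken(), reqOrgMembership())
 
 m.Any("/*", func(ctx *context.Context) {
 ctx.Error(404)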
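Review bot: In the first hunk the `/hooks` group still lets any organization member create a hook, because `Post(bind(api.CreateHookOption{}), org.CreateHook)` inherits only the group-level `reqToken(), reqOrgMembership()` while `EditHook` and `DeleteHook` on the next lines add `reqOrgOwnership()`. Unless `org.CreateHook` checks ownership itself (not visible here), creation should carry the same guard as modification: `Post(reqOrgOwnership(), bind(api.CreateHookOption{}), org.CreateHook)`. The `Post(... org.CreateTeam)` route under `/teams`, and the `Put(org.AddTeamRepository)` / `Delete(org.RemoveTeamRepository)` routes in the second hunk, are likewise gated by membership only and are worth confirming against the intended permission model. The fix also relies on every route listing `reqToken()` before `reqOrgMembership()`/`reqOrgOwnership()`; a short comment above the group such as `// reqToken must precede reqOrg* middleware: they assume a signed-in user` would keep future routes from repeating the omission. `RegisterRoutes` starts and ends outside both hunks, so other route groups were not reviewed.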
