Require token before checking membership/ownership

This commit is contained in:
Ethan Koenig 2017-06-07 12:20:32 -04:00
parent d9a8eff2de
commit 971e3a35c1
1 changed files with 7 additions and 7 deletions

View File

@ -453,19 +453,19 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Get("/users/:username/orgs", org.ListUserOrgs)
m.Group("/orgs/:orgname", func() {
m.Combo("").Get(org.Get).
Patch(reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
Patch(reqToken(), reqOrgOwnership(), bind(api.EditOrgOption{}), org.Edit)
m.Group("/members", func() {
m.Get("", org.ListMembers)
m.Combo("/:username").Get(org.IsMember).
Delete(reqOrgOwnership(), org.DeleteMember)
Delete(reqToken(), reqOrgOwnership(), org.DeleteMember)
})
m.Group("/public_members", func() {
m.Get("", org.ListPublicMembers)
m.Combo("/:username").Get(org.IsPublicMember).
Put(reqOrgMembership(), org.PublicizeMember).
Delete(reqOrgMembership(), org.ConcealMember)
Put(reqToken(), reqOrgMembership(), org.PublicizeMember).
Delete(reqToken(), reqOrgMembership(), org.ConcealMember)
})
m.Combo("/teams", reqOrgMembership()).Get(org.ListTeams).
m.Combo("/teams", reqToken(), reqOrgMembership()).Get(org.ListTeams).
Post(bind(api.CreateTeamOption{}), org.CreateTeam)
m.Group("/hooks", func() {
m.Combo("").Get(org.ListHooks).
@ -473,7 +473,7 @@ func RegisterRoutes(m *macaron.Macaron) {
m.Combo("/:id").Get(org.GetHook).
Patch(reqOrgOwnership(), bind(api.EditHookOption{}), org.EditHook).
Delete(reqOrgOwnership(), org.DeleteHook)
}, reqOrgMembership())
}, reqToken(), reqOrgMembership())
}, orgAssignment(true))
m.Group("/teams/:teamid", func() {
m.Combo("").Get(org.GetTeam).
@ -491,7 +491,7 @@ func RegisterRoutes(m *macaron.Macaron) {
Put(org.AddTeamRepository).
Delete(org.RemoveTeamRepository)
})
}, orgAssignment(false, true), reqOrgMembership())
}, orgAssignment(false, true), reqToken(), reqOrgMembership())
m.Any("/*", func(ctx *context.Context) {
ctx.Error(404)