Merge branch 'orgs' of https://bitbucket.org/yackob03/quay into orgs
commit
0175bd91bf
12 changed files with 13723 additions and 129 deletions
201
endpoints/api.py
201
endpoints/api.py
|
@ -23,7 +23,11 @@ from util.names import parse_repository_name
|
|||
from util.gravatar import compute_hash
|
||||
from auth.permissions import (ReadRepositoryPermission,
|
||||
ModifyRepositoryPermission,
|
||||
AdministerRepositoryPermission)
|
||||
AdministerRepositoryPermission,
|
||||
CreateRepositoryPermission,
|
||||
AdministerOrganizationPermission,
|
||||
OrganizationMemberPermission,
|
||||
ViewTeamPermission)
|
||||
from endpoints import registry
|
||||
from endpoints.web import common_login
|
||||
from util.cache import cache_control
|
||||
|
@ -57,11 +61,11 @@ def plans_list():
|
|||
@app.route('/api/user/', methods=['GET'])
|
||||
def get_logged_in_user():
|
||||
def org_view(o):
|
||||
# TODO: return whether the user is really the admin of the organization
|
||||
admin_org = AdministerOrganizationPermission(o.username)
|
||||
return {
|
||||
'name': o.username,
|
||||
'gravatar': compute_hash(o.email),
|
||||
'is_org_admin': True
|
||||
'is_org_admin': admin_org.can()
|
||||
}
|
||||
|
||||
if current_user.is_anonymous():
|
||||
|
@ -234,6 +238,7 @@ user_files = UserRequestFiles(app.config['AWS_ACCESS_KEY'],
|
|||
app.config['AWS_SECRET_KEY'],
|
||||
app.config['REGISTRY_S3_BUCKET'])
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>', methods=['GET'])
|
||||
def get_organization(orgname):
|
||||
def team_view(t):
|
||||
|
@ -293,111 +298,120 @@ def member_view(m):
|
|||
'username': m.username
|
||||
}
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members', methods=['GET'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members',
|
||||
methods=['GET'])
|
||||
def get_organization_team_members(orgname, teamname):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
view_permission = ViewTeamPermission(orgname, teamname)
|
||||
edit_permission = AdministerOrganizationPermission(orgname)
|
||||
|
||||
# TODO: determine whether the user has permission to view the members of this team
|
||||
# (i.e. they are a member of the team OR they are an admin of the org)
|
||||
user = current_user.db_user()
|
||||
team = None
|
||||
if view_permission.can():
|
||||
user = current_user.db_user()
|
||||
team = None
|
||||
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
members = model.get_organization_team_members(team.id)
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
members = model.get_organization_team_members(team.id)
|
||||
return jsonify({
|
||||
'members': { m.username : member_view(m) for m in members },
|
||||
'can_edit': edit_permission.can()
|
||||
})
|
||||
|
||||
# TODO: determine whether the user has permission to *edit* the members of this team.
|
||||
return jsonify({
|
||||
'members': { m.username : member_view(m) for m in members },
|
||||
'can_edit': True
|
||||
})
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>', methods=['PUT', 'POST'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['PUT', 'POST'])
|
||||
def update_organization_team_member(orgname, teamname, membername):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
team = None
|
||||
user = None
|
||||
|
||||
# TODO: determine whether the user has permission to put this user as a member of the team.
|
||||
team = None
|
||||
user = None
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Add the user to the team.
|
||||
model.add_user_to_team(user, team)
|
||||
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Add the user to the team.
|
||||
model.add_user_to_team(user, team)
|
||||
return jsonify(member_view(user))
|
||||
|
||||
return jsonify(member_view(user))
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>', methods=['DELETE'])
|
||||
@app.route('/api/organization/<orgname>/team/<teamname>/members/<membername>',
|
||||
methods=['DELETE'])
|
||||
def delete_organization_team_member(orgname, teamname, membername):
|
||||
if current_user.is_anonymous():
|
||||
abort(404)
|
||||
permission = AdministerOrganizationPermission(orgname)
|
||||
if permission.can():
|
||||
team = None
|
||||
user = None
|
||||
|
||||
# TODO: determine whether the user has permission to delete this user as a member of the team.
|
||||
team = None
|
||||
user = None
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
# Find the team.
|
||||
try:
|
||||
team = model.get_organization_team(orgname, teamname)
|
||||
except:
|
||||
abort(404)
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Remote the user from the team.
|
||||
model.remove_user_from_team(user, team)
|
||||
|
||||
# Find the user.
|
||||
user = model.get_user(membername)
|
||||
if not user:
|
||||
abort(400)
|
||||
|
||||
# Remote the user from the team.
|
||||
model.remove_user_from_team(user, team)
|
||||
|
||||
return jsonify({
|
||||
'success': True
|
||||
})
|
||||
return jsonify({
|
||||
'success': True
|
||||
})
|
||||
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/repository', methods=['POST'])
|
||||
@api_login_required
|
||||
def create_repo_api():
|
||||
owner = current_user.db_user()
|
||||
|
||||
# TODO(jake): Verify that the user can create a repo in this namespace.
|
||||
json = request.get_json()
|
||||
namespace_name = json['namespace'] if 'namespace' in json else owner.username
|
||||
repository_name = json['repository']
|
||||
visibility = json['visibility']
|
||||
namespace_name = json['namespace'] if 'namespace' in json else owner.username
|
||||
|
||||
existing = model.get_repository(namespace_name, repository_name)
|
||||
if existing:
|
||||
return make_response('Repository already exists', 400)
|
||||
permission = CreateRepositoryPermission(namespace_name)
|
||||
if permission.can():
|
||||
repository_name = json['repository']
|
||||
visibility = json['visibility']
|
||||
|
||||
visibility = request.get_json()['visibility']
|
||||
existing = model.get_repository(namespace_name, repository_name)
|
||||
if existing:
|
||||
return make_response('Repository already exists', 400)
|
||||
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
visibility = request.get_json()['visibility']
|
||||
|
||||
return jsonify({
|
||||
'namespace': namespace_name,
|
||||
'name': repository_name
|
||||
})
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
|
||||
repo = model.create_repository(namespace_name, repository_name, owner,
|
||||
visibility)
|
||||
repo.description = json['description']
|
||||
repo.save()
|
||||
|
||||
return jsonify({
|
||||
'namespace': namespace_name,
|
||||
'name': repository_name
|
||||
})
|
||||
|
||||
abort(403)
|
||||
|
||||
|
||||
@app.route('/api/find/repository', methods=['GET'])
|
||||
|
@ -642,11 +656,10 @@ def request_repo_build(namespace, repository):
|
|||
abort(403) # Permissions denied
|
||||
|
||||
|
||||
def role_view(repo_perm_obj, username=None):
|
||||
# TODO: Determine whether the user (if given) is outside of the organization.
|
||||
def role_view(repo_perm_obj, org_member):
|
||||
return {
|
||||
'role': repo_perm_obj.role.name,
|
||||
'outside_org': username != 'devtable'
|
||||
'outside_org': org_member
|
||||
}
|
||||
|
||||
|
||||
|
@ -727,32 +740,36 @@ def list_tag_images(namespace, repository, tag):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/', methods=['GET'])
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_team_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_teams(namespace, repository)
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.team.name: role_view(repo_perm)
|
||||
'permissions': {repo_perm.team.name: role_view(repo_perm, org_member)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/', methods=['GET'])
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_user_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_users(namespace, repository)
|
||||
member = OrganizationMemberPermission(namespace).can()
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.user.username: role_view(repo_perm, username=repo_perm.user.username)
|
||||
'permissions': {repo_perm.user.username: role_view(repo_perm, member)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
|
@ -769,7 +786,8 @@ def get_user_permissions(namespace, repository, username):
|
|||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_user_reponame_permission(username, namespace, repository)
|
||||
return jsonify(role_view(perm, username=username))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
return jsonify(role_view(perm, org_member))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
@ -784,7 +802,8 @@ def get_team_permissions(namespace, repository, teamname):
|
|||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_team_reponame_permission(username, namespace, repository)
|
||||
return jsonify(role_view(perm))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
return jsonify(role_view(perm, org_member))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
@ -808,7 +827,8 @@ def change_user_permissions(namespace, repository, username):
|
|||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(role_view(perm, username=username))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
resp = jsonify(role_view(perm, org_member))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
@ -835,7 +855,8 @@ def change_team_permissions(namespace, repository, teamname):
|
|||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(role_view(perm))
|
||||
org_member = OrganizationMemberPermission(namespace).can()
|
||||
resp = jsonify(role_view(perm, org_member))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
|
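Review bot: In `role_view`, `'outside_org': org_member` (reading the second line of each printed pair as the new side) gets both the sense and the subject wrong. The callers pass `OrganizationMemberPermission(namespace).can()`, which, like the `AdministerRepositoryPermission(...).can()` check next to it, appears to be evaluated for the requesting user, so a requester who is a member yields `outside_org: True` for every entry. In `list_repo_user_permissions` the value is computed once before the comprehension, so the flag cannot distinguish an outside collaborator from a member, which is the signal an admin reviewing repository access relies on. The membership test should be made per `repo_perm.user` against the organization named by `namespace` and then negated, e.g. `'outside_org': not is_member`; the model helper needed for that lookup is not visible on this page. Separately, the unchanged line in `get_team_permissions(namespace, repository, teamname)` still passes the undefined name `username` to `model.get_team_reponame_permission`, which would raise `NameError` once the permission check passes.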