- Add an entity-search directive for adding a nice search box for users or teams
- Add support for team-based permissions to the repos
parent
09afe0753f
commit
100ec563fa
7 changed files with 362 additions and 93 deletions
159
endpoints/api.py
159
endpoints/api.py
|
@ -188,6 +188,46 @@ def get_matching_users(prefix):
|
|||
})
|
||||
|
||||
|
||||
@app.route('/api/entities/<prefix>', methods=['GET'])
|
||||
@api_login_required
|
||||
def get_matching_entities(prefix):
|
||||
users = model.get_matching_users(prefix)
|
||||
teams = []
|
||||
|
||||
organization_name = request.args.get('organization', None)
|
||||
organization = None
|
||||
if organization_name:
|
||||
try:
|
||||
organization = model.get_organization(organization_name)
|
||||
except:
|
||||
pass
|
||||
|
||||
if organization:
|
||||
# TODO: ensure that the user has access to the organization
|
||||
teams = model.get_matching_teams(prefix, organization)
|
||||
|
||||
def team_view(team):
|
||||
return {
|
||||
'name': team.name,
|
||||
'kind': 'team'
|
||||
}
|
||||
|
||||
def user_view(user):
|
||||
# TODO: Return whether the user is outside the organization (if one is
|
||||
# specified)
|
||||
return {
|
||||
'name': user.username,
|
||||
'kind': 'user',
|
||||
'outside_org': True
|
||||
}
|
||||
|
||||
team_data = [team_view(team) for team in teams]
|
||||
user_data = [user_view(user) for user in users]
|
||||
return jsonify({
|
||||
'results': team_data + user_data
|
||||
})
|
||||
|
||||
|
||||
user_files = UserRequestFiles(app.config['AWS_ACCESS_KEY'],
|
||||
app.config['AWS_SECRET_KEY'],
|
||||
app.config['REGISTRY_S3_BUCKET'])
|
||||
|
@ -225,8 +265,10 @@ def get_organization_private_allowed(orgname):
|
|||
abort(404)
|
||||
|
||||
user = current_user.db_user()
|
||||
organization = model.lookup_organization(orgname, username = user.username)
|
||||
if not organization:
|
||||
|
||||
try:
|
||||
organization = model.get_organization(orgname, username = user.username)
|
||||
except:
|
||||
abort(404)
|
||||
|
||||
private_repos = model.get_private_repo_count(organization.username)
|
||||
|
@ -405,6 +447,12 @@ def get_repo_api(namespace, repository):
|
|||
'image': image_view(image),
|
||||
}
|
||||
|
||||
organization = None
|
||||
try:
|
||||
organization = model.get_organization(namespace)
|
||||
except:
|
||||
pass
|
||||
|
||||
permission = ReadRepositoryPermission(namespace, repository)
|
||||
is_public = model.repository_is_public(namespace, repository)
|
||||
if permission.can() or is_public:
|
||||
|
@ -426,6 +474,7 @@ def get_repo_api(namespace, repository):
|
|||
'can_admin': can_admin,
|
||||
'is_public': is_public,
|
||||
'is_building': len(active_builds) > 0,
|
||||
'is_organization': bool(organization)
|
||||
})
|
||||
|
||||
abort(404) # Not fount
|
||||
|
@ -501,11 +550,11 @@ def request_repo_build(namespace, repository):
|
|||
abort(403) # Permissions denied
|
||||
|
||||
|
||||
def user_role_view(repo_perm_obj, username):
|
||||
# TODO: Determine whether the user is outside of the organization.
|
||||
def role_view(repo_perm_obj, username=None):
|
||||
# TODO: Determine whether the user (if given) is outside of the organization.
|
||||
return {
|
||||
'role': repo_perm_obj.role.name,
|
||||
'outside_org': False
|
||||
'outside_org': username != 'devtable'
|
||||
}
|
||||
|
||||
|
||||
|
@ -586,42 +635,73 @@ def list_tag_images(namespace, repository, tag):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/', methods=['GET'])
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/', methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_permissions(namespace, repository):
|
||||
def list_repo_team_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_users(namespace, repository)
|
||||
repo_perms = model.get_all_repo_teams(namespace, repository)
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.user.username: user_role_view(repo_perm, repo_perm.user.username)
|
||||
'permissions': {repo_perm.team.name: role_view(repo_perm)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/<username>',
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/', methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def list_repo_user_permissions(namespace, repository):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
repo_perms = model.get_all_repo_users(namespace, repository)
|
||||
|
||||
return jsonify({
|
||||
'permissions': {repo_perm.user.username: role_view(repo_perm, username=repo_perm.user.username)
|
||||
for repo_perm in repo_perms}
|
||||
})
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def get_permissions(namespace, repository, username):
|
||||
def get_user_permissions(namespace, repository, username):
|
||||
logger.debug('Get repo: %s/%s permissions for user %s' %
|
||||
(namespace, repository, username))
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_user_reponame_permission(username, namespace, repository)
|
||||
return jsonify(user_role_view(perm, username))
|
||||
return jsonify(role_view(perm, username=username))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/<username>',
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
|
||||
methods=['GET'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def get_team_permissions(namespace, repository, teamname):
|
||||
logger.debug('Get repo: %s/%s permissions for team %s' %
|
||||
(namespace, repository, teamname))
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
perm = model.get_team_reponame_permission(username, namespace, repository)
|
||||
return jsonify(role_view(perm))
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
|
||||
methods=['PUT', 'POST'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def change_permissions(namespace, repository, username):
|
||||
def change_user_permissions(namespace, repository, username):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
new_permission = request.get_json()
|
||||
|
@ -636,7 +716,7 @@ def change_permissions(namespace, repository, username):
|
|||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(user_role_view(perm, username))
|
||||
resp = jsonify(role_view(perm, username=username))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
@ -644,11 +724,38 @@ def change_permissions(namespace, repository, username):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/<username>',
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
|
||||
methods=['PUT', 'POST'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def change_team_permissions(namespace, repository, teamname):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
new_permission = request.get_json()
|
||||
|
||||
logger.debug('Setting permission to: %s for team %s' %
|
||||
(new_permission['role'], teamname))
|
||||
|
||||
try:
|
||||
perm = model.set_team_repo_permission(teamname, namespace, repository,
|
||||
new_permission['role'])
|
||||
except model.DataModelException:
|
||||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
resp = jsonify(role_view(perm))
|
||||
if request.method == 'POST':
|
||||
resp.status_code = 201
|
||||
return resp
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/user/<username>',
|
||||
methods=['DELETE'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def delete_permissions(namespace, repository, username):
|
||||
def delete_user_permissions(namespace, repository, username):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
try:
|
||||
|
@ -662,6 +769,24 @@ def delete_permissions(namespace, repository, username):
|
|||
abort(403) # Permission denied
|
||||
|
||||
|
||||
@app.route('/api/repository/<path:repository>/permissions/team/<teamname>',
|
||||
methods=['DELETE'])
|
||||
@api_login_required
|
||||
@parse_repository_name
|
||||
def delete_team_permissions(namespace, repository, teamname):
|
||||
permission = AdministerRepositoryPermission(namespace, repository)
|
||||
if permission.can():
|
||||
try:
|
||||
model.delete_team_permission(teamname, namespace, repository)
|
||||
except model.DataModelException:
|
||||
logger.warning('User tried to remove themselves as admin.')
|
||||
abort(409)
|
||||
|
||||
return make_response('Deleted', 204)
|
||||
|
||||
abort(403) # Permission denied
|
||||
|
||||
|
||||
def token_view(token_obj):
|
||||
return {
|
||||
'friendlyName': token_obj.friendly_name,
|
||||
|
|
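Review bot: In `get_matching_entities`, `model.get_matching_teams(prefix, organization)` runs for whatever `organization` query parameter the caller supplies, so any logged-in user can list the team names of an organization they do not belong to; the `# TODO: ensure that the user has access to the organization` should be resolved before this endpoint ships. The hunk in `get_organization_private_allowed` already scopes its lookup with `model.get_organization(orgname, username = user.username)`, and the same form here would presumably give the membership check, though that depends on the model raising for non-members, which is not visible in this diff. The bare `except:` followed by `pass` should catch only the exception the model raises for a missing organization, so that unrelated failures are not silently turned into an empty team list. Separately, `get_team_permissions` passes `username` to `model.get_team_reponame_permission`, but the function's parameter is `teamname`, so that call will raise a NameError once the admin check passes.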