Add a user info scope and thread it through the code. Protect the org modification API.

2014-03-18 19:21:27 -04:00 · 2014-03-18 19:21:27 -04:00 · 64071b9e8e
commit 64071b9e8e
parent 89556172d5
13 changed files with 144 additions and 115 deletions
--- a/endpoints/api/organization.py
+++ b/endpoints/api/organization.py
@ -4,7 +4,8 @@ import stripe
 from flask import request

 from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
-                           related_user_resource, internal_only, Unauthorized, NotFound)
+                           related_user_resource, internal_only, Unauthorized, NotFound,
+                           require_user_admin)
 from endpoints.api.team import team_view
 from endpoints.api.user import User, PrivateRepositories
 from auth.permissions import (AdministerOrganizationPermission,  OrganizationMemberPermission,
@ -62,14 +63,12 @@ class OrganizationList(ApiResource):
    },
  }

+  @require_user_admin
  @nickname('createOrganization')
  @validate_json_request('NewOrg')
  def post(self):
    """ Create a new organization. """
    user = get_authenticated_user()
-    if not user:
-      raise Unauthorized()
-
    org_data = request.get_json()
    existing = None

@ -135,26 +134,29 @@ class Organization(ApiResource):
  @validate_json_request('UpdateOrg')
  def put(self, orgname):
    """ Change the details for the specified organization. """
-    try:
-      org = model.get_organization(orgname)
-    except model.InvalidOrganizationException:
-      raise NotFound()
-      
-    org_data = request.get_json()
-    if 'invoice_email' in org_data:
-      logger.debug('Changing invoice_email for organization: %s', org.username)
-      model.change_invoice_email(org, org_data['invoice_email'])
+    permission = AdministerOrganizationPermission(orgname)
+    if permission.can():
+      try:
+        org = model.get_organization(orgname)
+      except model.InvalidOrganizationException:
+        raise NotFound()
+        
+      org_data = request.get_json()
+      if 'invoice_email' in org_data:
+        logger.debug('Changing invoice_email for organization: %s', org.username)
+        model.change_invoice_email(org, org_data['invoice_email'])

-    if 'email' in org_data and org_data['email'] != org.email:
-      new_email = org_data['email']
-      if model.find_user_by_email(new_email):
-        raise request_error(message='E-mail address already used')
-      
-      logger.debug('Changing email address for organization: %s', org.username)
-      model.update_email(org, new_email)
-      
-    teams = model.get_teams_within_org(org)
-    return org_view(org, teams)
+      if 'email' in org_data and org_data['email'] != org.email:
+        new_email = org_data['email']
+        if model.find_user_by_email(new_email):
+          raise request_error(message='E-mail address already used')
+        
+        logger.debug('Changing email address for organization: %s', org.username)
+        model.update_email(org, new_email)
+        
+      teams = model.get_teams_within_org(org)
+      return org_view(org, teams)
+    raise Unauthorized()


@resource('/v1/organization/<orgname>/private')