43aed7c6f4
Return an empty body on API requests with status code 204, which means "No content". Incorrect 'Deleted' responses were being returned after successful DELETE operations despite the "No Content" definition of 204.
421 lines
14 KiB
Python
421 lines
14 KiB
Python
""" Create, list and manage an organization's teams. """
|
|
|
|
from flask import request
|
|
|
|
import features
|
|
|
|
from endpoints.api import (resource, nickname, ApiResource, validate_json_request, request_error,
|
|
log_action, internal_only, require_scope, path_param, query_param,
|
|
truthy_bool, parse_args, require_user_admin, show_if)
|
|
from endpoints.exception import Unauthorized, NotFound
|
|
from auth.permissions import AdministerOrganizationPermission, ViewTeamPermission
|
|
from auth.auth_context import get_authenticated_user
|
|
from auth import scopes
|
|
from data import model
|
|
from util.useremails import send_org_invite_email
|
|
from app import avatar
|
|
|
|
def permission_view(permission):
|
|
return {
|
|
'repository': {
|
|
'name': permission.repository.name,
|
|
'is_public': permission.repository.visibility.name == 'public'
|
|
},
|
|
'role': permission.role.name
|
|
}
|
|
|
|
|
|
def try_accept_invite(code, user):
|
|
(team, inviter) = model.team.confirm_team_invite(code, user)
|
|
|
|
model.notification.delete_matching_notifications(user, 'org_team_invite',
|
|
org=team.organization.username)
|
|
|
|
orgname = team.organization.username
|
|
log_action('org_team_member_invite_accepted', orgname, {
|
|
'member': user.username,
|
|
'team': team.name,
|
|
'inviter': inviter.username
|
|
})
|
|
|
|
return team
|
|
|
|
|
|
def handle_addinvite_team(inviter, team, user=None, email=None):
|
|
requires_invite = features.MAILING and features.REQUIRE_TEAM_INVITE
|
|
invite = model.team.add_or_invite_to_team(inviter, team, user, email,
|
|
requires_invite=requires_invite)
|
|
if not invite:
|
|
# User was added to the team directly.
|
|
return
|
|
|
|
orgname = team.organization.username
|
|
if user:
|
|
model.notification.create_notification('org_team_invite', user, metadata={
|
|
'code': invite.invite_token,
|
|
'inviter': inviter.username,
|
|
'org': orgname,
|
|
'team': team.name
|
|
})
|
|
|
|
send_org_invite_email(user.username if user else email, user.email if user else email,
|
|
orgname, team.name, inviter.username, invite.invite_token)
|
|
return invite
|
|
|
|
def team_view(orgname, team):
|
|
view_permission = ViewTeamPermission(orgname, team.name)
|
|
role = model.team.get_team_org_role(team).name
|
|
return {
|
|
'name': team.name,
|
|
'description': team.description,
|
|
'can_view': view_permission.can(),
|
|
'role': role,
|
|
'avatar': avatar.get_data_for_team(team)
|
|
}
|
|
|
|
def member_view(member, invited=False):
|
|
return {
|
|
'name': member.username,
|
|
'kind': 'user',
|
|
'is_robot': member.robot,
|
|
'avatar': avatar.get_data_for_user(member),
|
|
'invited': invited,
|
|
}
|
|
|
|
|
|
def invite_view(invite):
|
|
if invite.user:
|
|
return member_view(invite.user, invited=True)
|
|
else:
|
|
return {
|
|
'email': invite.email,
|
|
'kind': 'invite',
|
|
'avatar': avatar.get_data(invite.email, invite.email, 'user'),
|
|
'invited': True
|
|
}
|
|
|
|
|
|
@resource('/v1/organization/<orgname>/team/<teamname>')
|
|
@path_param('orgname', 'The name of the organization')
|
|
@path_param('teamname', 'The name of the team')
|
|
class OrganizationTeam(ApiResource):
|
|
""" Resource for manging an organization's teams. """
|
|
schemas = {
|
|
'TeamDescription': {
|
|
'type': 'object',
|
|
'description': 'Description of a team',
|
|
'required': [
|
|
'role',
|
|
],
|
|
'properties': {
|
|
'role': {
|
|
'type': 'string',
|
|
'description': 'Org wide permissions that should apply to the team',
|
|
'enum': [
|
|
'member',
|
|
'creator',
|
|
'admin',
|
|
],
|
|
},
|
|
'description': {
|
|
'type': 'string',
|
|
'description': 'Markdown description for the team',
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('updateOrganizationTeam')
|
|
@validate_json_request('TeamDescription')
|
|
def put(self, orgname, teamname):
|
|
""" Update the org-wide permission for the specified team. """
|
|
edit_permission = AdministerOrganizationPermission(orgname)
|
|
if edit_permission.can():
|
|
team = None
|
|
|
|
details = request.get_json()
|
|
is_existing = False
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
is_existing = True
|
|
except model.InvalidTeamException:
|
|
# Create the new team.
|
|
description = details['description'] if 'description' in details else ''
|
|
role = details['role'] if 'role' in details else 'member'
|
|
|
|
org = model.organization.get_organization(orgname)
|
|
team = model.team.create_team(teamname, org, role, description)
|
|
log_action('org_create_team', orgname, {'team': teamname})
|
|
|
|
if is_existing:
|
|
if ('description' in details and
|
|
team.description != details['description']):
|
|
team.description = details['description']
|
|
team.save()
|
|
log_action('org_set_team_description', orgname,
|
|
{'team': teamname, 'description': team.description})
|
|
|
|
if 'role' in details:
|
|
role = model.team.get_team_org_role(team).name
|
|
if role != details['role']:
|
|
team = model.team.set_team_org_permission(team, details['role'],
|
|
get_authenticated_user().username)
|
|
log_action('org_set_team_role', orgname, {'team': teamname, 'role': details['role']})
|
|
|
|
return team_view(orgname, team), 200
|
|
|
|
raise Unauthorized()
|
|
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('deleteOrganizationTeam')
|
|
def delete(self, orgname, teamname):
|
|
""" Delete the specified team. """
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
model.team.remove_team(orgname, teamname, get_authenticated_user().username)
|
|
log_action('org_delete_team', orgname, {'team': teamname})
|
|
return '', 204
|
|
|
|
raise Unauthorized()
|
|
|
|
|
|
@resource('/v1/organization/<orgname>/team/<teamname>/members')
|
|
@path_param('orgname', 'The name of the organization')
|
|
@path_param('teamname', 'The name of the team')
|
|
class TeamMemberList(ApiResource):
|
|
""" Resource for managing the list of members for a team. """
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@parse_args()
|
|
@query_param('includePending', 'Whether to include pending members', type=truthy_bool,
|
|
default=False)
|
|
@nickname('getOrganizationTeamMembers')
|
|
def get(self, orgname, teamname, parsed_args):
|
|
""" Retrieve the list of members for the specified team. """
|
|
view_permission = ViewTeamPermission(orgname, teamname)
|
|
edit_permission = AdministerOrganizationPermission(orgname)
|
|
|
|
if view_permission.can():
|
|
team = None
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
members = model.organization.get_organization_team_members(team.id)
|
|
invites = []
|
|
|
|
if parsed_args['includePending'] and edit_permission.can():
|
|
invites = model.team.get_organization_team_member_invites(team.id)
|
|
|
|
data = {
|
|
'name': teamname,
|
|
'members': [member_view(m) for m in members] + [invite_view(i) for i in invites],
|
|
'can_edit': edit_permission.can()
|
|
}
|
|
|
|
return data
|
|
|
|
raise Unauthorized()
|
|
|
|
|
|
@resource('/v1/organization/<orgname>/team/<teamname>/members/<membername>')
|
|
@path_param('orgname', 'The name of the organization')
|
|
@path_param('teamname', 'The name of the team')
|
|
@path_param('membername', 'The username of the team member')
|
|
class TeamMember(ApiResource):
|
|
""" Resource for managing individual members of a team. """
|
|
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('updateOrganizationTeamMember')
|
|
def put(self, orgname, teamname, membername):
|
|
""" Adds or invites a member to an existing team. """
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
team = None
|
|
user = None
|
|
|
|
# Find the team.
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
# Find the user.
|
|
user = model.user.get_user(membername)
|
|
if not user:
|
|
raise request_error(message='Unknown user')
|
|
|
|
# Add or invite the user to the team.
|
|
inviter = get_authenticated_user()
|
|
invite = handle_addinvite_team(inviter, team, user=user)
|
|
if not invite:
|
|
log_action('org_add_team_member', orgname, {'member': membername, 'team': teamname})
|
|
return member_view(user, invited=False)
|
|
|
|
# User was invited.
|
|
log_action('org_invite_team_member', orgname, {
|
|
'user': membername,
|
|
'member': membername,
|
|
'team': teamname
|
|
})
|
|
return member_view(user, invited=True)
|
|
|
|
raise Unauthorized()
|
|
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('deleteOrganizationTeamMember')
|
|
def delete(self, orgname, teamname, membername):
|
|
""" Delete a member of a team. If the user is merely invited to join
|
|
the team, then the invite is removed instead.
|
|
"""
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
# Remote the user from the team.
|
|
invoking_user = get_authenticated_user().username
|
|
|
|
# Find the team.
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
# Find the member.
|
|
member = model.user.get_user(membername)
|
|
if not member:
|
|
raise NotFound()
|
|
|
|
# First attempt to delete an invite for the user to this team. If none found,
|
|
# then we try to remove the user directly.
|
|
if model.team.delete_team_user_invite(team, member):
|
|
log_action('org_delete_team_member_invite', orgname, {
|
|
'user': membername,
|
|
'team': teamname,
|
|
'member': membername
|
|
})
|
|
return '', 204
|
|
|
|
model.team.remove_user_from_team(orgname, teamname, membername, invoking_user)
|
|
log_action('org_remove_team_member', orgname, {'member': membername, 'team': teamname})
|
|
return '', 204
|
|
|
|
raise Unauthorized()
|
|
|
|
|
|
@resource('/v1/organization/<orgname>/team/<teamname>/invite/<email>')
|
|
@show_if(features.MAILING)
|
|
class InviteTeamMember(ApiResource):
|
|
""" Resource for inviting a team member via email address. """
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('inviteTeamMemberEmail')
|
|
def put(self, orgname, teamname, email):
|
|
""" Invites an email address to an existing team. """
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
team = None
|
|
|
|
# Find the team.
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
# Invite the email to the team.
|
|
inviter = get_authenticated_user()
|
|
invite = handle_addinvite_team(inviter, team, email=email)
|
|
log_action('org_invite_team_member', orgname, {
|
|
'email': email,
|
|
'team': teamname,
|
|
'member': email
|
|
})
|
|
return invite_view(invite)
|
|
|
|
raise Unauthorized()
|
|
|
|
@require_scope(scopes.ORG_ADMIN)
|
|
@nickname('deleteTeamMemberEmailInvite')
|
|
def delete(self, orgname, teamname, email):
|
|
""" Delete an invite of an email address to join a team. """
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
team = None
|
|
|
|
# Find the team.
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
# Delete the invite.
|
|
model.team.delete_team_email_invite(team, email)
|
|
log_action('org_delete_team_member_invite', orgname, {
|
|
'email': email,
|
|
'team': teamname,
|
|
'member': email
|
|
})
|
|
return '', 204
|
|
|
|
raise Unauthorized()
|
|
|
|
|
|
@resource('/v1/organization/<orgname>/team/<teamname>/permissions')
|
|
@path_param('orgname', 'The name of the organization')
|
|
@path_param('teamname', 'The name of the team')
|
|
class TeamPermissions(ApiResource):
|
|
""" Resource for listing the permissions an org's team has in the system. """
|
|
@nickname('getOrganizationTeamPermissions')
|
|
def get(self, orgname, teamname):
|
|
""" Returns the list of repository permissions for the org's team. """
|
|
permission = AdministerOrganizationPermission(orgname)
|
|
if permission.can():
|
|
try:
|
|
team = model.team.get_organization_team(orgname, teamname)
|
|
except model.InvalidTeamException:
|
|
raise NotFound()
|
|
|
|
permissions = model.permission.list_team_permissions(team)
|
|
|
|
return {
|
|
'permissions': [permission_view(permission) for permission in permissions]
|
|
}
|
|
|
|
raise Unauthorized()
|
|
|
|
|
|
@resource('/v1/teaminvite/<code>')
|
|
@internal_only
|
|
@show_if(features.MAILING)
|
|
class TeamMemberInvite(ApiResource):
|
|
""" Resource for managing invites to join a team. """
|
|
@require_user_admin
|
|
@nickname('acceptOrganizationTeamInvite')
|
|
def put(self, code):
|
|
""" Accepts an invite to join a team in an organization. """
|
|
# Accept the invite for the current user.
|
|
team = try_accept_invite(code, get_authenticated_user())
|
|
if not team:
|
|
raise NotFound()
|
|
|
|
orgname = team.organization.username
|
|
return {
|
|
'org': orgname,
|
|
'team': team.name
|
|
}
|
|
|
|
@nickname('declineOrganizationTeamInvite')
|
|
@require_user_admin
|
|
def delete(self, code):
|
|
""" Delete an existing member of a team. """
|
|
(team, inviter) = model.team.delete_team_invite(code, user_obj=get_authenticated_user())
|
|
|
|
model.notification.delete_matching_notifications(get_authenticated_user(), 'org_team_invite',
|
|
code=code)
|
|
|
|
orgname = team.organization.username
|
|
log_action('org_team_member_invite_declined', orgname, {
|
|
'member': get_authenticated_user().username,
|
|
'team': team.name,
|
|
'inviter': inviter.username
|
|
})
|
|
|
|
return '', 204
|