
teams: teams guard on all teams update methods.

Leonard Gram 6 years ago
parent
commit
1f949e58e1
2 changed files with 36 additions and 6 deletions
  1. 8 1
      pkg/api/team.go
  2. 28 5
      pkg/api/team_members.go

+ 8 - 1
pkg/api/team.go

@@ -131,5 +131,12 @@ func GetTeamPreferences(c *m.ReqContext) Response {
 
 // PUT /api/teams/:teamId/preferences
 func UpdateTeamPreferences(c *m.ReqContext, dtoCmd dtos.UpdatePrefsCmd) Response {
-	return updatePreferencesFor(c.OrgId, 0, c.ParamsInt64(":teamId"), &dtoCmd)
+	teamId := c.ParamsInt64(":teamId")
+	orgId := c.OrgId
+
+	if err := teams.CanUpdateTeam(orgId, teamId, c.SignedInUser); err != nil {
+		return Error(403, "Not allowed to update team preferences.", err)
+	}
+
+	return updatePreferencesFor(orgId, 0, teamId, &dtoCmd)
 }
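Review bot: The guard returns 403 before updatePreferencesFor runs, so a request naming a team that does not exist or belongs to another org now gets whatever teams.CanUpdateTeam yields instead of any not-found handling downstream; CanUpdateTeam is not visible here, so confirm it distinguishes "no such team" from "not permitted" if callers rely on a 404. The message `"Not allowed to update team preferences."` ends with a period while the three sibling guards in team_members.go do not; drop it for consistency. A short comment above the check would help the next reader, e.g. `// Authorize against (orgId, teamId) before touching preferences; the rule lives in teams.CanUpdateTeam.`. The commit title says all update methods are guarded, but only UpdateTeamPreferences changed in this file — if other mutating team handlers exist here, it is worth confirming they are already covered.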

+ 28 - 5
pkg/api/team_members.go

@@ -4,6 +4,7 @@ import (
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/teams"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
@@ -30,8 +31,15 @@ func GetTeamMembers(c *m.ReqContext) Response {
 
 // POST /api/teams/:teamId/members
 func AddTeamMember(c *m.ReqContext, cmd m.AddTeamMemberCommand) Response {
-	cmd.TeamId = c.ParamsInt64(":teamId")
-	cmd.OrgId = c.OrgId
+	teamId := c.ParamsInt64(":teamId")
+	orgId := c.OrgId
+
+	if err := teams.CanUpdateTeam(orgId, teamId, c.SignedInUser); err != nil {
+		return Error(403, "Not allowed to add team member", err)
+	}
+
+	cmd.TeamId = teamId
+	cmd.OrgId = orgId
 
 	if err := bus.Dispatch(&cmd); err != nil {
 		if err == m.ErrTeamNotFound {
@@ -52,9 +60,16 @@ func AddTeamMember(c *m.ReqContext, cmd m.AddTeamMemberCommand) Response {
 
 // PUT /:teamId/members/:userId
 func UpdateTeamMember(c *m.ReqContext, cmd m.UpdateTeamMemberCommand) Response {
-	cmd.TeamId = c.ParamsInt64(":teamId")
+	teamId := c.ParamsInt64(":teamId")
+	orgId := c.OrgId
+
+	if err := teams.CanUpdateTeam(orgId, teamId, c.SignedInUser); err != nil {
+		return Error(403, "Not allowed to update team member", err)
+	}
+
+	cmd.TeamId = teamId
 	cmd.UserId = c.ParamsInt64(":userId")
-	cmd.OrgId = c.OrgId
+	cmd.OrgId = orgId
 
 	if err := bus.Dispatch(&cmd); err != nil {
 		if err == m.ErrTeamMemberNotFound {
@@ -67,7 +82,15 @@ func UpdateTeamMember(c *m.ReqContext, cmd m.UpdateTeamMemberCommand) Response {
 
 // DELETE /api/teams/:teamId/members/:userId
 func RemoveTeamMember(c *m.ReqContext) Response {
-	if err := bus.Dispatch(&m.RemoveTeamMemberCommand{OrgId: c.OrgId, TeamId: c.ParamsInt64(":teamId"), UserId: c.ParamsInt64(":userId")}); err != nil {
+	orgId := c.OrgId
+	teamId := c.ParamsInt64(":teamId")
+	userId := c.ParamsInt64(":userId")
+
+	if err := teams.CanUpdateTeam(orgId, teamId, c.SignedInUser); err != nil {
+		return Error(403, "Not allowed to remove team member", err)
+	}
+
+	if err := bus.Dispatch(&m.RemoveTeamMemberCommand{OrgId: orgId, TeamId: teamId, UserId: userId}); err != nil {
 		if err == m.ErrTeamNotFound {
 			return Error(404, "Team not found", nil)
 		}
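Review bot: The same four-line guard is pasted into AddTeamMember, UpdateTeamMember and RemoveTeamMember with only the message text differing; a small helper that takes the message and returns the 403 Response (or nil) would keep the three call sites identical and make it harder for a future member handler to omit the check. In each handler the 403 is returned before bus.Dispatch, so the existing `if err == m.ErrTeamNotFound` branches are reached only when CanUpdateTeam passes — whether an unknown or cross-org teamId now yields 403 or 404 depends on what CanUpdateTeam returns, which is not visible here, and a test pinning that behaviour would be worthwhile. RemoveTeamMember's body continues past the end of the hunk.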