
Allow admins and org owners to change org member public status #28294

Open

wants to merge 7 commits into base: main
Conversation

@Tomeamis Tomeamis commented Nov 29, 2023

Allows admins and org owners to change org member public status.

Before, this would return "Error 403: Cannot publicize another member" despite the fact that the same user could make the same change through the GUI.

Fixes #28372

@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 29, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 29, 2023
@github-actions github-actions bot added the modifies/api This PR adds API routes or modifies them label Nov 29, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 6, 2023
yp05327 (Contributor) commented Feb 1, 2024

Use organization.IsOrganizationOwner or ctx.Org.Organization.IsOwnedBy?

@pull-request-size pull-request-size bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 1, 2024
Tomeamis (Author) commented Feb 1, 2024

@yp05327 Like this?

yp05327 (Contributor) commented Feb 2, 2024

Can be simpler.

if userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin {
	isOwner, err := ctx.Org.Organization.IsOwnedBy(ctx, ctx.Doer.ID)
	if err != nil {
		ctx.Error(http.StatusInternalServerError, "IsOwnedBy", err)
		return
	}
	if !isOwner {
		ctx.Error(http.StatusForbidden, "", "Cannot publicize another member")
		return
	}
}
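
As an added example (not code from this PR or from Gitea), the gate suggested above written as a standalone Go function, placed next to the inverted form from the intermediate commit that the review thread below discusses, so who gets through each version can be checked case by case. `ownerFn`, `canChangeVisibility`, `canChangeVisibilityInverted` and `demoIsOwner` are this example's own names; `ownerFn` stands in for `Organization.IsOwnedBy`, and the owner data is constructed.

```go
package main

import "fmt"

// ownerFn stands in for Organization.IsOwnedBy(ctx, userID): does userID
// own the organization? Kept as a function value so the demo needs no DB.
type ownerFn func(userID int64) (bool, error)

// canChangeVisibility is the gate suggested in the thread: a user may change
// their own status, a site admin anyone's, and otherwise the caller must own
// the organization. Only that last case needs the owner lookup.
func canChangeVisibility(doerID int64, doerIsAdmin bool, targetID int64, isOwner ownerFn) (bool, error) {
	if targetID != doerID && !doerIsAdmin {
		owner, err := isOwner(doerID)
		if err != nil {
			return false, err // caller maps this to 500, never to a silent allow
		}
		return owner, nil // false -> 403 "Cannot publicize another member"
	}
	return true, nil
}

// canChangeVisibilityInverted reproduces the intermediate commit's mistake:
// "allowed" is true exactly when the owner check should run, so a non-admin
// member acting on someone else skips the check (fail-open) while
// self-service and admin requests are wrongly subjected to it.
func canChangeVisibilityInverted(doerID int64, doerIsAdmin bool, targetID int64, isOwner ownerFn) (bool, error) {
	allowed := targetID != doerID && !doerIsAdmin
	if !allowed {
		owner, err := isOwner(doerID)
		if err != nil {
			return false, err
		}
		return owner, nil
	}
	return true, nil
}

// demoIsOwner is constructed data: user 1 is the only org owner.
func demoIsOwner(id int64) (bool, error) { return id == 1, nil }

func main() {
	// Callers: member 2 on self, member 2 on member 3, owner 1 on 3, site admin 9 on 3.
	cases := []struct{ doer int64; admin bool; target int64 }{{2, false, 2}, {2, false, 3}, {1, false, 3}, {9, true, 3}}
	for _, c := range cases {
		ok, _ := canChangeVisibility(c.doer, c.admin, c.target, demoIsOwner)
		bad, _ := canChangeVisibilityInverted(c.doer, c.admin, c.target, demoIsOwner)
		fmt.Printf("doer=%d admin=%v target=%d corrected=%v inverted=%v\n", c.doer, c.admin, c.target, ok, bad)
	}
}
```

Running it prints one line per caller; the inverted column shows the plain member getting through while self and admin are refused, which is the behaviour the later review comments object to.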

Tomeamis (Author) commented Feb 2, 2024

@yp05327 That is indeed better, updated. Thanks for the suggestion.

@@ -236,18 +236,16 @@ func PublicizeMember(ctx *context.APIContext) {
if ctx.Written() {
return
}
allowed := userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin
if !allowed {
if userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin {
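Review bot: the removed pair `allowed := userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin` / `if !allowed {` inverted the gate: `allowed` was true exactly when the caller was neither the target nor an admin, which is the one case that must go through the owner check, so that check was skipped for a non-admin member acting on someone else and applied instead to self-service and admin callers. The replacement `if userToPublicize.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin {` restores the intended gate; to keep the double negative from creeping back, name the condition for what it means (for example `needsOwnerCheck`) and add an API test covering the three caller classes (self, site admin, non-admin member) so a future inversion fails in CI rather than in review.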
Member


This is not the same as before.

Author


@lunny Indeed, the first commit was correct, then in the second I inadvertently broke it (notice how previously allowed would be true if the Doer was neither the user to publicize nor an admin). This actually fixes that error. Feel free to check the logic, and that it's now correct, yourself.

@@ -287,18 +285,16 @@ func ConcealMember(ctx *context.APIContext) {
if ctx.Written() {
return
}
allowed := userToConceal.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin
if !allowed {
if userToConceal.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin {
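Review bot: same inversion and same fix as in PublicizeMember above; since ConcealMember now repeats the permission check line for line with only the target variable renamed, consider extracting it into one shared helper that takes the context and the target user, so the two endpoints cannot drift apart again and a single test covers both.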
Member


The same

Author


As above


Successfully merging this pull request may close these issues: Admin cannot make org member visible via API
6 participants