From 23231e6d510b60f5609ee76343f808a5dd5becf6 Mon Sep 17 00:00:00 2001
From: Leonard Gram
Date: Mon, 11 Mar 2019 12:03:15 +0100
Subject: [PATCH] teams: added delete team guard

---
 pkg/api/api.go  |  2 +-
 pkg/api/team.go | 16 ++++++++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkg/api/api.go b/pkg/api/api.go
index c004d600b1b..e5d725342fe 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -155,7 +155,7 @@ func (hs *HTTPServer) registerRoutes() {
 	// team (admin permission required)
 	apiRoute.Group("/teams", func(teamsRoute routing.RouteRegister) {
 		teamsRoute.Post("/", bind(m.CreateTeamCommand{}), Wrap(hs.CreateTeam))
-		teamsRoute.Put("/:teamId", bind(m.UpdateTeamCommand{}), Wrap(hs.UpdateTeam))
+		teamsRoute.Put("/:teamId", bind(m.UpdateTeamCommand{}), Wrap(UpdateTeam))
 		teamsRoute.Delete("/:teamId", Wrap(DeleteTeamByID))
 		teamsRoute.Get("/:teamId/members", Wrap(GetTeamMembers))
 		teamsRoute.Post("/:teamId/members", bind(m.AddTeamMemberCommand{}), Wrap(AddTeamMember))
diff --git a/pkg/api/team.go b/pkg/api/team.go
index 6d74b11e588..61d966c2a8b 100644
--- a/pkg/api/team.go
+++ b/pkg/api/team.go
@@ -38,12 +38,12 @@ func (hs *HTTPServer) CreateTeam(c *m.ReqContext, cmd m.CreateTeamCommand) Respo
 }
 
 // PUT /api/teams/:teamId
-func (hs *HTTPServer) UpdateTeam(c *m.ReqContext, cmd m.UpdateTeamCommand) Response {
+func UpdateTeam(c *m.ReqContext, cmd m.UpdateTeamCommand) Response {
 	cmd.OrgId = c.OrgId
 	cmd.Id = c.ParamsInt64(":teamId")
 
 	if err := teams.CanUpdateTeam(cmd.OrgId, cmd.Id, c.SignedInUser); err != nil {
-		return Error(403, "User not allowed to update team", err)
+		return Error(403, "Not allowed to update team", err)
 	}
 
 	if err := bus.Dispatch(&cmd); err != nil {
@@ -58,11 +58,19 @@ func (hs *HTTPServer) UpdateTeam(c *m.ReqContext, cmd m.UpdateTeamCommand) Respo
 
 // DELETE /api/teams/:teamId
 func DeleteTeamByID(c *m.ReqContext) Response {
-	if err := bus.Dispatch(&m.DeleteTeamCommand{OrgId: c.OrgId, Id: c.ParamsInt64(":teamId")}); err != nil {
+	orgId := c.OrgId
+	teamId := c.ParamsInt64(":teamId")
+	user := c.SignedInUser
+
+	if err := teams.CanUpdateTeam(orgId, teamId, user); err != nil {
+		return Error(403, "Not allowed to delete team", err)
+	}
+
+	if err := bus.Dispatch(&m.DeleteTeamCommand{OrgId: orgId, Id: teamId}); err != nil {
 		if err == m.ErrTeamNotFound {
 			return Error(404, "Failed to delete Team. ID not found", nil)
 		}
-		return Error(500, "Failed to update Team", err)
+		return Error(500, "Failed to delete Team", err)
 	}
 	return Success("Team deleted")
 }
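Review bot: The new guard in DeleteTeamByID is `teams.CanUpdateTeam(orgId, teamId, user)`, so the authorization rule for a destructive, irreversible operation is whatever the update rule happens to be, and any future loosening of update permissions (say, letting ordinary team members rename a team) silently extends to delete. CanUpdateTeam's body is not in this diff, so I can only infer from its name that it admits org admins and presumably team admins; if that is the intended rule for delete as well, state it at the call site, e.g. `// delete is gated by the same rule as update (org admin, or team admin where editors may administer teams)`, and preferably add a `CanDeleteTeam` helper in the teams package that delegates today so the two rules can diverge without touching this handler. The check and the delete are also two separate bus dispatches, so membership can change between them; that is tolerable here but deserves a one-line comment rather than being implicit. The route group in api.go is still annotated `// team (admin permission required)`, which no longer describes these endpoints if non-admins can reach them, so that comment should be updated alongside this guard.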