fix #976

README.md

@@ -5,7 +5,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](public/img/gogs-large-resize.png)
 
-##### Current version: 0.7.27 Beta
+##### Current version: 0.7.28 Beta
 
 <table>
     <tr>

cmd/web.go

@@ -197,14 +197,14 @@ func runWeb(ctx *cli.Context) {
 	m.Get("/^:type(issues|pulls)$", reqSignIn, user.Issues)
 
 	// ***** START: API *****
-	// FIXME: custom form error response.
+	// FIXME: custom form error response
 	m.Group("/api", func() {
 		m.Group("/v1", func() {
-			// Miscellaneous.
+			// Miscellaneous
 			m.Post("/markdown", bindIgnErr(apiv1.MarkdownForm{}), v1.Markdown)
 			m.Post("/markdown/raw", v1.MarkdownRaw)
 
-			// Users.
+			// Users
 			m.Group("/users", func() {
 				m.Get("/search", v1.SearchUsers)
 
@@ -218,7 +218,22 @@ func runWeb(ctx *cli.Context) {
 				})
 			})
 
-			// Repositories.
+			m.Group("/users", func() {
+				m.Group("/:username", func() {
+					m.Get("/keys", v1.ListUserPublicKeys)
+				})
+			}, middleware.ApiReqToken())
+
+			m.Group("/user", func() {
+				m.Group("/keys", func() {
+					m.Combo("").Get(v1.ListMyPublicKeys).
+						Post(bind(api.CreateKeyOption{}), v1.CreateUserPublicKey)
+					m.Combo("/:id").Get(v1.GetUserPublicKey).
+						Delete(v1.DeleteUserPublicKey)
+				})
+			}, middleware.ApiReqToken())
+
+			// Repositories
 			m.Combo("/user/repos", middleware.ApiReqToken()).Get(v1.ListMyRepos).
 				Post(bind(api.CreateRepoOption{}), v1.CreateRepo)
 			m.Post("/org/:org/repos", middleware.ApiReqToken(), bind(api.CreateRepoOption{}), v1.CreateOrgRepo)
@@ -241,7 +256,7 @@ func runWeb(ctx *cli.Context) {
 
 					m.Group("/keys", func() {
 						m.Combo("").Get(v1.ListRepoDeployKeys).
-							Post(bind(api.CreateDeployKeyOption{}), v1.CreateRepoDeployKey)
+							Post(bind(api.CreateKeyOption{}), v1.CreateRepoDeployKey)
 						m.Combo("/:id").Get(v1.GetRepoDeployKey).
 							Delete(v1.DeleteRepoDeploykey)
 					})

gogs.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.7.27.1202 Beta"
+const APP_VER = "0.7.28.1203 Beta"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())

models/error.go

@@ -188,6 +188,22 @@ func (err ErrKeyNameAlreadyUsed) Error() string {
 	return fmt.Sprintf("public key already exists [owner_id: %d, name: %s]", err.OwnerID, err.Name)
 }
 
+type ErrKeyAccessDenied struct {
+	UserID int64
+	KeyID  int64
+	Note   string
+}
+
+func IsErrKeyAccessDenied(err error) bool {
+	_, ok := err.(ErrKeyAccessDenied)
+	return ok
+}
+
+func (err ErrKeyAccessDenied) Error() string {
+	return fmt.Sprintf("user does not have access to the key [user_id: %d, key_id: %d, note: %s]",
+		err.UserID, err.KeyID, err.Note)
+}
+
 type ErrDeployKeyNotExist struct {
 	ID     int64
 	KeyID  int64

models/publickey.go

@@ -303,23 +303,23 @@ func addKey(e Engine, key *PublicKey) (err error) {
 }
 
 // AddPublicKey adds new public key to database and authorized_keys file.
-func AddPublicKey(ownerID int64, name, content string) (err error) {
+func AddPublicKey(ownerID int64, name, content string) (*PublicKey, error) {
-	if err = checkKeyContent(content); err != nil {
+	if err := checkKeyContent(content); err != nil {
-		return err
+		return nil, err
 	}
 
 	// Key name of same user cannot be duplicated.
 	has, err := x.Where("owner_id=? AND name=?", ownerID, name).Get(new(PublicKey))
 	if err != nil {
-		return err
+		return nil, err
 	} else if has {
-		return ErrKeyNameAlreadyUsed{ownerID, name}
+		return nil, ErrKeyNameAlreadyUsed{ownerID, name}
 	}
 
 	sess := x.NewSession()
 	defer sessionRelease(sess)
 	if err = sess.Begin(); err != nil {
-		return err
+		return nil, err
 	}
 
 	key := &PublicKey{
@@ -330,10 +330,10 @@ func AddPublicKey(ownerID int64, name, content string) (err error) {
 		Type:    KEY_TYPE_USER,
 	}
 	if err = addKey(sess, key); err != nil {
-		return fmt.Errorf("addKey: %v", err)
+		return nil, fmt.Errorf("addKey: %v", err)
 	}
 
-	return sess.Commit()
+	return key, sess.Commit()
 }
 
 // GetPublicKeyByID returns public key by given ID.
@@ -450,12 +450,18 @@ func deletePublicKey(e *xorm.Session, keyID int64) error {
 }
 
 // DeletePublicKey deletes SSH key information both in database and authorized_keys file.
-func DeletePublicKey(id int64) (err error) {
+func DeletePublicKey(doer *User, id int64) (err error) {
-	has, err := x.Id(id).Get(new(PublicKey))
+	key, err := GetPublicKeyByID(id)
 	if err != nil {
-		return err
+		if IsErrKeyNotExist(err) {
-	} else if !has {
+			return nil
-		return nil
+		}
+		return fmt.Errorf("GetPublicKeyByID: %v", err)
+	}
+
+	// Check if user has access to delete this key.
+	if doer.Id != key.OwnerID {
+		return ErrKeyAccessDenied{doer.Id, key.ID, "public"}
 	}
 
 	sess := x.NewSession()
@@ -656,13 +662,25 @@ func UpdateDeployKey(key *DeployKey) error {
 }
 
 // DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
-func DeleteDeployKey(id int64) error {
+func DeleteDeployKey(doer *User, id int64) error {
-	key := &DeployKey{ID: id}
+	key, err := GetDeployKeyByID(id)
-	has, err := x.Id(key.ID).Get(key)
 	if err != nil {
-		return err
+		if IsErrDeployKeyNotExist(err) {
-	} else if !has {
+			return nil
-		return nil
+		}
+		return fmt.Errorf("GetDeployKeyByID: %v", err)
+	}
+
+	// Check if user has access to delete this key.
+	repo, err := GetRepositoryByID(key.RepoID)
+	if err != nil {
+		return fmt.Errorf("GetRepositoryByID: %v", err)
+	}
+	yes, err := HasAccess(doer, repo, ACCESS_MODE_ADMIN)
+	if err != nil {
+		return fmt.Errorf("HasAccess: %v", err)
+	} else if !yes {
+		return ErrKeyAccessDenied{doer.Id, key.ID, "deploy"}
 	}
 
 	sess := x.NewSession()
@@ -676,7 +694,7 @@ func DeleteDeployKey(id int64) error {
 	}
 
 	// Check if this is the last reference to same key content.
-	has, err = sess.Where("key_id=?", key.KeyID).Get(new(DeployKey))
+	has, err := sess.Where("key_id=?", key.KeyID).Get(new(DeployKey))
 	if err != nil {
 		return err
 	} else if !has {

routers/api/v1/miscellaneous.go

@@ -10,7 +10,7 @@ import (
 	"github.com/gogits/gogs/modules/middleware"
 )
 
-// Render an arbitrary Markdown document.
+// https://github.com/gogits/go-gogs-client/wiki/Miscellaneous#render-an-arbitrary-markdown-document
 func Markdown(ctx *middleware.Context, form apiv1.MarkdownForm) {
 	if ctx.HasApiError() {
 		ctx.APIError(422, "", ctx.GetErrMsg())
@@ -30,7 +30,7 @@ func Markdown(ctx *middleware.Context, form apiv1.MarkdownForm) {
 	}
 }
 
-// Render a Markdown document in raw mode.
+// https://github.com/gogits/go-gogs-client/wiki/Miscellaneous#render-a-markdown-document-in-raw-mode
 func MarkdownRaw(ctx *middleware.Context) {
 	body, err := ctx.Req.Body().Bytes()
 	if err != nil {

routers/api/v1/repo.go

@@ -34,6 +34,7 @@ func ToApiRepository(owner *models.User, repo *models.Repository, permission api
 	}
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories#search-repositories
 func SearchRepos(ctx *middleware.Context) {
 	opt := models.SearchOption{
 		Keyword: path.Base(ctx.Query("q")),
@@ -184,6 +185,7 @@ func CreateOrgRepo(ctx *middleware.Context, opt api.CreateRepoOption) {
 	createRepo(ctx, org, opt)
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories#migrate
 func MigrateRepo(ctx *middleware.Context, form auth.MigrateRepoForm) {
 	ctxUser := ctx.User
 	// Not equal means context user is an organization,
@@ -279,6 +281,7 @@ func parseOwnerAndRepo(ctx *middleware.Context) (*models.User, *models.Repositor
 	return owner, repo
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories#get
 func GetRepo(ctx *middleware.Context) {
 	owner, repo := parseOwnerAndRepo(ctx)
 	if ctx.Written() {
@@ -288,6 +291,7 @@ func GetRepo(ctx *middleware.Context) {
 	ctx.JSON(200, ToApiRepository(owner, repo, api.Permission{true, true, true}))
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories#delete
 func DeleteRepo(ctx *middleware.Context) {
 	owner, repo := parseOwnerAndRepo(ctx)
 	if ctx.Written() {

routers/api/v1/repo_file.go

@@ -11,6 +11,7 @@ import (
 	"github.com/gogits/gogs/routers/repo"
 )
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Contents#download-raw-content
 func GetRepoRawFile(ctx *middleware.Context) {
 	if !ctx.Repo.HasAccess() {
 		ctx.Error(404)
@@ -31,6 +32,7 @@ func GetRepoRawFile(ctx *middleware.Context) {
 	}
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Contents#download-archive
 func GetRepoArchive(ctx *middleware.Context) {
 	repoPath := models.RepoPath(ctx.Params(":username"), ctx.Params(":reponame"))
 	gitRepo, err := git.OpenRepository(repoPath)

routers/api/v1/repo_keys.go

@@ -31,7 +31,7 @@ func composeDeployKeysAPILink(repoPath string) string {
 	return setting.AppUrl + "api/v1/repos/" + repoPath + "/keys/"
 }
 
-// https://github.com/gogits/go-gogs-client/wiki/Repositories---Deploy-Keys#list-deploy-keys
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Deploy-Keys#list-deploy-keys
 func ListRepoDeployKeys(ctx *middleware.Context) {
 	keys, err := models.ListDeployKeys(ctx.Repo.Repository.ID)
 	if err != nil {
@@ -52,7 +52,7 @@ func ListRepoDeployKeys(ctx *middleware.Context) {
 	ctx.JSON(200, &apiKeys)
 }
 
-// https://github.com/gogits/go-gogs-client/wiki/Repositories---Deploy-Keys#get-a-deploy-key
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Deploy-Keys#get-a-deploy-key
 func GetRepoDeployKey(ctx *middleware.Context) {
 	key, err := models.GetDeployKeyByID(ctx.ParamsInt64(":id"))
 	if err != nil {
@@ -73,29 +73,36 @@ func GetRepoDeployKey(ctx *middleware.Context) {
 	ctx.JSON(200, ToApiDeployKey(apiLink, key))
 }
 
-// https://github.com/gogits/go-gogs-client/wiki/Repositories---Deploy-Keys#add-a-new-deploy-key
+func handleCheckKeyStringError(ctx *middleware.Context, err error) {
-func CreateRepoDeployKey(ctx *middleware.Context, form api.CreateDeployKeyOption) {
+	if models.IsErrKeyUnableVerify(err) {
+		ctx.APIError(422, "", "Unable to verify key content")
+	} else {
+		ctx.APIError(422, "", fmt.Errorf("Invalid key content: %v", err))
+	}
+}
+
+func handleAddKeyError(ctx *middleware.Context, err error) {
+	switch {
+	case models.IsErrKeyAlreadyExist(err):
+		ctx.APIError(422, "", "Key content has been used as non-deploy key")
+	case models.IsErrKeyNameAlreadyUsed(err):
+		ctx.APIError(422, "", "Key title has been used")
+	default:
+		ctx.APIError(500, "AddKey", err)
+	}
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Deploy-Keys#add-a-new-deploy-key
+func CreateRepoDeployKey(ctx *middleware.Context, form api.CreateKeyOption) {
 	content, err := models.CheckPublicKeyString(form.Key)
 	if err != nil {
-		if models.IsErrKeyUnableVerify(err) {
+		handleCheckKeyStringError(ctx, err)
-			ctx.APIError(422, "", "Unable to verify key content")
-		} else {
-			ctx.APIError(422, "", fmt.Errorf("Invalid key content: %v", err))
-		}
 		return
 	}
 
 	key, err := models.AddDeployKey(ctx.Repo.Repository.ID, form.Title, content)
 	if err != nil {
-		ctx.Data["HasError"] = true
+		handleAddKeyError(ctx, err)
-		switch {
-		case models.IsErrKeyAlreadyExist(err):
-			ctx.APIError(422, "", "Key content has been used as non-deploy key")
-		case models.IsErrKeyNameAlreadyUsed(err):
-			ctx.APIError(422, "", "Key title has been used")
-		default:
-			ctx.APIError(500, "AddDeployKey", err)
-		}
 		return
 	}
 
@@ -104,10 +111,14 @@ func CreateRepoDeployKey(ctx *middleware.Context, form api.CreateDeployKeyOption
 	ctx.JSON(201, ToApiDeployKey(apiLink, key))
 }
 
-// https://github.com/gogits/go-gogs-client/wiki/Repositories---Deploy-Keys#remove-a-deploy-key
+// https://github.com/gogits/go-gogs-client/wiki/Repositories-Deploy-Keys#remove-a-deploy-key
 func DeleteRepoDeploykey(ctx *middleware.Context) {
-	if err := models.DeleteDeployKey(ctx.ParamsInt64(":id")); err != nil {
+	if err := models.DeleteDeployKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
-		ctx.APIError(500, "DeleteDeployKey", err)
+		if models.IsErrKeyAccessDenied(err) {
+			ctx.APIError(403, "", "You do not have access to this key")
+		} else {
+			ctx.APIError(500, "DeleteDeployKey", err)
+		}
 		return
 	}
 

routers/api/v1/user.go

@@ -24,6 +24,7 @@ func ToApiUser(u *models.User) *api.User {
 	}
 }
 
+// https://github.com/gogits/go-gogs-client/wiki/Users#search-users
 func SearchUsers(ctx *middleware.Context) {
 	opt := models.SearchOption{
 		Keyword: ctx.Query("q"),
@@ -61,7 +62,7 @@ func SearchUsers(ctx *middleware.Context) {
 	})
 }
 
-// GET /users/:username
+// https://github.com/gogits/go-gogs-client/wiki/Users#get-a-single-user
 func GetUserInfo(ctx *middleware.Context) {
 	u, err := models.GetUserByName(ctx.Params(":username"))
 	if err != nil {

routers/api/v1/user_app.go

@@ -11,7 +11,7 @@ import (
 	"github.com/gogits/gogs/modules/middleware"
 )
 
-// GET /users/:username/tokens
+// https://github.com/gogits/go-gogs-client/wiki/Users#list-access-tokens-for-a-user
 func ListAccessTokens(ctx *middleware.Context) {
 	tokens, err := models.ListAccessTokens(ctx.User.Id)
 	if err != nil {
@@ -30,7 +30,7 @@ type CreateAccessTokenForm struct {
 	Name string `json:"name" binding:"Required"`
 }
 
-// POST /users/:username/tokens
+// https://github.com/gogits/go-gogs-client/wiki/Users#create-a-access-token
 func CreateAccessToken(ctx *middleware.Context, form CreateAccessTokenForm) {
 	t := &models.AccessToken{
 		UID:  ctx.User.Id,

routers/api/v1/user_keys.go

@@ -0,0 +1,111 @@
+// Copyright 2015 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package v1
+
+import (
+	"github.com/Unknwon/com"
+
+	api "github.com/gogits/go-gogs-client"
+
+	"github.com/gogits/gogs/models"
+	"github.com/gogits/gogs/modules/middleware"
+	"github.com/gogits/gogs/modules/setting"
+)
+
+func ToApiPublicKey(apiLink string, key *models.PublicKey) *api.PublicKey {
+	return &api.PublicKey{
+		ID:      key.ID,
+		Key:     key.Content,
+		URL:     apiLink + com.ToStr(key.ID),
+		Title:   key.Name,
+		Created: key.Created,
+	}
+}
+
+func composePublicKeysAPILink() string {
+	return setting.AppUrl + "api/v1/user/keys/"
+}
+
+func listUserPublicKeys(ctx *middleware.Context, uid int64) {
+	keys, err := models.ListPublicKeys(uid)
+	if err != nil {
+		ctx.APIError(500, "ListPublicKeys", err)
+		return
+	}
+
+	apiLink := composePublicKeysAPILink()
+	apiKeys := make([]*api.PublicKey, len(keys))
+	for i := range keys {
+		apiKeys[i] = ToApiPublicKey(apiLink, keys[i])
+	}
+
+	ctx.JSON(200, &apiKeys)
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Users-Public-Keys#list-public-keys-for-a-user
+func ListUserPublicKeys(ctx *middleware.Context) {
+	user, err := models.GetUserByName(ctx.Params(":username"))
+	if err != nil {
+		if models.IsErrUserNotExist(err) {
+			ctx.Error(404)
+		} else {
+			ctx.APIError(500, "GetUserByName", err)
+		}
+		return
+	}
+	listUserPublicKeys(ctx, user.Id)
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Users-Public-Keys#list-your-public-keys
+func ListMyPublicKeys(ctx *middleware.Context) {
+	listUserPublicKeys(ctx, ctx.User.Id)
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Users-Public-Keys#get-a-single-public-key
+func GetUserPublicKey(ctx *middleware.Context) {
+	key, err := models.GetPublicKeyByID(ctx.ParamsInt64(":id"))
+	if err != nil {
+		if models.IsErrKeyNotExist(err) {
+			ctx.Error(404)
+		} else {
+			ctx.Handle(500, "GetPublicKeyByID", err)
+		}
+		return
+	}
+
+	apiLink := composePublicKeysAPILink()
+	ctx.JSON(200, ToApiPublicKey(apiLink, key))
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Users-Public-Keys#create-a-public-key
+func CreateUserPublicKey(ctx *middleware.Context, form api.CreateKeyOption) {
+	content, err := models.CheckPublicKeyString(form.Key)
+	if err != nil {
+		handleCheckKeyStringError(ctx, err)
+		return
+	}
+
+	key, err := models.AddPublicKey(ctx.User.Id, form.Title, content)
+	if err != nil {
+		handleAddKeyError(ctx, err)
+		return
+	}
+	apiLink := composePublicKeysAPILink()
+	ctx.JSON(201, ToApiPublicKey(apiLink, key))
+}
+
+// https://github.com/gogits/go-gogs-client/wiki/Users-Public-Keys#delete-a-public-key
+func DeleteUserPublicKey(ctx *middleware.Context) {
+	if err := models.DeletePublicKey(ctx.User, ctx.ParamsInt64(":id")); err != nil {
+		if models.IsErrKeyAccessDenied(err) {
+			ctx.APIError(403, "", "You do not have access to this key")
+		} else {
+			ctx.APIError(500, "DeletePublicKey", err)
+		}
+		return
+	}
+
+	ctx.Status(204)
+}

routers/repo/setting.go

@@ -717,7 +717,7 @@ func DeployKeysPost(ctx *middleware.Context, form auth.AddSSHKeyForm) {
 }
 
 func DeleteDeployKey(ctx *middleware.Context) {
-	if err := models.DeleteDeployKey(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteDeployKey(ctx.User, ctx.QueryInt64("id")); err != nil {
 		ctx.Flash.Error("DeleteDeployKey: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("repo.settings.deploy_key_deletion_success"))

routers/user/setting.go

@@ -295,7 +295,7 @@ func SettingsSSHKeysPost(ctx *middleware.Context, form auth.AddSSHKeyForm) {
 		}
 	}
 
-	if err = models.AddPublicKey(ctx.User.Id, form.Title, content); err != nil {
+	if _, err = models.AddPublicKey(ctx.User.Id, form.Title, content); err != nil {
 		ctx.Data["HasError"] = true
 		switch {
 		case models.IsErrKeyAlreadyExist(err):
@@ -315,7 +315,7 @@ func SettingsSSHKeysPost(ctx *middleware.Context, form auth.AddSSHKeyForm) {
 }
 
 func DeleteSSHKey(ctx *middleware.Context) {
-	if err := models.DeletePublicKey(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeletePublicKey(ctx.User, ctx.QueryInt64("id")); err != nil {
 		ctx.Flash.Error("DeletePublicKey: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("settings.ssh_key_deletion_success"))

templates/.VERSION

@@ -1 +1 @@
-0.7.27.1202 Beta
+0.7.28.1203 Beta