Teams search in API does not return team unless user is a direct member #22101

Open
FlyveHest opened this issue Dec 11, 2022 · 3 comments
Labels
topic/api Concerns mainly the API type/bug

Comments

@FlyveHest

Description

An organisation I created has a team called php-packages

The team is listed on a call to teams endpoint: <APIURL>/orgs/<ORGNAME>/teams

But when I am calling this endpoint: <APIURL>/orgs/<ORGNAME>/teams/search?q=php

I get no results, unless I am an explicit member of the team.

The users token querying the API is for the user owning the organisation.

Also, I am sure this endpoint has behaved differently in the past, as the script that now fails has worked prior. (It's been a while since I last used it, so I unfortunately do not know what version of Gitea this was.)

Gitea Version

1.17.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

N/A

Operating System

Docker on Ubuntu

How are you running Gitea?

Official docker image

Database

None

@henrygoodman

Bump, even a user with admin access in org and an API token with full read/write access cannot query members of a team without being in the team itself. (Using endpoint teams/{id}/members in v1.20.0)

We have a use case where we programmatically assign reviewers by querying members of a Review team using our service/bot account to perform API queries. But we can't do this unless we add the bot account to the Review team too.

@lng2020
Member

lng2020 commented Nov 28, 2023

I checked the code: now <APIURL>/orgs/<ORGNAME>/teams and <APIURL>/orgs/<ORGNAME>/teams/search?q=php are using the same permission. So I think this issue can be closed.

gitea/routers/api/v1/api.go

Lines 1410 to 1414 in 4d7c063

m.Group("/teams", func() {
	m.Get("", org.ListTeams)
	m.Post("", reqOrgOwnership(), bind(api.CreateTeamOption{}), org.CreateTeam)
	m.Get("/search", org.SearchTeam)
}, reqToken(), reqOrgMembership())

As @henrygoodman

even a user with admin access in org and an API token with full read/write access cannot query members of a team without being in the team itself. (Using endpoint teams/{id}/members in v1.20.0)

According to the code, only site admin, org owner, and members of the team are considered a member. Not sure if this is the right behavior but as a workaround you can add this bot to Owner.

gitea/routers/api/v1/api.go

Lines 458 to 492 in 4d7c063

func reqTeamMembership() func(ctx *context.APIContext) {
	return func(ctx *context.APIContext) {
		if ctx.IsUserSiteAdmin() {
			return
		}
		if ctx.Org.Team == nil {
			ctx.Error(http.StatusInternalServerError, "", "reqTeamMembership: unprepared context")
			return
		}

		orgID := ctx.Org.Team.OrgID
		isOwner, err := organization.IsOrganizationOwner(ctx, orgID, ctx.Doer.ID)
		if err != nil {
			ctx.Error(http.StatusInternalServerError, "IsOrganizationOwner", err)
			return
		} else if isOwner {
			return
		}

		if isTeamMember, err := organization.IsTeamMember(ctx, orgID, ctx.Org.Team.ID, ctx.Doer.ID); err != nil {
			ctx.Error(http.StatusInternalServerError, "IsTeamMember", err)
			return
		} else if !isTeamMember {
			isOrgMember, err := organization.IsOrganizationMember(ctx, orgID, ctx.Doer.ID)
			if err != nil {
				ctx.Error(http.StatusInternalServerError, "IsOrganizationMember", err)
			} else if isOrgMember {
				ctx.Error(http.StatusForbidden, "", "Must be a team member")
			} else {
				ctx.NotFound()
			}
			return
		}
	}
}
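To make the decision order of that middleware explicit (and why a bot in a non-Owners team gets 403 while an outsider gets 404, so team existence is not confirmed to non-members), here is a small Go model of the same checks as a pure function. It is an added example, not Gitea's code; the Principal struct and its field names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// Principal holds the facts reqTeamMembership looks up about the caller.
// Constructed for this example; these are not Gitea's types.
type Principal struct {
	Name       string
	SiteAdmin  bool
	OrgOwner   bool // member of the org's Owners team
	TeamMember bool // direct member of the team being queried
	OrgMember  bool // member of at least one team in the org
}

// TeamAccessStatus mirrors the order of checks in reqTeamMembership:
// site admin, then org owner, then direct team member are allowed;
// any other org member is refused with 403; everyone else gets 404.
// The permission level of a team the caller belongs to is never consulted,
// which is why an "admin"-permission team is not equivalent to Owners.
func TeamAccessStatus(p Principal) int {
	if p.SiteAdmin || p.OrgOwner || p.TeamMember {
		return http.StatusOK
	}
	if p.OrgMember {
		return http.StatusForbidden // "Must be a team member"
	}
	return http.StatusNotFound // team existence stays hidden
}

func main() {
	// Constructed sample principals covering every branch.
	cases := []Principal{
		{Name: "site-admin", SiteAdmin: true},
		{Name: "org-owner", OrgOwner: true, OrgMember: true},
		{Name: "review-team-member", TeamMember: true, OrgMember: true},
		{Name: "bot-in-admin-perm-team", OrgMember: true},
		{Name: "outsider"},
	}
	for _, c := range cases {
		fmt.Printf("%-24s -> %d\n", c.Name, TeamAccessStatus(c))
	}
}
```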

@henrygoodman

henrygoodman commented Nov 28, 2023

Thanks, adding the bot to Owners team is currently what we are doing now.

I originally thought creating a new team with the exact same site permissions as Owner (i.e. all admin perms) would still allow it to work in the same manner; however, it seems the Owner team is special in this regard, more so than just the permissions it grants. Would have been a nice approach as I could differentiate human owners/admins from service accounts.

@silverwind silverwind added the topic/api Concerns mainly the API label Mar 3, 2024
4 participants