fix: Use membership endpoint to ensure user exists in team (#3129)

This was using the incorrect GitHub endpoint prior, which fetched a team
by slug. Any user in a GitHub organization can view all teams, so this
didn't block signups like intended.

I've verified this API returns an error when the calling user is not a
member of the team requested.

Fixes #3105.
Kyle Carberry
2022-07-22 13:54:08 -05:00
committed by GitHub
parent 471564df7d
commit fd4954b4e5
3 changed files with 22 additions and 16 deletions


@ -796,8 +796,8 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al
})
return memberships, err
},
Team: func(ctx context.Context, client *http.Client, org, teamSlug string) (*github.Team, error) {
team, _, err := github.NewClient(client).Teams.GetTeamBySlug(ctx, org, teamSlug)
TeamMembership: func(ctx context.Context, client *http.Client, org, teamSlug, username string) (*github.Membership, error) {
team, _, err := github.NewClient(client).Teams.GetTeamMembershipBySlug(ctx, org, teamSlug, username)
return team, err
},
}, nil
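Review bot: The new `TeamMembership` closure returns the result of `GetTeamMembershipBySlug` without inspecting the membership state. GitHub reports a user who has been invited to a team but has not yet accepted as a membership with state `pending`, not as an error. The caller is outside this hunk, so if it treats any non-error result as proof of membership, a pending invitee would pass the signup gate. Either reject that case here, e.g. `if err == nil && membership.GetState() != "active" { /* return an error */ }`, or confirm the caller compares the state. The local is also still named `team` although it now holds a `*github.Membership`, so renaming it to `membership` would keep the allow-list logic readable. `configureGithubOAuth2` begins and ends outside the hunk.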