Merge branch 'main' into f/email_templates

vocdoni · Nov 20, 2024 · 41efdd2 · 41efdd2
2 parents 9ba7026 + d3130eb
commit 41efdd2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/api/api.go b/api/api.go
@@ -144,6 +144,9 @@ func (a *API) initRouter() http.Handler {
 		// update the organization
 		log.Infow("new route", "method", "PUT", "path", organizationEndpoint)
 		r.Put(organizationEndpoint, a.updateOrganizationHandler)
+		// get organization members
+		log.Infow("new route", "method", "GET", "path", organizationMembersEndpoint)
+		r.Get(organizationMembersEndpoint, a.organizationMembersHandler)
 		// get organization subscription
 		log.Infow("new route", "method", "GET", "path", organizationSubscriptionEndpoint)
 		r.Get(organizationSubscriptionEndpoint, a.getOrganizationSubscriptionHandler)
@@ -186,9 +189,6 @@ func (a *API) initRouter() http.Handler {
 		// get organization information
 		log.Infow("new route", "method", "GET", "path", organizationEndpoint)
 		r.Get(organizationEndpoint, a.organizationInfoHandler)
-		// get organization members
-		log.Infow("new route", "method", "GET", "path", organizationMembersEndpoint)
-		r.Get(organizationMembersEndpoint, a.organizationMembersHandler)
 		// accept organization invitation
 		log.Infow("new route", "method", "POST", "path", organizationAcceptMemberEndpoint)
 		r.Post(organizationAcceptMemberEndpoint, a.acceptOrganizationMemberInvitationHandler)

diff --git a/api/organizations.go b/api/organizations.go
@@ -123,12 +123,22 @@ func (a *API) organizationInfoHandler(w http.ResponseWriter, r *http.Request) {
 // organization. It returns the list of members with their role in the
 // organization with the address provided in the request.
 func (a *API) organizationMembersHandler(w http.ResponseWriter, r *http.Request) {
+	// get the user from the request context
+	user, ok := userFromContext(r.Context())
+	if !ok {
+		ErrUnauthorized.Write(w)
+		return
+	}
 	// get the organization info from the request context
 	org, _, ok := a.organizationFromRequest(r)
 	if !ok {
 		ErrNoOrganizationProvided.Write(w)
 		return
 	}
+	if !user.HasRoleFor(org.Address, db.AdminRole) {
+		ErrUnauthorized.Withf("user is not admin of organization").Write(w)
+		return
+	}
 	// send the organization back to the user
 	members, err := a.db.OrganizationsMembers(org.Address)
 	if err != nil {