gitlab-org--gitlab-foss/lib/api/helpers.rb

module API
  module APIHelpers
    PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN"
    PRIVATE_TOKEN_PARAM = :private_token
    SUDO_HEADER ="HTTP_SUDO"
    SUDO_PARAM = :sudo

    def current_user
      @current_user ||= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER])
      identifier = sudo_identifier()
      # If the sudo is the current user do nothing
      if (identifier && !(@current_user.id == identifier || @current_user.username == identifier))
        render_api_error!('403 Forbidden: Must be admin to use sudo', 403) unless @current_user.is_admin?
        @current_user = User.by_username_or_id(identifier)
        not_found!("No user id or username for: #{identifier}") if @current_user.nil?
      end
      @current_user
    end

    def sudo_identifier()
      identifier ||= params[SUDO_PARAM] ||= env[SUDO_HEADER]
      # Regex for integers
      if (!!(identifier =~ /^[0-9]+$/))
        identifier.to_i
      else
        identifier
      end
    end

    def set_current_user_for_thread
      Thread.current[:current_user] = current_user
      begin
        yield
      ensure
        Thread.current[:current_user] = nil
      end
    end

    def user_project
      @project ||= find_project(params[:id])
      @project || not_found!
    end

    def find_project(id)
      project = Project.find_by_id(id) || Project.find_with_namespace(id)

      if project && can?(current_user, :read_project, project)
        project
      else
        nil
      end
    end

    def paginate(object)
      object.page(params[:page]).per(params[:per_page].to_i)
    end

    def authenticate!
      unauthorized! unless current_user
    end

    def authenticated_as_admin!
      forbidden! unless current_user.is_admin?
    end

    def authorize! action, subject
      unless abilities.allowed?(current_user, action, subject)
        forbidden!
      end
    end

    def authorize_admin_project
      authorize! :admin_project, user_project
    end

    def can?(object, action, subject)
      abilities.allowed?(object, action, subject)
    end

    # Checks the occurrences of required attributes, each attribute must be present in the params hash
    # or a Bad Request error is invoked.
    #
    # Parameters:
    #   keys (required) - A hash consisting of keys that must be present
    def required_attributes!(keys)
      keys.each do |key|
        bad_request!(key) unless params[key].present?
      end
    end

    def attributes_for_keys(keys)
      attrs = {}
      keys.each do |key|
        attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
      end
      attrs
    end

    # error helpers

    def forbidden!
      render_api_error!('403 Forbidden', 403)
    end

    def bad_request!(attribute)
      message = ["400 (Bad request)"]
      message << "\"" + attribute.to_s + "\" not given"
      render_api_error!(message.join(' '), 400)
    end

    def not_found!(resource = nil)
      message = ["404"]
      message << resource if resource
      message << "Not Found"
      render_api_error!(message.join(' '), 404)
    end

    def unauthorized!
      render_api_error!('401 Unauthorized', 401)
    end

    def not_allowed!
      render_api_error!('Method Not Allowed', 405)
    end

    def render_api_error!(message, status)
      error!({'message' => message}, status)
    end

    private

    def abilities
      @abilities ||= begin
                       abilities = Six.new
                       abilities << Ability
                       abilities
                     end
    end
  end
end
Refactor API classes. So api classes like Gitlab::Issues become API::Issues 2013-05-14 08:33:31 -04:00			`module API`
add users API 2012-06-27 07:32:56 -04:00			`module APIHelpers`
API: admin users can sudo commands as other users -Specifying a header of SUDO or adding a :sudo with either user id, or username of the user will set the current_user to be that user if your identifying private_token/PRIVATE_TOKEN is an administrator token 2013-03-28 14:37:44 -04:00			`PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN"`
			`PRIVATE_TOKEN_PARAM = :private_token`
			`SUDO_HEADER ="HTTP_SUDO"`
			`SUDO_PARAM = :sudo`

add users API 2012-06-27 07:32:56 -04:00			`def current_user`
API: admin users can sudo commands as other users -Specifying a header of SUDO or adding a :sudo with either user id, or username of the user will set the current_user to be that user if your identifying private_token/PRIVATE_TOKEN is an administrator token 2013-03-28 14:37:44 -04:00			`@current_user \|\|= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] \|\| env[PRIVATE_TOKEN_HEADER])`
			`identifier = sudo_identifier()`
			`# If the sudo is the current user do nothing`
			`if (identifier && !(@current_user.id == identifier \|\| @current_user.username == identifier))`
			`render_api_error!('403 Forbidden: Must be admin to use sudo', 403) unless @current_user.is_admin?`
refactor by_username_or_id 2013-10-16 13:31:46 -04:00			`@current_user = User.by_username_or_id(identifier)`
fix variable name 2013-10-16 13:28:39 -04:00			`not_found!("No user id or username for: #{identifier}") if @current_user.nil?`
API: admin users can sudo commands as other users -Specifying a header of SUDO or adding a :sudo with either user id, or username of the user will set the current_user to be that user if your identifying private_token/PRIVATE_TOKEN is an administrator token 2013-03-28 14:37:44 -04:00			`end`
			`@current_user`
			`end`

			`def sudo_identifier()`
Some of the requested updates, rebase on master Change-Id: I305266fe9acbbb5136adeeb52e7e4e1d6629a30a 2013-06-28 08:59:05 -04:00			`identifier \|\|= params[SUDO_PARAM] \|\|= env[SUDO_HEADER]`
			`# Regex for integers`
API: admin users can sudo commands as other users -Specifying a header of SUDO or adding a :sudo with either user id, or username of the user will set the current_user to be that user if your identifying private_token/PRIVATE_TOKEN is an administrator token 2013-03-28 14:37:44 -04:00			`if (!!(identifier =~ /^[0-9]+$/))`
			`identifier.to_i`
			`else`
			`identifier`
			`end`
add users API 2012-06-27 07:32:56 -04:00			`end`

Fixing unsafe use of Thread.current variable :current_user 2013-10-04 15:11:50 -04:00			`def set_current_user_for_thread`
			`Thread.current[:current_user] = current_user`
			`begin`
			`yield`
			`ensure`
			`Thread.current[:current_user] = nil`
			`end`
			`end`

refactor projects API 2012-07-06 09:08:17 -04:00			`def user_project`
Additon of apis for fork administration. Added ability to add and remove the forked from/to relatioinship between existing repos. 2013-06-27 17:49:26 -04:00			`@project \|\|= find_project(params[:id])`
Fix namespace api autocomplete 2012-12-12 05:54:28 -05:00			`@project \|\| not_found!`
			`end`

Additon of apis for fork administration. Added ability to add and remove the forked from/to relatioinship between existing repos. 2013-06-27 17:49:26 -04:00			`def find_project(id)`
			`project = Project.find_by_id(id) \|\| Project.find_with_namespace(id)`
Fix namespace api autocomplete 2012-12-12 05:54:28 -05:00
			`if project && can?(current_user, :read_project, project)`
			`project`
return 404 if project not found 2012-07-25 08:24:28 -04:00			`else`
Fix namespace api autocomplete 2012-12-12 05:54:28 -05:00			`nil`
return 404 if project not found 2012-07-25 08:24:28 -04:00			`end`
refactor projects API 2012-07-06 09:08:17 -04:00			`end`

add pagination to API 2012-09-03 07:46:29 -04:00			`def paginate(object)`
			`object.page(params[:page]).per(params[:per_page].to_i)`
			`end`

add users API 2012-06-27 07:32:56 -04:00			`def authenticate!`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`unauthorized! unless current_user`
add users API 2012-06-27 07:32:56 -04:00			`end`
Auth for API 2012-09-10 02:06:11 -04:00
#1585 Api for user creation: base implementation 2012-10-02 05:46:01 -04:00			`def authenticated_as_admin!`
			`forbidden! unless current_user.is_admin?`
			`end`

Auth for API 2012-09-10 02:06:11 -04:00			`def authorize! action, subject`
			`unless abilities.allowed?(current_user, action, subject)`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`forbidden!`
Auth for API 2012-09-10 02:06:11 -04:00			`end`
			`end`

Respect authorization in Repository API * dont allow protect/unprotect branches for users without master permissions * dont allow access to Repository api for guests 2013-09-29 09:04:57 -04:00			`def authorize_admin_project`
			`authorize! :admin_project, user_project`
			`end`

Fix namespace api autocomplete 2012-12-12 05:54:28 -05:00			`def can?(object, action, subject)`
			`abilities.allowed?(object, action, subject)`
			`end`

API: extracted helper method to validate required parameters, code clean up Added a helper method to check if required parameters are given in an API call. Can be used to return a `400 Bad Request` return code if a required attribute is missing. Code clean up and fixed tests. 2013-02-27 11:50:30 -05:00			`# Checks the occurrences of required attributes, each attribute must be present in the params hash`
			`# or a Bad Request error is invoked.`
			`#`
			`# Parameters:`
			`# keys (required) - A hash consisting of keys that must be present`
			`def required_attributes!(keys)`
			`keys.each do \|key\|`
			`bad_request!(key) unless params[key].present?`
			`end`
			`end`

Method name changed 2012-09-16 13:08:57 -04:00			`def attributes_for_keys(keys)`
API attributes refactored 2012-09-16 12:51:04 -04:00			`attrs = {}`
			`keys.each do \|key\|`
Extended User API to expose admin and can_create_group for user creation/updating. Also, is_admin and can_create_group are exposed in the user information. Fixed attributes_for_keys to process properly keys with boolean values (since false.present? is false). 2013-07-31 06:52:23 -04:00			`attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)`
API attributes refactored 2012-09-16 12:51:04 -04:00			`end`
			`attrs`
			`end`

Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`# error helpers`

			`def forbidden!`
Common errors method added 2012-09-10 06:49:00 -04:00			`render_api_error!('403 Forbidden', 403)`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`end`

API: extracted helper method to provide 400 bad request error with description Extracted a method for 400 error (Bad request) and adjusted code accordingly. The name of the missing attribute is used to show which one was missing from the request. It is used to give an appropriate message in the json response. 2013-02-13 09:48:52 -05:00			`def bad_request!(attribute)`
			`message = ["400 (Bad request)"]`
			`message << "\"" + attribute.to_s + "\" not given"`
			`render_api_error!(message.join(' '), 400)`
			`end`

Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`def not_found!(resource = nil)`
			`message = ["404"]`
			`message << resource if resource`
			`message << "Not Found"`
Common errors method added 2012-09-10 06:49:00 -04:00			`render_api_error!(message.join(' '), 404)`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`end`

			`def unauthorized!`
Common errors method added 2012-09-10 06:49:00 -04:00			`render_api_error!('401 Unauthorized', 401)`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`end`

			`def not_allowed!`
Common errors method added 2012-09-10 06:49:00 -04:00			`render_api_error!('Method Not Allowed', 405)`
			`end`

			`def render_api_error!(message, status)`
			`error!({'message' => message}, status)`
Error throwing moved to api_helper 2012-09-10 03:41:46 -04:00			`end`

APi for commits. Better api docs 2012-09-21 06:22:30 -04:00			`private`
Auth for API 2012-09-10 02:06:11 -04:00
			`def abilities`
			`@abilities \|\|= begin`
Some of the requested updates, rebase on master Change-Id: I305266fe9acbbb5136adeeb52e7e4e1d6629a30a 2013-06-28 08:59:05 -04:00			`abilities = Six.new`
			`abilities << Ability`
			`abilities`
			`end`
Auth for API 2012-09-10 02:06:11 -04:00			`end`
add users API 2012-06-27 07:32:56 -04:00			`end`
			`end`