Merge branch '54826-use-read_repository-scope-on-read-only-files-endpoints' into 'master'
Resolve "Use read_repository scope on read-only files endpoints". Closes #54826. See merge request gitlab-org/gitlab-ce!23534
commit
1c9b10016a
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: Use read_repository scope on read-only files API
|
||||
merge_request: 23534
|
||||
author:
|
||||
type: fixed
|
|
@ -4,6 +4,16 @@
|
|||
|
||||
**Create, read, update and delete repository files using this API**
|
||||
|
||||
The different scopes available using [personal access tokens](../user/profile/personal_access_tokens.md) are depicted
|
||||
in the following table.
|
||||
|
||||
| Scope | Description |
|
||||
| ----- | ----------- |
|
||||
| `read_repository` | Allows read-access to the repository files. |
|
||||
| `api` | Allows read-write access to the repository files. |
|
||||
|
||||
> `read_repository` scope was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23534) in GitLab 11.6.
|
||||
|
||||
## Get file from repository
|
||||
|
||||
Allows you to receive information about file in repository like name, size,
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
module API
|
||||
class Files < Grape::API
|
||||
include APIGuard
|
||||
|
||||
FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)
|
||||
|
||||
# Prevents returning plain/text responses for files with .txt extension
|
||||
|
@ -79,6 +81,8 @@ module API
|
|||
requires :id, type: String, desc: 'The project ID'
|
||||
end
|
||||
resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do
|
||||
allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }
|
||||
|
||||
desc 'Get raw file metadata from repository'
|
||||
params do
|
||||
requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'
|
||||
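Review bot: The `allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }` line at the top of the `resource :projects` block grants read-only tokens by HTTP verb alone, so any GET/HEAD route added to this resource later is opened to `read_repository` tokens implicitly; a comment stating that intent would stop the next contributor from adding a GET route with side effects under it. Suggested comment above the call: `# read_repository tokens may reach only the GET/HEAD routes in this resource; POST/PUT/DELETE still require the api scope.` The lambda also admits `request.head?` although no HEAD route is declared in the hunk, which is fine if Grape answers HEAD via the GET routes here but is worth confirming. The resource block continues past the hunk, so the write endpoints it guards are not visible on this page.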
|
|
|
@ -121,6 +121,13 @@ describe API::Files do
|
|||
end
|
||||
end
|
||||
|
||||
context 'when PATs are used' do
|
||||
it_behaves_like 'repository files' do
|
||||
let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
|
||||
let(:current_user) { { personal_access_token: token } }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when authenticated', 'as a developer' do
|
||||
it_behaves_like 'repository files' do
|
||||
let(:current_user) { user }
|
||||
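Review bot: The new `context 'when PATs are used'` exercises only the scope that is meant to succeed (`read_repository`); neither this hunk nor the identical one under `@ -217,6 +224,13 @@` shows a PAT lacking that scope being refused on these read endpoints, so a regression in the verb-based `if:` lambda in lib/api/files.rb would pass unnoticed. Add a sibling example in each context with a token of an unrelated scope, e.g. `let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }`, asserting the request is rejected (the exact status APIGuard returns for an insufficient scope should be confirmed against an existing spec). Both contexts also build the same `token` and `current_user` lets, which could live once at the describe level. The enclosing describe blocks start outside these hunks.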
|
@ -217,6 +224,13 @@ describe API::Files do
|
|||
end
|
||||
end
|
||||
|
||||
context 'when PATs are used' do
|
||||
it_behaves_like 'repository files' do
|
||||
let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
|
||||
let(:current_user) { { personal_access_token: token } }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when unauthenticated', 'and project is private' do
|
||||
it_behaves_like '404 response' do
|
||||
let(:request) { get api(route(file_path)), params }
|
||||
|
@ -317,6 +331,21 @@ describe API::Files do
|
|||
let(:request) { get api(route(file_path), guest), params }
|
||||
end
|
||||
end
|
||||
|
||||
context 'when PATs are used' do
|
||||
it 'returns file by commit sha' do
|
||||
token = create(:personal_access_token, scopes: ['read_repository'], user: user)
|
||||
|
||||
# This file is deleted on HEAD
|
||||
file_path = "files%2Fjs%2Fcommit%2Ejs%2Ecoffee"
|
||||
params[:ref] = "6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9"
|
||||
expect(Gitlab::Workhorse).to receive(:send_git_blob)
|
||||
|
||||
get api(route(file_path) + "/raw", personal_access_token: token), params
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe "POST /projects/:id/repository/files/:file_path" do
|
||||
|
@ -362,6 +391,24 @@ describe API::Files do
|
|||
expect(response).to have_gitlab_http_status(400)
|
||||
end
|
||||
|
||||
context 'with PATs' do
|
||||
it 'returns 403 with `read_repository` scope' do
|
||||
token = create(:personal_access_token, scopes: ['read_repository'], user: user)
|
||||
|
||||
post api(route(file_path), personal_access_token: token), params
|
||||
|
||||
expect(response).to have_gitlab_http_status(403)
|
||||
end
|
||||
|
||||
it 'returns 201 with `api` scope' do
|
||||
token = create(:personal_access_token, scopes: ['api'], user: user)
|
||||
|
||||
post api(route(file_path), personal_access_token: token), params
|
||||
|
||||
expect(response).to have_gitlab_http_status(201)
|
||||
end
|
||||
end
|
||||
|
||||
context "when specifying an author" do
|
||||
it "creates a new file with the specified author" do
|
||||
params.merge!(author_email: author_email, author_name: author_name)
|
||||
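Review bot: The `context 'with PATs'` pins the 403/201 split for POST only, while the `resource :projects` block in lib/api/files.rb gates PUT and DELETE with the same verb-based lambda; unless equivalent examples appear in hunks outside this page, those write paths have no test asserting that a `read_repository` token is refused. Duplicating the `returns 403 with read_repository scope` / `returns 201 with api scope` pair under the PUT and DELETE describe blocks (with the status each returns on success) would close that gap, or the pair can be extracted into a shared example parameterised on the verb. The enclosing describe starts outside the hunk.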
|
|