return 400 on users search and feature is disabled

as the params block is evaluated when loading the class and the db connection is not available yet we can't use the feature toggle inside that block.
2019-01-17 19:27:20 +01:00 · 2019-01-17 19:27:20 +01:00 · b0981097c3
parent 6385c7229c
commit b0981097c3
3 changed files with 55 additions and 13 deletions
--- a/lib/api/search.rb
+++ b/lib/api/search.rb
@ -53,15 +53,14 @@ module API
        # EE, without having to modify this file directly.
      end

-      params :scope do |options|
-        scope_entities =
-          if Feature.enabled?(:users_search, default_enabled: true)
-            SCOPE_ENTITY
-          else
-            SCOPE_ENTITY.reject { |key, value| key == :users }
-          end
+      def check_users_search_allowed!
+        if Feature.disabled?(:users_search, default_enabled: true) && params[:scope].to_sym == :users
+          render_api_error!({ error: _("Scope not supported with disabled 'users_search' feature!") }, 400)
+        end
+      end

-        values = scope_entities.stringify_keys.slice(*options[:values]).keys
+      params :scope do |options|
+        values = SCOPE_ENTITY.stringify_keys.slice(*options[:values]).keys

        requires :scope,
          type: String,
@ -81,6 +80,7 @@ module API
      end
      get do
        verify_search_scope!
+        check_users_search_allowed!

        present search, with: entity
      end
@ -98,6 +98,7 @@ module API
      end
      get ':id/(-/)search' do
        verify_search_scope!
+        check_users_search_allowed!

        present search(group_id: user_group.id), with: entity
      end
@ -114,6 +115,8 @@ module API
        use :pagination
      end
      get ':id/(-/)search' do
+        check_users_search_allowed!
+
        present search(project_id: user_project.id), with: entity
      end
    end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -6632,6 +6632,9 @@ msgstr ""
 msgid "Scope"
 msgstr ""

+msgid "Scope not supported with disabled 'users_search' feature!"
+msgstr ""
+
 msgid "Scroll down to <strong>Google Code Project Hosting</strong> and enable the switch on the right."
 msgstr ""

--- a/spec/requests/api/search_spec.rb
+++ b/spec/requests/api/search_spec.rb
@ -81,10 +81,22 @@ describe API::Search do
        before do
          create(:user, name: 'billy')

-          get api('/search', user), scope: 'users', search: 'billy'
+          get api('/search', user), params: { scope: 'users', search: 'billy' }
        end

        it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api('/search', user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
      end

      context 'for snippet_titles scope' do
@ -203,15 +215,27 @@ describe API::Search do
        it_behaves_like 'response is correct', schema: 'public_api/v4/milestones'
      end

-      context 'for user scope' do
+      context 'for users scope' do
        before do
          user = create(:user, name: 'billy')
          create(:group_member, :developer, user: user, group: group)

-          get api("/groups/#{group.id}/search", user), scope: 'users', search: 'billy'
+          get api("/groups/#{group.id}/search", user), params: { scope: 'users', search: 'billy' }
        end

        it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api("/groups/#{group.id}/search", user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
      end

      context 'for users scope with group path as id' do
@ -219,7 +243,7 @@ describe API::Search do
          user1 = create(:user, name: 'billy')
          create(:group_member, :developer, user: user1, group: group)

-          get api("/groups/#{CGI.escape(group.full_path)}/search", user), scope: 'users', search: 'billy'
+          get api("/groups/#{CGI.escape(group.full_path)}/search", user), params: { scope: 'users', search: 'billy' }
        end

        it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
@ -306,10 +330,22 @@ describe API::Search do
          user1 = create(:user, name: 'billy')
          create(:project_member, :developer, user: user1, project: project)

-          get api("/projects/#{project.id}/search", user), scope: 'users', search: 'billy'
+          get api("/projects/#{project.id}/search", user), params: { scope: 'users', search: 'billy' }
        end

        it_behaves_like 'response is correct', schema: 'public_api/v4/user/basics'
+
+        context 'when users search feature is disabled' do
+          before do
+            allow(Feature).to receive(:disabled?).with(:users_search, default_enabled: true).and_return(true)
+
+            get api("/projects/#{project.id}/search", user), params: { scope: 'users', search: 'billy' }
+          end
+
+          it 'returns 400 error' do
+            expect(response).to have_gitlab_http_status(400)
+          end
+        end
      end

      context 'for notes scope' do