Merge branch 'fix_events_permission_#49255' into 'master'
Add authenticate to events api. fix #49255 Closes #49255 See merge request gitlab-org/gitlab-ce!20627
This commit is contained in:
commit
edf7d1d4c7
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
title: 'Events API now requires the read_user or api scope.'
|
||||
merge_request: 20627
|
||||
author: Warren Parad
|
||||
type: fixed
|
|
@ -48,9 +48,11 @@ GitLab removes events older than 1 year from the events table for performance re
|
|||
|
||||
## List currently authenticated user's events
|
||||
|
||||
>**Note:** This endpoint was introduced in GitLab 9.3.
|
||||
>**Notes:**
|
||||
> This endpoint was introduced in GitLab 9.3.
|
||||
> `read_user` access was introduced in GitLab 11.3.
|
||||
|
||||
Get a list of events for the authenticated user.
|
||||
Get a list of events for the authenticated user. Scope `read_user` or `api` is required.
|
||||
|
||||
```
|
||||
GET /events
|
||||
|
@ -119,9 +121,11 @@ Example response:
|
|||
|
||||
### Get user contribution events
|
||||
|
||||
>**Note:** Documentation was formerly located in the [Users API pages][users-api].
|
||||
>**Notes:**
|
||||
> Documentation was formerly located in the [Users API pages][users-api].
|
||||
> `read_user` access was introduced in GitLab 11.3.
|
||||
|
||||
Get the contribution events for the specified user, sorted from newest to oldest.
|
||||
Get the contribution events for the specified user, sorted from newest to oldest. Scope `read_user` or `api` is required.
|
||||
|
||||
```
|
||||
GET /users/:id/events
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
module API
|
||||
class Events < Grape::API
|
||||
include PaginationParams
|
||||
include APIGuard
|
||||
|
||||
helpers do
|
||||
params :event_filter_params do
|
||||
|
@ -24,6 +25,8 @@ module API
|
|||
end
|
||||
|
||||
resource :events do
|
||||
allow_access_with_scope :read_user, if: -> (request) { request.get? }
|
||||
|
||||
desc "List currently authenticated user's events" do
|
||||
detail 'This feature was introduced in GitLab 9.3.'
|
||||
success Entities::Event
|
||||
|
@ -46,6 +49,8 @@ module API
|
|||
requires :id, type: String, desc: 'The ID or Username of the user'
|
||||
end
|
||||
resource :users do
|
||||
allow_access_with_scope :read_user, if: -> (request) { request.get? }
|
||||
|
||||
desc 'Get the contribution events of a specified user' do
|
||||
detail 'This feature was introduced in GitLab 8.13.'
|
||||
success Entities::Event
|
||||
|
|
|
@ -2,9 +2,9 @@ require 'spec_helper'
|
|||
|
||||
describe API::Events do
|
||||
include ApiHelpers
|
||||
|
||||
let(:user) { create(:user) }
|
||||
let(:non_member) { create(:user) }
|
||||
let(:other_user) { create(:user, username: 'otheruser') }
|
||||
let(:private_project) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
|
||||
let(:closed_issue) { create(:closed_issue, project: private_project, author: user) }
|
||||
let!(:closed_issue_event) { create(:event, project: private_project, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 12, 30)) }
|
||||
|
@ -28,12 +28,52 @@ describe API::Events do
|
|||
expect(json_response.size).to eq(1)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the requesting token has "read_user" scope' do
|
||||
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
|
||||
|
||||
it 'returns users events' do
|
||||
get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', personal_access_token: token)
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(response).to include_pagination_headers
|
||||
expect(json_response).to be_an Array
|
||||
expect(json_response.size).to eq(1)
|
||||
end
|
||||
end
|
||||
|
||||
context 'when the requesting token does not have "read_user" or "api" scope' do
|
||||
let(:token_without_scopes) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
|
||||
|
||||
it 'returns a "403" response' do
|
||||
get api('/events', personal_access_token: token_without_scopes)
|
||||
|
||||
expect(response).to have_gitlab_http_status(403)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'GET /users/:id/events' do
|
||||
context "as a user that cannot see the event's project" do
|
||||
it 'returns no events' do
|
||||
get api("/users/#{user.id}/events", other_user)
|
||||
context "as a user that cannot see another user" do
|
||||
it 'returns a "404" response' do
|
||||
allow(Ability).to receive(:allowed?).and_call_original
|
||||
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
|
||||
|
||||
get api("/users/#{user.id}/events", non_member)
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(json_response).to be_empty
|
||||
end
|
||||
end
|
||||
|
||||
context "as a user token that cannot see another user" do
|
||||
let(:non_member_token) { create(:personal_access_token, scopes: ['read_user'], user: non_member) }
|
||||
|
||||
it 'returns a "404" response' do
|
||||
allow(Ability).to receive(:allowed?).and_call_original
|
||||
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
|
||||
|
||||
get api("/users/#{user.id}/events", personal_access_token: non_member_token)
|
||||
|
||||
expect(response).to have_gitlab_http_status(200)
|
||||
expect(json_response).to be_empty
|
||||
|
|
Loading…
Reference in New Issue