gitlab-org--gitlab-foss/lib/api
Dmitriy Zaporozhets 648f38cd98 Merge branch 'fix-restricted-visibility' into 'master'
Restricted visibility levels - bug fix and new feature

This allows admin users to override restricted visibility settings when creating and updating projects and snippets, and moves the restricted visibility configuration from gitlab.yml to the web UI.  See #1903.

## Move configuration location

I added a new section to the application settings page for restricted visibility levels.  Each level has a checkbox, styled with Bootstrap to look like a toggle button.  A checked box means that the level is restricted.  I added a glowing text shadow and changed the background color for checked buttons because the default styles made it hard to distinguish between checked and unchecked.  This image shows the new section with the "Public" box checked:

![restricted_visibility_settings](https://dev.gitlab.org/Okada/gitlabhq/uploads/629562e4313f89b795e81c3bb0f95893/restricted_visibility_settings.png)

## Allow admins to override

To allow admin users to override the restricted visibility levels, I had to remove the `visibility_level` validation from the `Project` class.  The model doesn't know about the `current_user`, which should determine whether the restrictions can be overridden.  We could use the creator in the validation, but that wouldn't work correctly for projects where a non-admin user is the creator and an admin tries to change the project to a restricted visibility level.

The `Project::UpdateService` and `Project::CreateService` classes already had code to determine whether the current user is allowed to use a given visibility level; now all visibility level validation is done in those classes.  Currently, when a non-admin tries to create or update a project using a restricted level, these classes silently set the visibility level to the global default (create) or the project's existing value (update).  I changed this behavior to be more like an Active Model validation, where using a restricted level causes the entire request to be rejected.

Project and personal snippets didn't have service classes, and restricted visibility levels weren't being enforced in the model or the controllers.  The UI disabled radio buttons for restricted levels, but that wouldn't be difficult to circumvent.  I created the `CreateSnippetService` and `UpdateSnippetService` classes to do the same restricted visibility check that the project classes do.  And since I was dealing with snippet visibility levels, I updated the API endpoints for project snippets to allow users to set and update the visibility level.

## TODO

* [x] Add more tests for restricted visibility functionality

cc @sytse @dzaporozhets

See merge request !1655
2015-03-16 17:49:46 +00:00
..
api.rb Rubocop enabled for: Use spaces inside hash literal braces 2015-02-02 20:36:54 -08:00
api_guard.rb Rubocop: Style/CaseIndentation enabled 2015-02-02 21:26:40 -08:00
branches.rb Update branch api not found messages to 'Branch not found'. 2014-12-30 13:37:14 +01:00
commits.rb Add a message when unable to save an object through api. 2015-01-07 10:46:00 +01:00
deploy_keys.rb Fix failing tests due to updates on the return messages. 2015-01-07 11:39:20 +01:00
entities.rb Enable ParenthesesAsGroupedExpression rule 2015-03-02 18:45:28 -08:00
files.rb Improve error messages when file editing fails 2015-02-22 16:01:49 -07:00
group_members.rb Use group_member instead of users_group or membership. 2015-03-15 13:49:41 +01:00
groups.rb Remove Group#owner_id from API since it is not used any more 2015-02-17 16:23:44 -08:00
helpers.rb Merge branch 'master' into fix-restricted-visibility 2015-03-14 10:49:11 -06:00
internal.rb Don't leak information about private project existence via Git-over-SSH/HTTP. 2015-03-02 17:52:48 +01:00
issues.rb Refactor and improve sorting objects in API for projects, issues and merge requests 2015-02-05 22:00:54 -08:00
labels.rb Fix failing tests due to updates on the return messages. 2015-01-07 11:39:20 +01:00
merge_requests.rb Refactor and improve sorting objects in API for projects, issues and merge requests 2015-02-05 22:00:54 -08:00
milestones.rb Fix the test and add documentation for the "per-milestone issues API call" 2015-01-22 12:14:53 +01:00
namespaces.rb Avoid using {...} for multi-line blocks 2015-02-02 21:22:57 -08:00
notes.rb Add a message when unable to save an object through api. 2015-01-07 10:46:00 +01:00
project_hooks.rb Forward the messages in api response. 2014-12-30 15:17:46 +01:00
project_members.rb Use project_member instead of team_member. 2015-03-15 13:50:38 +01:00
project_snippets.rb More restricted visibility changes 2015-03-10 18:36:43 -06:00
projects.rb Allow admins to override restricted visibility 2015-03-08 16:10:05 -06:00
repositories.rb Handle errors on API when a project does not have a repository (Closes #6289) 2015-01-19 14:13:30 +01:00
services.rb Add Hipchat services API 2014-10-14 19:07:34 +02:00
session.rb Add LDAP support to /api/session 2013-07-16 11:28:19 +03:00
system_hooks.rb Avoid using {...} for multi-line blocks 2015-02-02 21:22:57 -08:00
users.rb Merge branch 'master' into mmonaco/gitlab-ce-api-user-noconfirm 2015-02-27 13:01:57 -08:00