gitlab-org--gitlab-foss/lib/api/v3/todos.rb
Robert Speicher fec9fb05a5 Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
Restrict Todo API mark_as_done endpoint to the user's todos only
2018-02-09 12:16:25 -06:00


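module API
  module V3
    # V3 Todo endpoints. The `before` hook runs `authenticate!` for every
    # route, so `current_user` is always present in the handlers below.
    class Todos < Grape::API
      before { authenticate! }

      resource :todos do
        desc 'Mark a todo as done' do
          success ::API::Entities::Todo
        end
        params do
          requires :id, type: Integer, desc: 'The ID of the todo being marked as done'
        end
        # DELETE /todos/:id
        #
        # The record is resolved through `current_user.todos`, so an id that
        # does not belong to the caller raises on lookup (presumably mapped to
        # a 404 by the API error handling) before any state is changed. Doing
        # the scoped lookup first, rather than after the service call, means
        # the service is never handed an id outside the caller's own todos,
        # whether or not the service also scopes by user internally.
        delete ':id' do
          todo = current_user.todos.find(params[:id])
          TodoService.new.mark_todos_as_done_by_ids(todo.id, current_user)
          # Re-read the row so the presented entity reflects the post-mark
          # attributes, not the ones loaded before the service ran.
          present todo.reload, with: ::API::Entities::Todo, current_user: current_user
        end

        # DELETE /todos
        #
        # Marks every todo returned by TodosFinder for the caller (filtered by
        # whatever request params the finder honours) as done and returns the
        # number affected. The status is set explicitly so the integer count
        # goes out with a 200 instead of Grape's default for DELETE.
        desc 'Mark all todos as done'
        delete do
          status(200)
          todos = TodosFinder.new(current_user, params).execute
          TodoService.new.mark_todos_as_done(todos, current_user).size
        end
      end
    end
  end
end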