Commit edf7d1d4 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch 'fix_events_permission_#49255' into 'master'

Add authentication to the Events API. Fixes #49255

Closes #49255

See merge request gitlab-org/gitlab-ce!20627
parents b755753c 8aed9f08
---
title: 'Events API now requires the read_user or api scope.'
merge_request: 20627
author: Warren Parad
type: fixed
...@@ -48,9 +48,11 @@ GitLab removes events older than 1 year from the events table for performance re ...@@ -48,9 +48,11 @@ GitLab removes events older than 1 year from the events table for performance re
## List currently authenticated user's events ## List currently authenticated user's events
>**Note:** This endpoint was introduced in GitLab 9.3. >**Notes:**
> This endpoint was introduced in GitLab 9.3.
> `read_user` access was introduced in GitLab 11.3.
Get a list of events for the authenticated user. Get a list of events for the authenticated user. Scope `read_user` or `api` is required.
``` ```
GET /events GET /events
...@@ -119,9 +121,11 @@ Example response: ...@@ -119,9 +121,11 @@ Example response:
### Get user contribution events ### Get user contribution events
>**Note:** Documentation was formerly located in the [Users API pages][users-api]. >**Notes:**
> Documentation was formerly located in the [Users API pages][users-api].
> `read_user` access was introduced in GitLab 11.3.
Get the contribution events for the specified user, sorted from newest to oldest. Get the contribution events for the specified user, sorted from newest to oldest. Scope `read_user` or `api` is required.
``` ```
GET /users/:id/events GET /users/:id/events
module API module API
class Events < Grape::API class Events < Grape::API
include PaginationParams include PaginationParams
include APIGuard
helpers do helpers do
params :event_filter_params do params :event_filter_params do
...@@ -24,6 +25,8 @@ module API ...@@ -24,6 +25,8 @@ module API
end end
resource :events do resource :events do
allow_access_with_scope :read_user, if: -> (request) { request.get? }
desc "List currently authenticated user's events" do desc "List currently authenticated user's events" do
detail 'This feature was introduced in GitLab 9.3.' detail 'This feature was introduced in GitLab 9.3.'
success Entities::Event success Entities::Event
...@@ -46,6 +49,8 @@ module API ...@@ -46,6 +49,8 @@ module API
requires :id, type: String, desc: 'The ID or Username of the user' requires :id, type: String, desc: 'The ID or Username of the user'
end end
resource :users do resource :users do
allow_access_with_scope :read_user, if: -> (request) { request.get? }
desc 'Get the contribution events of a specified user' do desc 'Get the contribution events of a specified user' do
detail 'This feature was introduced in GitLab 8.13.' detail 'This feature was introduced in GitLab 8.13.'
success Entities::Event success Entities::Event
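Review bot: The `if:` lambda on the two `allow_access_with_scope` calls (in the `resource :events` and `resource :users` hunks) is the same literal written twice, and the `-> (request)` spelling with a space after the arrow is what RuboCop's Layout/SpaceInLambdaLiteral flags; one constant on the class, `GET_ONLY = ->(request) { request.get? }`, used as `allow_access_with_scope :read_user, if: GET_ONLY` in both places keeps the two grants from drifting apart. The `detail` strings still state only the version each endpoint appeared in, while the docs changed in this same commit say the `read_user` or `api` scope is required, so the generated description should say it too, e.g. `detail 'This feature was introduced in GitLab 9.3. Requires the read_user or api scope.'`. The visible lines show only `include APIGuard` and the scope grants, not where `authenticate!` is invoked; if that call sits in the collapsed part of this file the 403 case in the spec covers it, otherwise it is worth confirming that a request with no token at all is rejected, since the spec only exercises tokens with the wrong scope. Both `resource` blocks continue past the hunk.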
...@@ -2,9 +2,9 @@ require 'spec_helper' ...@@ -2,9 +2,9 @@ require 'spec_helper'
describe API::Events do describe API::Events do
include ApiHelpers include ApiHelpers
let(:user) { create(:user) } let(:user) { create(:user) }
let(:non_member) { create(:user) } let(:non_member) { create(:user) }
let(:other_user) { create(:user, username: 'otheruser') }
let(:private_project) { create(:project, :private, creator_id: user.id, namespace: user.namespace) } let(:private_project) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
let(:closed_issue) { create(:closed_issue, project: private_project, author: user) } let(:closed_issue) { create(:closed_issue, project: private_project, author: user) }
let!(:closed_issue_event) { create(:event, project: private_project, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 12, 30)) } let!(:closed_issue_event) { create(:event, project: private_project, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 12, 30)) }
...@@ -28,12 +28,52 @@ describe API::Events do ...@@ -28,12 +28,52 @@ describe API::Events do
expect(json_response.size).to eq(1) expect(json_response.size).to eq(1)
end end
end end
context 'when the requesting token has "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns users events' do
get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', personal_access_token: token)
expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
end
end
context 'when the requesting token does not have "read_user" or "api" scope' do
let(:token_without_scopes) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
it 'returns a "403" response' do
get api('/events', personal_access_token: token_without_scopes)
expect(response).to have_gitlab_http_status(403)
end
end
end end
describe 'GET /users/:id/events' do describe 'GET /users/:id/events' do
context "as a user that cannot see the event's project" do context "as a user that cannot see another user" do
it 'returns no events' do it 'returns a "404" response' do
get api("/users/#{user.id}/events", other_user) allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
get api("/users/#{user.id}/events", non_member)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_empty
end
end
context "as a user token that cannot see another user" do
let(:non_member_token) { create(:personal_access_token, scopes: ['read_user'], user: non_member) }
it 'returns a "404" response' do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
get api("/users/#{user.id}/events", personal_access_token: non_member_token)
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_empty expect(json_response).to be_empty