Add cr remarks

4ade06ec · Małgorzata Ksionek · 958a3d67 · 4ade06ec · 4ade06ec · 4ade06ec
Commit 4ade06ec authored Apr 08, 2020 by Małgorzata Ksionek
3 changed files
--- a/changelogs/unreleased/20440-limit-the-api-scope-of-personal-access-tokens.yml
+++ b/changelogs/unreleased/20440-limit-the-api-scope-of-personal-access-tokens.yml
 ---
-title: Add read_api read only scope
+title: Add read_api scope to personal access tokens for granting read only API access
 merge_request: 28944
 author:
 type: added
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -43,6 +43,7 @@ the following table.
 | ------------------ | ------------- | ----------- |
 | `read_user`        | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951)   | Allows access to the read-only endpoints under `/users`. Essentially, any of the `GET` requests in the [Users API][users] are allowed. |
 | `api`              | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951)   | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
+| `read_api`           | [GitLab 12.10](https://https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944)  | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
 | `read_registry`    | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845)   | Allows to read (pull) [container registry] images if a project is private and authorization is required. |
 | `sudo`             | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838)  | Allows performing API actions as any user in the system (if the authenticated user is an admin). |
 | `read_repository`  | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894)  | Allows read-only access (pull) to the repository through `git clone`. |

--- a/spec/requests/api/api_spec.rb
+++ b/spec/requests/api/api_spec.rb
@@ -11,7 +11,7 @@ describe API::API do
    # to represent any API endpoint
    let(:user) { create(:user, last_activity_on: Date.yesterday) }
-    it 'updates the users last_activity_on date' do
+    it 'updates the users last_activity_on to the current date' do
      expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
    end
@@ -25,7 +25,7 @@ describe API::API do
  end
  describe 'User with only read_api scope personal access token' do
-    # It does not matter which endpoint is used because this should
+    # It does not matter which endpoint is used because this should behave
    # in the same way for every request. `/groups` is used as an example
    # to represent any API endpoint
@@ -45,9 +45,9 @@ describe API::API do
      end
      it 'does not authorize user for post request' do
-        group_attributes = attributes_for_group_api
+        params = attributes_for_group_api
-        post api("/groups", personal_access_token: token), params: group_attributes
+        post api("/groups", personal_access_token: token), params: params
        expect(response).to have_gitlab_http_status(:forbidden)
      end