Authorize create snippet through API request

Test create snippet abilities for external users for both personal snippets and project snippets.

Authorize create snippet through API request
Test create snippet abilities for external users for both personal snippets and project snippets.
802bbbfa · Alex Pooley · 354366ff · 802bbbfa · 802bbbfa · 802bbbfa
Commit 802bbbfa authored Feb 11, 2020 by Alex Pooley
4 changed files
--- a/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+++ b/changelogs/unreleased/security-59-prevent-create-api-snippet.yml
+---
+title: External user can not create personal snippet through API
+merge_request:
+author:
+type: security
--- a/lib/api/snippets.rb
+++ b/lib/api/snippets.rb
@@ -74,6 +74,8 @@ module API
                              desc: 'The visibility of the snippet'
      end
      post do
+        authorize! :create_snippet
+
        attrs = declared_params(include_missing: false).merge(request: request, api: true)
        service_response = ::Snippets::CreateService.new(nil, current_user, attrs).execute
        snippet = service_response.payload[:snippet]

--- a/spec/requests/api/project_snippets_spec.rb
+++ b/spec/requests/api/project_snippets_spec.rb
@@ -164,6 +164,30 @@ describe API::ProjectSnippets do
      end
    end

+    context 'with an external user' do
+      let(:user) { create(:user, :external) }
+
+      context 'that belongs to the project' do
+        before do
+          project.add_developer(user)
+        end
+
+        it 'creates a new snippet' do
+          post api("/projects/#{project.id}/snippets/", user), params: params
+
+          expect(response).to have_gitlab_http_status(:created)
+        end
+      end
+
+      context 'that does not belong to the project' do
+        it 'does not create a new snippet' do
+          post api("/projects/#{project.id}/snippets/", user), params: params
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+    end
+
    context 'with a regular user' do
      let(:user) { create(:user) }


--- a/spec/requests/api/snippets_spec.rb
+++ b/spec/requests/api/snippets_spec.rb
@@ -266,6 +266,16 @@ describe API::Snippets do

    it_behaves_like 'snippet creation'

+    context 'with an external user' do
+      let(:user) { create(:user, :external) }
+
+      it 'does not create a new snippet' do
+        post api("/snippets/", user), params: params
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
+
    it 'returns 400 for missing parameters' do
      params.delete(:title)