Commit ce664d2f authored by charlie ablett's avatar charlie ablett

Merge branch 'lm-fix-authorization-lint' into 'master'

Updates authorization for lint

See merge request gitlab-org/gitlab!54492
parents 07a41b53 e2a5f98e
---
title: Updates authorization for linting endpoint
merge_request: 54492
author:
type: changed
...@@ -11,7 +11,7 @@ module API ...@@ -11,7 +11,7 @@ module API
optional :include_merged_yaml, type: Boolean, desc: 'Whether or not to include merged CI config yaml in the response' optional :include_merged_yaml, type: Boolean, desc: 'Whether or not to include merged CI config yaml in the response'
end end
post '/lint' do post '/lint' do
unauthorized! unless Gitlab::CurrentSettings.signup_enabled? && current_user unauthorized! if Gitlab::CurrentSettings.signup_disabled? && current_user.nil?
result = Gitlab::Ci::YamlProcessor.new(params[:content], user: current_user).execute result = Gitlab::Ci::YamlProcessor.new(params[:content], user: current_user).execute
......
...@@ -3,6 +3,10 @@ ...@@ -3,6 +3,10 @@
module Gitlab module Gitlab
module CurrentSettings module CurrentSettings
class << self class << self
def signup_disabled?
!signup_enabled?
end
def current_application_settings def current_application_settings
Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! } Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
end end
......
...@@ -24,6 +24,26 @@ RSpec.describe Gitlab::CurrentSettings do ...@@ -24,6 +24,26 @@ RSpec.describe Gitlab::CurrentSettings do
end end
end end
describe '.signup_disabled?' do
subject { described_class.signup_disabled? }
context 'when signup is enabled' do
before do
create(:application_setting, signup_enabled: true)
end
it { is_expected.to be_falsey }
end
context 'when signup is disabled' do
before do
create(:application_setting, signup_enabled: false)
end
it { is_expected.to be_truthy }
end
end
describe '#current_application_settings', :use_clean_rails_memory_store_caching do describe '#current_application_settings', :use_clean_rails_memory_store_caching do
it 'allows keys to be called directly' do it 'allows keys to be called directly' do
db_settings = create(:application_setting, db_settings = create(:application_setting,
......
...@@ -5,7 +5,9 @@ require 'spec_helper' ...@@ -5,7 +5,9 @@ require 'spec_helper'
RSpec.describe API::Lint do RSpec.describe API::Lint do
describe 'POST /ci/lint' do describe 'POST /ci/lint' do
context 'when signup settings are disabled' do context 'when signup settings are disabled' do
Gitlab::CurrentSettings.signup_enabled = false before do
Gitlab::CurrentSettings.signup_enabled = false
end
context 'when unauthenticated' do context 'when unauthenticated' do
it 'returns authentication error' do it 'returns authentication error' do
...@@ -16,22 +18,25 @@ RSpec.describe API::Lint do ...@@ -16,22 +18,25 @@ RSpec.describe API::Lint do
end end
context 'when authenticated' do context 'when authenticated' do
it 'returns unauthorized error' do let_it_be(:api_user) { create(:user) }
post api('/ci/lint'), params: { content: 'content' } it 'returns authorized' do
post api('/ci/lint', api_user), params: { content: 'content' }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:ok)
end end
end end
end end
context 'when signup settings are enabled' do context 'when signup settings are enabled' do
Gitlab::CurrentSettings.signup_enabled = true before do
Gitlab::CurrentSettings.signup_enabled = true
end
context 'when unauthenticated' do context 'when unauthenticated' do
it 'returns authentication error' do it 'returns authorized success' do
post api('/ci/lint'), params: { content: 'content' } post api('/ci/lint'), params: { content: 'content' }
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:ok)
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment