Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
d7572472
Commit
d7572472
authored
Nov 30, 2016
by
Rémy Coutable
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Allow public access to some Project API endpoints
Signed-off-by:
Rémy Coutable
<
remy@rymai.me
>
parent
e91afc0d
Changes
5
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
315 additions
and
152 deletions
+315
-152
changelogs/unreleased/4269-public-api.yml
changelogs/unreleased/4269-public-api.yml
+4
-0
lib/api/helpers.rb
lib/api/helpers.rb
+5
-0
lib/api/projects.rb
lib/api/projects.rb
+18
-10
spec/requests/api/api_helpers_spec.rb
spec/requests/api/api_helpers_spec.rb
+53
-1
spec/requests/api/projects_spec.rb
spec/requests/api/projects_spec.rb
+235
-141
No files found.
changelogs/unreleased/4269-public-api.yml
0 → 100644
View file @
d7572472
---
title
:
Allow public access to some Project API endpoints
merge_request
:
7843
author
:
lib/api/helpers.rb
View file @
d7572472
...
...
@@ -141,6 +141,10 @@ module API
unauthorized!
unless
current_user
end
def
authenticate_non_get!
authenticate!
unless
%w[GET HEAD]
.
include?
(
route
.
route_method
)
end
def
authenticate_by_gitlab_shell_token!
input
=
params
[
'secret_token'
].
try
(
:chomp
)
unless
Devise
.
secure_compare
(
secret_token
,
input
)
...
...
@@ -149,6 +153,7 @@ module API
end
def
authenticated_as_admin!
authenticate!
forbidden!
unless
current_user
.
is_admin?
end
...
...
lib/api/projects.rb
View file @
d7572472
...
...
@@ -3,7 +3,7 @@ module API
class
Projects
<
Grape
::
API
include
PaginationParams
before
{
authenticate!
}
before
{
authenticate
_non_get
!
}
helpers
do
params
:optional_params
do
...
...
@@ -61,7 +61,7 @@ module API
end
end
desc
'Get a
projects list
for authenticated user'
do
desc
'Get a
list of visible projects
for authenticated user'
do
success
Entities
::
BasicProjectDetails
end
params
do
...
...
@@ -70,15 +70,15 @@ module API
use
:filter_params
use
:pagination
end
get
do
projects
=
current_user
.
authorized_projects
get
'/visible'
do
projects
=
ProjectsFinder
.
new
.
execute
(
current_user
)
projects
=
filter_projects
(
projects
)
entity
=
params
[
:simple
]
?
Entities
::
BasicProjectDetails
:
Entities
::
ProjectWithAccess
entity
=
params
[
:simple
]
||
!
current_user
?
Entities
::
BasicProjectDetails
:
Entities
::
ProjectWithAccess
present
paginate
(
projects
),
with:
entity
,
user:
current_user
end
desc
'Get a
list of visible projects
for authenticated user'
do
desc
'Get a
projects list
for authenticated user'
do
success
Entities
::
BasicProjectDetails
end
params
do
...
...
@@ -87,8 +87,10 @@ module API
use
:filter_params
use
:pagination
end
get
'/visible'
do
projects
=
ProjectsFinder
.
new
.
execute
(
current_user
)
get
do
authenticate!
projects
=
current_user
.
authorized_projects
projects
=
filter_projects
(
projects
)
entity
=
params
[
:simple
]
?
Entities
::
BasicProjectDetails
:
Entities
::
ProjectWithAccess
...
...
@@ -103,6 +105,8 @@ module API
use
:pagination
end
get
'/owned'
do
authenticate!
projects
=
current_user
.
owned_projects
projects
=
filter_projects
(
projects
)
...
...
@@ -117,6 +121,8 @@ module API
use
:pagination
end
get
'/starred'
do
authenticate!
projects
=
current_user
.
viewable_starred_projects
projects
=
filter_projects
(
projects
)
...
...
@@ -132,6 +138,7 @@ module API
end
get
'/all'
do
authenticated_as_admin!
projects
=
Project
.
all
projects
=
filter_projects
(
projects
)
...
...
@@ -213,7 +220,8 @@ module API
success
Entities
::
ProjectWithAccess
end
get
":id"
do
present
user_project
,
with:
Entities
::
ProjectWithAccess
,
user:
current_user
,
entity
=
current_user
?
Entities
::
ProjectWithAccess
:
Entities
::
BasicProjectDetails
present
user_project
,
with:
entity
,
user:
current_user
,
user_can_admin_project:
can?
(
current_user
,
:admin_project
,
user_project
)
end
...
...
@@ -433,7 +441,7 @@ module API
use
:pagination
end
get
':id/users'
do
users
=
User
.
where
(
id:
user_project
.
team
.
users
.
map
(
&
:id
))
users
=
user_project
.
team
.
users
users
=
users
.
search
(
params
[
:search
])
if
params
[
:search
].
present?
present
paginate
(
users
),
with:
Entities
::
UserBasic
...
...
spec/requests/api/api_helpers_spec.rb
View file @
d7572472
...
...
@@ -47,7 +47,7 @@ describe API::Helpers, api: true do
end
def
error!
(
message
,
status
)
raise
Exception
raise
Exception
.
new
(
"
#{
status
}
-
#{
message
}
"
)
end
describe
".current_user"
do
...
...
@@ -290,4 +290,56 @@ describe API::Helpers, api: true do
handle_api_exception
(
exception
)
end
end
describe
'.authenticate_non_get!'
do
%w[HEAD GET]
.
each
do
|
method_name
|
context
"method is
#{
method_name
}
"
do
before
do
expect_any_instance_of
(
self
.
class
).
to
receive
(
:route
).
and_return
(
double
(
route_method:
method_name
))
end
it
'does not raise an error'
do
expect_any_instance_of
(
self
.
class
).
not_to
receive
(
:authenticate!
)
expect
{
authenticate_non_get!
}.
not_to
raise_error
end
end
end
%w[POST PUT PATCH DELETE]
.
each
do
|
method_name
|
context
"method is
#{
method_name
}
"
do
before
do
expect_any_instance_of
(
self
.
class
).
to
receive
(
:route
).
and_return
(
double
(
route_method:
method_name
))
end
it
'calls authenticate!'
do
expect_any_instance_of
(
self
.
class
).
to
receive
(
:authenticate!
)
authenticate_non_get!
end
end
end
end
describe
'.authenticate!'
do
context
'current_user is nil'
do
before
do
expect_any_instance_of
(
self
.
class
).
to
receive
(
:current_user
).
and_return
(
nil
)
end
it
'returns a 401 response'
do
expect
{
authenticate!
}.
to
raise_error
'401 - {"message"=>"401 Unauthorized"}'
end
end
context
'current_user is present'
do
before
do
expect_any_instance_of
(
self
.
class
).
to
receive
(
:current_user
).
and_return
(
true
)
end
it
'does not raise an error'
do
expect
{
authenticate!
}.
not_to
raise_error
end
end
end
end
spec/requests/api/projects_spec.rb
View file @
d7572472
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment