Commit da3d3595 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'restrict-user-api-integers' into 'master'

Restrict users API endpoints to use integer IDs

Closes #2267

See merge request !1156
parents efa90d0a d241c6d0
...@@ -18,6 +18,7 @@ v 8.0.0 (unreleased) ...@@ -18,6 +18,7 @@ v 8.0.0 (unreleased)
- Improve dropdown positioning on the project home page (Hannes Rosenögger) - Improve dropdown positioning on the project home page (Hannes Rosenögger)
- Upgrade browser gem to 1.0.0 to avoid warning in IE11 compatibilty mode (Stan Hu) - Upgrade browser gem to 1.0.0 to avoid warning in IE11 compatibilty mode (Stan Hu)
- Remove user OAuth tokens from the database and request new tokens each session (Stan Hu) - Remove user OAuth tokens from the database and request new tokens each session (Stan Hu)
- Restrict users API endpoints to use integer IDs (Stan Hu)
- Only show recent push event if the branch still exists or a recent merge request has not been created (Stan Hu) - Only show recent push event if the branch still exists or a recent merge request has not been created (Stan Hu)
- Remove satellites - Remove satellites
- Better performance for web editor (switched from satellites to rugged) - Better performance for web editor (switched from satellites to rugged)
......
...@@ -3,7 +3,7 @@ module API ...@@ -3,7 +3,7 @@ module API
class Users < Grape::API class Users < Grape::API
before { authenticate! } before { authenticate! }
resource :users do resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
# Get a users list # Get a users list
# #
# Example Request: # Example Request:
......
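Review bot: The requirement regex `/[0-9]*/` on the new `resource :users` line also matches an empty string, so a request whose `:id` or `:uid` segment is empty still enters the block and only fails later at lookup; `/[0-9]+/` expresses the integer-only intent stated in the commit title: `resource :users, requirements: { uid: /[0-9]+/, id: /[0-9]+/ } do`. Grape is expected to anchor these requirements inside the compiled path pattern, but that is not visible here and is worth confirming, since an unanchored `[0-9]*` would accept any segment. As far as this hunk shows, the singular `resource :user` endpoints (`/user/keys/:id`, `/user/emails/:id`) are outside this resource and receive no such requirement. The `resource :users do` block continues past the end of the hunk.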
...@@ -58,6 +58,11 @@ describe API::API, api: true do ...@@ -58,6 +58,11 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found') expect(json_response['message']).to eq('404 Not found')
end end
it "should return a 404 if invalid ID" do
get api("/users/1ASDF", user)
expect(response.status).to eq(404)
end
end end
describe "POST /users" do describe "POST /users" do
...@@ -257,6 +262,10 @@ describe API::API, api: true do ...@@ -257,6 +262,10 @@ describe API::API, api: true do
expect(json_response['message']).to eq('404 Not found') expect(json_response['message']).to eq('404 Not found')
end end
it "should raise error for invalid ID" do
expect{put api("/users/ASDF", admin) }.to raise_error(ActionController::RoutingError)
end
it 'should return 400 error if user does not validate' do it 'should return 400 error if user does not validate' do
put api("/users/#{user.id}", admin), put api("/users/#{user.id}", admin),
password: 'pass', password: 'pass',
...@@ -319,6 +328,10 @@ describe API::API, api: true do ...@@ -319,6 +328,10 @@ describe API::API, api: true do
post api("/users/#{user.id}/keys", admin), key_attrs post api("/users/#{user.id}/keys", admin), key_attrs
end.to change{ user.keys.count }.by(1) end.to change{ user.keys.count }.by(1)
end end
it "should raise error for invalid ID" do
expect{post api("/users/ASDF/keys", admin) }.to raise_error(ActionController::RoutingError)
end
end end
describe 'GET /user/:uid/keys' do describe 'GET /user/:uid/keys' do
...@@ -346,6 +359,11 @@ describe API::API, api: true do ...@@ -346,6 +359,11 @@ describe API::API, api: true do
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.first['title']).to eq(key.title) expect(json_response.first['title']).to eq(key.title)
end end
it "should return 404 for invalid ID" do
get api("/users/ASDF/keys", admin)
expect(response.status).to eq(404)
end
end end
end end
...@@ -400,6 +418,10 @@ describe API::API, api: true do ...@@ -400,6 +418,10 @@ describe API::API, api: true do
post api("/users/#{user.id}/emails", admin), email_attrs post api("/users/#{user.id}/emails", admin), email_attrs
end.to change{ user.emails.count }.by(1) end.to change{ user.emails.count }.by(1)
end end
it "should raise error for invalid ID" do
expect{post api("/users/ASDF/emails", admin) }.to raise_error(ActionController::RoutingError)
end
end end
describe 'GET /user/:uid/emails' do describe 'GET /user/:uid/emails' do
...@@ -427,6 +449,10 @@ describe API::API, api: true do ...@@ -427,6 +449,10 @@ describe API::API, api: true do
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.first['email']).to eq(email.email) expect(json_response.first['email']).to eq(email.email)
end end
it "should raise error for invalid ID" do
expect{put api("/users/ASDF/emails", admin) }.to raise_error(ActionController::RoutingError)
end
end end
end end
...@@ -463,6 +489,10 @@ describe API::API, api: true do ...@@ -463,6 +489,10 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Email Not Found') expect(json_response['message']).to eq('404 Email Not Found')
end end
it "should raise error for invalid ID" do
expect{delete api("/users/ASDF/emails/bar", admin) }.to raise_error(ActionController::RoutingError)
end
end end
end end
...@@ -491,6 +521,10 @@ describe API::API, api: true do ...@@ -491,6 +521,10 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found') expect(json_response['message']).to eq('404 User Not Found')
end end
it "should raise error for invalid ID" do
expect{delete api("/users/ASDF", admin) }.to raise_error(ActionController::RoutingError)
end
end end
describe "GET /user" do describe "GET /user" do
...@@ -553,6 +587,11 @@ describe API::API, api: true do ...@@ -553,6 +587,11 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found') expect(json_response['message']).to eq('404 Not found')
end end
it "should return 404 for invalid ID" do
get api("/users/keys/ASDF", admin)
expect(response.status).to eq(404)
end
end end
describe "POST /user/keys" do describe "POST /user/keys" do
...@@ -608,6 +647,10 @@ describe API::API, api: true do ...@@ -608,6 +647,10 @@ describe API::API, api: true do
delete api("/user/keys/#{key.id}") delete api("/user/keys/#{key.id}")
expect(response.status).to eq(401) expect(response.status).to eq(401)
end end
it "should raise error for invalid ID" do
expect{delete api("/users/keys/ASDF", admin) }.to raise_error(ActionController::RoutingError)
end
end end
describe "GET /user/emails" do describe "GET /user/emails" do
...@@ -653,6 +696,11 @@ describe API::API, api: true do ...@@ -653,6 +696,11 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 Not found') expect(json_response['message']).to eq('404 Not found')
end end
it "should return 404 for invalid ID" do
get api("/users/emails/ASDF", admin)
expect(response.status).to eq(404)
end
end end
describe "POST /user/emails" do describe "POST /user/emails" do
...@@ -697,6 +745,10 @@ describe API::API, api: true do ...@@ -697,6 +745,10 @@ describe API::API, api: true do
delete api("/user/emails/#{email.id}") delete api("/user/emails/#{email.id}")
expect(response.status).to eq(401) expect(response.status).to eq(401)
end end
it "should raise error for invalid ID" do
expect{delete api("/users/emails/ASDF", admin) }.to raise_error(ActionController::RoutingError)
end
end end
describe 'PUT /user/:id/block' do describe 'PUT /user/:id/block' do
...@@ -748,5 +800,9 @@ describe API::API, api: true do ...@@ -748,5 +800,9 @@ describe API::API, api: true do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(json_response['message']).to eq('404 User Not Found') expect(json_response['message']).to eq('404 User Not Found')
end end
it "should raise error for invalid ID" do
expect{put api("/users/ASDF/block", admin) }.to raise_error(ActionController::RoutingError)
end
end end
end end
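Review bot: The "invalid ID" examples added inside the `/user/keys/:id` and `/user/emails/:id` groups request `/users/keys/ASDF` and `/users/emails/ASDF` (the `get` at "should return 404 for invalid ID" near `get api("/users/keys/ASDF", admin)`, and the three `delete`/`get` examples that follow the `delete api("/user/keys/#{key.id}")` and `delete api("/user/emails/#{email.id}")` context lines), while the neighbouring examples use the singular `/user/...` prefix. They therefore hit the plural `:users` resource that the commit constrains and never the singular endpoints they sit beside, so they pass without showing that `/user/keys/:id` or `/user/emails/:id` rejects a non-integer id; the paths should read `get api("/user/keys/ASDF", admin)` and `delete api("/user/emails/ASDF", admin)`, and if those endpoints are meant to be restricted too, `resource :user` needs its own requirement (not part of this diff). The new examples also pin two different outcomes for the same class of input — a 404 for `get`, a raised `ActionController::RoutingError` for `put`/`post`/`delete` — which presumably reflects how the test environment surfaces an unmatched route rather than what a client observes; a comment in the spec stating that would save the next reader from treating it as intended API behaviour. The enclosing `describe` blocks begin outside each hunk.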