Commit dbf955ce authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-59-prevent-create-api-snippet' into 'master'

Authorize create snippet through API request

Closes #59

See merge request gitlab-org/security/gitlab!206
parents 7fe27dd0 802bbbfa
---
title: External user can not create personal snippet through API
merge_request:
author:
type: security
......@@ -74,6 +74,8 @@ module API
desc: 'The visibility of the snippet'
end
post do
authorize! :create_snippet
attrs = declared_params(include_missing: false).merge(request: request, api: true)
service_response = ::Snippets::CreateService.new(nil, current_user, attrs).execute
snippet = service_response.payload[:snippet]
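Review bot: `authorize! :create_snippet` at the top of `post do` is called with no subject, so whether an external user is rejected rests entirely on the global ability lookup for `current_user`; a short comment would keep a later refactor from moving it below `declared_params` or the service call: `# Check before reading params: the global :create_snippet ability is what denies external users.`. If `::Snippets::CreateService` does not enforce the same ability itself, the web controller path is guarded separately and the two entry points can drift apart, so checking the permission inside the service as well would make the rule hold regardless of caller. The `post` block continues outside the hunk.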
......
......@@ -164,6 +164,30 @@ describe API::ProjectSnippets do
end
end
context 'with an external user' do
let(:user) { create(:user, :external) }
context 'that belongs to the project' do
before do
project.add_developer(user)
end
it 'creates a new snippet' do
post api("/projects/#{project.id}/snippets/", user), params: params
expect(response).to have_gitlab_http_status(:created)
end
end
context 'that does not belong to the project' do
it 'does not create a new snippet' do
post api("/projects/#{project.id}/snippets/", user), params: params
expect(response).to have_gitlab_http_status(:forbidden)
end
end
end
context 'with a regular user' do
let(:user) { create(:user) }
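Review bot: The 'does not create a new snippet' example in the 'that does not belong to the project' context (and the matching example in the API::Snippets spec hunk) asserts only the response status, so a regression in which the service persists the record before the request is rejected would still pass; wrapping the call in a change expectation pins the behaviour the example name promises, e.g. `expect { post api("/projects/#{project.id}/snippets/", user), params: params }.not_to change { Snippet.count }` followed by the existing status check. The `params` and `project` definitions come from outside the hunk.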
......
......@@ -266,6 +266,16 @@ describe API::Snippets do
it_behaves_like 'snippet creation'
context 'with an external user' do
let(:user) { create(:user, :external) }
it 'does not create a new snippet' do
post api("/snippets/", user), params: params
expect(response).to have_gitlab_http_status(:forbidden)
end
end
it 'returns 400 for missing parameters' do
params.delete(:title)
......