Commit
789eb36c
authored
6 years ago
by
haseeb
Committed by
Rémy Coutable
6 years ago
Remove authentication for readonly endpoints in issues API
parent
984e0f1a
Showing
3 changed files
with
189 additions
and
119 deletions
+189
-119
changelogs/unreleased/40855_remove_authentication_in_readonly_issue_api.yml
...sed/40855_remove_authentication_in_readonly_issue_api.yml
+5
-0
lib/api/issues.rb
lib/api/issues.rb
+2
-1
spec/requests/api/issues_spec.rb
spec/requests/api/issues_spec.rb
+182
-118
changelogs/unreleased/40855_remove_authentication_in_readonly_issue_api.yml
0 → 100644
---
title
:
made listing and showing public issue apis available without authentication
merge_request
:
18638
author
:
haseebeqx
type
:
changed
lib/api/issues.rb
...
@@ -2,7 +2,7 @@ module API
...
@@ -2,7 +2,7 @@ module API
class
Issues
<
Grape
::
API
class
Issues
<
Grape
::
API
include
PaginationParams
include
PaginationParams
before
{
authenticate!
}
before
{
authenticate
_non_get
!
}
helpers
::
Gitlab
::
IssuableMetadata
helpers
::
Gitlab
::
IssuableMetadata
...
@@ -70,6 +70,7 @@ module API
...
@@ -70,6 +70,7 @@ module API
desc:
'Return issues for the given scope: `created-by-me`, `assigned-to-me` or `all`'
desc:
'Return issues for the given scope: `created-by-me`, `assigned-to-me` or `all`'
end
end
get
do
get
do
authenticate!
unless
params
[
:scope
]
==
'all'
issues
=
paginate
(
find_issues
)
issues
=
paginate
(
find_issues
)
options
=
{
options
=
{
...
...
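Review bot: The class-level `before { authenticate_non_get! }` at the top of `API::Issues` makes every GET route in this class anonymous by default, so a read-only route that needs a signed-in user is protected only if it opts in itself, as the `/issues` handler in the second hunk does with `authenticate! unless params[:scope] == 'all'`. The other GET handlers and `find_issues` are not part of the visible hunks (the rest of the file is collapsed here), so it cannot be confirmed from this page that each of them restricts results to what a request without a user may read. I would add a comment above the `before` line, for example `# GET routes are anonymous by default: scope results to what a nil user may read, or call authenticate! in the route`, so that a GET route added later is not written on the assumption that the class still requires a login.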
spec/requests/api/issues_spec.rb
...
@@ -64,12 +64,32 @@ describe API::Issues do
...
@@ -64,12 +64,32 @@ describe API::Issues do
describe
"GET /issues"
do
describe
"GET /issues"
do
context
"when unauthenticated"
do
context
"when unauthenticated"
do
it
"returns authentication error"
do
it
"returns an array of all issues"
do
get
api
(
"/issues"
),
scope:
'all'
expect
(
response
).
to
have_http_status
(
200
)
expect
(
json_response
).
to
be_an
Array
end
it
"returns authentication error without any scope"
do
get
api
(
"/issues"
)
get
api
(
"/issues"
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
expect
(
response
).
to
have_http_status
(
401
)
end
it
"returns authentication error when scope is assigned-to-me"
do
get
api
(
"/issues"
),
scope:
'assigned-to-me'
expect
(
response
).
to
have_http_status
(
401
)
end
it
"returns authentication error when scope is created-by-me"
do
get
api
(
"/issues"
),
scope:
'created-by-me'
expect
(
response
).
to
have_http_status
(
401
)
end
end
end
end
context
"when authenticated"
do
context
"when authenticated"
do
let
(
:first_issue
)
{
json_response
.
first
}
let
(
:first_issue
)
{
json_response
.
first
}
...
@@ -379,9 +399,6 @@ describe API::Issues do
...
@@ -379,9 +399,6 @@ describe API::Issues do
end
end
let!
(
:group_note
)
{
create
(
:note_on_issue
,
author:
user
,
project:
group_project
,
noteable:
group_issue
)
}
let!
(
:group_note
)
{
create
(
:note_on_issue
,
author:
user
,
project:
group_project
,
noteable:
group_issue
)
}
before
do
group_project
.
add_reporter
(
user
)
end
let
(
:base_url
)
{
"/groups/
#{
group
.
id
}
/issues"
}
let
(
:base_url
)
{
"/groups/
#{
group
.
id
}
/issues"
}
context
'when group has subgroups'
,
:nested_groups
do
context
'when group has subgroups'
,
:nested_groups
do
...
@@ -408,6 +425,19 @@ describe API::Issues do
...
@@ -408,6 +425,19 @@ describe API::Issues do
end
end
end
end
context
'when user is unauthenticated'
do
it
'lists all issues in public projects'
do
get
api
(
base_url
)
expect_paginated_array_response
(
size:
2
)
end
end
context
'when user is a group member'
do
before
do
group_project
.
add_reporter
(
user
)
end
it
'returns all group issues (including opened and closed)'
do
it
'returns all group issues (including opened and closed)'
do
get
api
(
base_url
,
admin
)
get
api
(
base_url
,
admin
)
...
@@ -576,10 +606,20 @@ describe API::Issues do
...
@@ -576,10 +606,20 @@ describe API::Issues do
expect
(
response_dates
).
to
eq
(
response_dates
.
sort
)
expect
(
response_dates
).
to
eq
(
response_dates
.
sort
)
end
end
end
end
end
describe
"GET /projects/:id/issues"
do
describe
"GET /projects/:id/issues"
do
let
(
:base_url
)
{
"/projects/
#{
project
.
id
}
"
}
let
(
:base_url
)
{
"/projects/
#{
project
.
id
}
"
}
context
'when unauthenticated'
do
it
'returns public project issues'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues"
)
expect_paginated_array_response
(
size:
2
)
expect
(
json_response
.
first
[
'title'
]).
to
eq
(
issue
.
title
)
end
end
it
'avoids N+1 queries'
do
it
'avoids N+1 queries'
do
control_count
=
ActiveRecord
::
QueryRecorder
.
new
do
control_count
=
ActiveRecord
::
QueryRecorder
.
new
do
get
api
(
"/projects/
#{
project
.
id
}
/issues"
,
user
)
get
api
(
"/projects/
#{
project
.
id
}
/issues"
,
user
)
...
@@ -789,6 +829,14 @@ describe API::Issues do
...
@@ -789,6 +829,14 @@ describe API::Issues do
end
end
describe
"GET /projects/:id/issues/:issue_iid"
do
describe
"GET /projects/:id/issues/:issue_iid"
do
context
'when unauthenticated'
do
it
'returns public issues'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
"
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
end
end
it
'exposes known attributes'
do
it
'exposes known attributes'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
"
,
user
)
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
"
,
user
)
...
@@ -1581,6 +1629,14 @@ describe API::Issues do
...
@@ -1581,6 +1629,14 @@ describe API::Issues do
create
(
:merge_requests_closing_issues
,
issue:
issue
,
merge_request:
merge_request
)
create
(
:merge_requests_closing_issues
,
issue:
issue
,
merge_request:
merge_request
)
end
end
context
'when unauthenticated'
do
it
'return public project issues'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/closed_by"
)
expect_paginated_array_response
(
size:
1
)
end
end
it
'returns merge requests that will close issue on merge'
do
it
'returns merge requests that will close issue on merge'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/closed_by"
,
user
)
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/closed_by"
,
user
)
...
@@ -1605,6 +1661,14 @@ describe API::Issues do
...
@@ -1605,6 +1661,14 @@ describe API::Issues do
describe
"GET /projects/:id/issues/:issue_iid/user_agent_detail"
do
describe
"GET /projects/:id/issues/:issue_iid/user_agent_detail"
do
let!
(
:user_agent_detail
)
{
create
(
:user_agent_detail
,
subject:
issue
)
}
let!
(
:user_agent_detail
)
{
create
(
:user_agent_detail
,
subject:
issue
)
}
context
'when unauthenticated'
do
it
"returns unautorized"
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/user_agent_detail"
)
expect
(
response
).
to
have_gitlab_http_status
(
401
)
end
end
it
'exposes known attributes'
do
it
'exposes known attributes'
do
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/user_agent_detail"
,
admin
)
get
api
(
"/projects/
#{
project
.
id
}
/issues/
#{
issue
.
iid
}
/user_agent_detail"
,
admin
)
...
...
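Review bot: The new `when unauthenticated` contexts assert only a status code or a result count, so none of them would fail if an anonymous request began returning confidential issues or issues from non-public projects; the `GET /issues` case with `scope: 'all'` checks just `have_http_status(200)` and `be_an Array`. Because this commit removes the login requirement for reads, each anonymous list test should also assert what must be absent, e.g. `expect(json_response.map { |i| i['id'] }).not_to include(<non_public_issue>.id)`, where `<non_public_issue>` is a placeholder for whichever confidential or private-project fixture this spec defines (none is visible in these hunks). Two smaller points: the section uses both `have_http_status` and `have_gitlab_http_status` for the same kind of check, and the description `"returns unautorized"` should read `"returns unauthorized"`. The remainder of this file's diff is collapsed on the page, so these points cover the shown hunks only.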