Commit 4e97f266 authored by jubianchi

Acces groups with their path in API

parent a073e00a
...@@ -53,7 +53,7 @@ v 7.8.0 ...@@ -53,7 +53,7 @@ v 7.8.0
- Add a new API function that retrieves all issues assigned to a single milestone (Justin Whear and Hannes Rosenögger) - Add a new API function that retrieves all issues assigned to a single milestone (Justin Whear and Hannes Rosenögger)
- -
- -
- - API: Access groups with their path (Julien Bianchi)
- -
- -
- -
......
...@@ -32,7 +32,7 @@ GET /groups/:id ...@@ -32,7 +32,7 @@ GET /groups/:id
Parameters: Parameters:
- `id` (required) - The ID of a group - `id` (required) - The ID or path of a group
## New group ## New group
...@@ -58,7 +58,7 @@ POST /groups/:id/projects/:project_id ...@@ -58,7 +58,7 @@ POST /groups/:id/projects/:project_id
Parameters: Parameters:
- `id` (required) - The ID of a group - `id` (required) - The ID or path of a group
- `project_id` (required) - The ID of a project - `project_id` (required) - The ID of a project
## Remove group ## Remove group
...@@ -71,7 +71,7 @@ DELETE /groups/:id ...@@ -71,7 +71,7 @@ DELETE /groups/:id
Parameters: Parameters:
- `id` (required) - The ID of a user group - `id` (required) - The ID or path of a user group
## Search for group ## Search for group
...@@ -148,7 +148,7 @@ POST /groups/:id/members ...@@ -148,7 +148,7 @@ POST /groups/:id/members
Parameters: Parameters:
- `id` (required) - The ID of a group - `id` (required) - The ID or path of a group
- `user_id` (required) - The ID of a user to add - `user_id` (required) - The ID of a user to add
- `access_level` (required) - Project access level - `access_level` (required) - Project access level
...@@ -162,5 +162,5 @@ DELETE /groups/:id/members/:user_id ...@@ -162,5 +162,5 @@ DELETE /groups/:id/members/:user_id
Parameters: Parameters:
- `id` (required) - The ID of a user group - `id` (required) - The ID or path of a user group
- `user_id` (required) - The ID of a group member - `user_id` (required) - The ID of a group member
...@@ -3,22 +3,6 @@ module API ...@@ -3,22 +3,6 @@ module API
before { authenticate! } before { authenticate! }
resource :groups do resource :groups do
helpers do
def find_group(id)
group = Group.find(id)
if can?(current_user, :read_group, group)
group
else
render_api_error!("403 Forbidden - #{current_user.username} lacks sufficient access to #{group.name}", 403)
end
end
def validate_access_level?(level)
Gitlab::Access.options_with_owner.values.include? level.to_i
end
end
# Get a list of group members viewable by the authenticated user. # Get a list of group members viewable by the authenticated user.
# #
# Example Request: # Example Request:
......
...@@ -4,22 +4,6 @@ module API ...@@ -4,22 +4,6 @@ module API
before { authenticate! } before { authenticate! }
resource :groups do resource :groups do
helpers do
def find_group(id)
group = Group.find(id)
if can?(current_user, :read_group, group)
group
else
render_api_error!("403 Forbidden - #{current_user.username} lacks sufficient access to #{group.name}", 403)
end
end
def validate_access_level?(level)
Gitlab::Access.options_with_owner.values.include? level.to_i
end
end
# Get a groups list # Get a groups list
# #
# Example Request: # Example Request:
......
...@@ -55,6 +55,21 @@ module API ...@@ -55,6 +55,21 @@ module API
end end
end end
def find_group(id)
begin
group = Group.find(id)
rescue ActiveRecord::RecordNotFound
group = Group.find_by!(path: id)
end
if can?(current_user, :read_group, group)
group
else
forbidden!("#{current_user.username} lacks sufficient "\
"access to #{group.name}")
end
end
def paginate(relation) def paginate(relation)
per_page = params[:per_page].to_i per_page = params[:per_page].to_i
paginated = relation.page(params[:page]).per(per_page) paginated = relation.page(params[:page]).per(per_page)
...@@ -135,10 +150,16 @@ module API ...@@ -135,10 +150,16 @@ module API
errors errors
end end
def validate_access_level?(level)
Gitlab::Access.options_with_owner.values.include? level.to_i
end
# error helpers # error helpers
def forbidden! def forbidden!(reason = nil)
render_api_error!('403 Forbidden', 403) message = ['403 Forbidden']
message << " - #{reason}" if reason
render_api_error!(message.join(' '), 403)
end end
def bad_request!(attribute) def bad_request!(attribute)
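Review bot: In `find_group` (first hunk of this section), trying `Group.find(id)` before the path lookup puts IDs and paths in one namespace: a group whose path is all digits is shadowed by whichever group has that numeric ID, and if ActiveRecord casts the string with integer semantics, as it usually does, a path such as `12-team` could resolve to group 12. The permission check still runs on the resolved record, but a caller of `DELETE /groups/:id` may end up acting on a different group than the one named. Choosing the lookup from the shape of the input avoids this, e.g. `group = id.to_s =~ /\A\d+\z/ ? Group.find(id) : Group.find_by!(path: id)`, with all-digit paths then disallowed or documented as unreachable by path. Separately, the 403 branch confirms that a guessed path exists and echoes `group.name` to a user who cannot read the group; returning the same 404 as for an unknown path would close that. The enclosing helpers module starts and ends outside these hunks.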
......
...@@ -73,6 +73,24 @@ describe API::API, api: true do ...@@ -73,6 +73,24 @@ describe API::API, api: true do
response.status.should == 404 response.status.should == 404
end end
end end
context 'when using group path in URL' do
it 'should return any existing group' do
get api("/groups/#{group1.path}", admin)
response.status.should == 200
json_response['name'] == group2.name
end
it 'should not return a non existing group' do
get api('/groups/unknown', admin)
response.status.should == 404
end
it 'should not return a group not attached to user1' do
get api("/groups/#{group2.path}", user1)
response.status.should == 403
end
end
end end
describe "POST /groups" do describe "POST /groups" do
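Review bot: The line `json_response['name'] == group2.name` in 'should return any existing group' is a bare comparison with no expectation attached, so it can never fail, and it compares against `group2` although the request used `group1.path`. It should read `json_response['name'].should == group1.name`. There is also no case for a path that is all digits or otherwise collides with another group's ID, which is the ambiguous input for a lookup that tries the ID first and the path second; a spec pinning the intended resolution would be useful. The enclosing `describe` block starts outside this hunk.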
......