Commit 1c34a2a0 authored by James Lopez's avatar James Lopez

Use read_repository scope on read-only files API

parent 40343096
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
module API module API
class Files < Grape::API class Files < Grape::API
include APIGuard
FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX) FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)
# Prevents returning plain/text responses for files with .txt extension # Prevents returning plain/text responses for files with .txt extension
...@@ -79,6 +81,8 @@ module API ...@@ -79,6 +81,8 @@ module API
requires :id, type: String, desc: 'The project ID' requires :id, type: String, desc: 'The project ID'
end end
resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do
allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }
desc 'Get raw file metadata from repository' desc 'Get raw file metadata from repository'
params do params do
requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb' requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'
......
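Review bot: The `allow_access_with_scope` line keys the read_repository allowance on the HTTP verb rather than on specific routes, so any GET or HEAD endpoint added later inside this `resource :projects` block becomes reachable with a read-only token automatically, and nothing in the code states that this is the intended contract. I would document it where the allowance is declared, with a comment such as `# A read_repository token may only reach the read-only (GET/HEAD) file endpoints below; the write endpoints in this resource are not widened by this allowance`, so a future route addition is reviewed against that intent. As a point of style, the lambda is written `-> (request)` with a space before the parameter list, while the community style is `->(request)`. The `resource :projects` block this line sits in starts and ends outside the hunk, as does the class body that receives `include APIGuard`.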
...@@ -121,6 +121,13 @@ describe API::Files do ...@@ -121,6 +121,13 @@ describe API::Files do
end end
end end
context 'when PATs are used' do
it_behaves_like 'repository files' do
let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
let(:current_user) { { personal_access_token: token } }
end
end
context 'when authenticated', 'as a developer' do context 'when authenticated', 'as a developer' do
it_behaves_like 'repository files' do it_behaves_like 'repository files' do
let(:current_user) { user } let(:current_user) { user }
...@@ -217,6 +224,13 @@ describe API::Files do ...@@ -217,6 +224,13 @@ describe API::Files do
end end
end end
context 'when PATs are used' do
it_behaves_like 'repository files' do
let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
let(:current_user) { { personal_access_token: token } }
end
end
context 'when unauthenticated', 'and project is private' do context 'when unauthenticated', 'and project is private' do
it_behaves_like '404 response' do it_behaves_like '404 response' do
let(:request) { get api(route(file_path)), params } let(:request) { get api(route(file_path)), params }
...@@ -317,6 +331,21 @@ describe API::Files do ...@@ -317,6 +331,21 @@ describe API::Files do
let(:request) { get api(route(file_path), guest), params } let(:request) { get api(route(file_path), guest), params }
end end
end end
context 'when PATs are used' do
it 'returns file by commit sha' do
token = create(:personal_access_token, scopes: ['read_repository'], user: user)
# This file is deleted on HEAD
file_path = "files%2Fjs%2Fcommit%2Ejs%2Ecoffee"
params[:ref] = "6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9"
expect(Gitlab::Workhorse).to receive(:send_git_blob)
get api(route(file_path) + "/raw", personal_access_token: token), params
expect(response).to have_gitlab_http_status(200)
end
end
end end
describe "POST /projects/:id/repository/files/:file_path" do describe "POST /projects/:id/repository/files/:file_path" do
......
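Review bot: The three new spec contexts only exercise the positive half of the change, that a personal access token scoped to read_repository can GET file metadata and raw blobs; there is no spec asserting that the same token is still refused on the write endpoints, which is the property the `request.get? || request.head?` guard exists to enforce. Without a negative case a later loosening of that guard would pass this suite unnoticed. I would add one such example under the `POST /projects/:id/repository/files/:file_path` describe that starts at the end of this section, using the same factory call as the new GET example and expecting the status APIGuard returns for an insufficient scope (403, if I recall correctly; confirm against APIGuard); the `route`/`params` helpers are assumed to be available in that describe as they are in the GET contexts shown here, which I cannot see. The shared example 'repository files' and the enclosing describe blocks are defined outside the hunk.
```ruby
# … unchanged: existing POST examples …
context 'when PATs are used' do
  it 'rejects a token that only has the read_repository scope' do
    token = create(:personal_access_token, scopes: ['read_repository'], user: user)
    post api(route(file_path), personal_access_token: token), params
    expect(response).to have_gitlab_http_status(403)
  end
end
```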