Commit 5fe1bd6f authored by Peter Leitzen's avatar Peter Leitzen

Merge branch 'fiw-username-override' into 'master'

Prevent username overriding while creating a Deploy Token via the API.

Closes #211963

See merge request gitlab-org/gitlab!28175
parents 4268d385 f2e6e7dc
---
title: Prevent overriding the username when creating a Deploy Token via the API
merge_request: 28175
author: Ayoub Mrini
type: fixed
......@@ -8,7 +8,7 @@ module API
def scope_params
scopes = params.delete(:scopes)
result_hash = {}
result_hash = Hashie::Mash.new
result_hash[:read_registry] = scopes.include?('read_registry')
result_hash[:write_registry] = scopes.include?('write_registry')
result_hash[:read_repository] = scopes.include?('read_repository')
......
......@@ -205,10 +205,11 @@ describe API::DeployTokens do
context 'deploy token creation' do
shared_examples 'creating a deploy token' do |entity, unauthenticated_response|
let(:expires_time) { 1.year.from_now }
let(:params) do
{
name: 'Foo',
expires_at: 1.year.from_now,
expires_at: expires_time,
scopes: [
'read_repository'
],
......@@ -240,6 +241,10 @@ describe API::DeployTokens do
expect(response).to have_gitlab_http_status(:created)
expect(response).to match_response_schema('public_api/v4/deploy_token')
expect(json_response['name']).to eq('Foo')
expect(json_response['scopes']).to eq(['read_repository'])
expect(json_response['username']).to eq('Bar')
expect(json_response['expires_at'].to_time.to_i).to eq(expires_time.to_i)
end
context 'with no optional params given' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment