8aed9f08
Commit
8aed9f08
authored
Jul 15, 2018
by
Warren Parad
Add authenticate to events api. fix #49255
parent
6f21652f
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
62 additions
and
8 deletions
+62
-8
changelogs/unreleased/fix_event_api_permissions.yml
changelogs/unreleased/fix_event_api_permissions.yml
+5
-0
doc/api/events.md
doc/api/events.md
+8
-4
lib/api/events.rb
lib/api/events.rb
+5
-0
spec/requests/api/events_spec.rb
spec/requests/api/events_spec.rb
+44
-4
changelogs/unreleased/fix_event_api_permissions.yml
0 → 100644
---
title
:
'
Events
API
now
requires
the
read_user
or
api
scope.'
merge_request
:
20627
author
:
Warren Parad
type
:
fixed
doc/api/events.md
...
...
@@ -48,9 +48,11 @@ GitLab removes events older than 1 year from the events table for performance re
## List currently authenticated user's events
>**Note:** This endpoint was introduced in GitLab 9.3.
>**Notes:**
> This endpoint was introduced in GitLab 9.3.
> `read_user` access was introduced in GitLab 11.3.
Get a list of events for the authenticated user.
Get a list of events for the authenticated user.
Scope
`read_user`
or
`api`
is required.
```
GET /events
...
...
@@ -119,9 +121,11 @@ Example response:
### Get user contribution events
>**Note:** Documentation was formerly located in the [Users API pages][users-api].
>**Notes:**
> Documentation was formerly located in the [Users API pages][users-api].
> `read_user` access was introduced in GitLab 11.3.
Get the contribution events for the specified user, sorted from newest to oldest.
Get the contribution events for the specified user, sorted from newest to oldest.
Scope
`read_user`
or
`api`
is required.
```
GET /users/:id/events
...
...
lib/api/events.rb
module
API
class
Events
<
Grape
::
API
include
PaginationParams
include
APIGuard
helpers
do
params
:event_filter_params
do
...
...
@@ -24,6 +25,8 @@ module API
end
resource
:events
do
allow_access_with_scope
:read_user
,
if:
->
(
request
)
{
request
.
get?
}
desc
"List currently authenticated user's events"
do
detail
'This feature was introduced in GitLab 9.3.'
success
Entities
::
Event
...
...
@@ -46,6 +49,8 @@ module API
requires
:id
,
type:
String
,
desc:
'The ID or Username of the user'
end
resource
:users
do
allow_access_with_scope
:read_user
,
if:
->
(
request
)
{
request
.
get?
}
desc
'Get the contribution events of a specified user'
do
detail
'This feature was introduced in GitLab 8.13.'
success
Entities
::
Event
...
...
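Review bot: The line `allow_access_with_scope :read_user, if: -> (request) { request.get? }` is repeated verbatim in `resource :events` and again in `resource :users` (second hunk, `@@ -46,6 +49,8 @@`), and neither copy says why the extra scope is limited to GET. If APIGuard keeps `allowed_scopes` once per class rather than per namespace, the second call only appends a duplicate `Scope` entry; either way a single declaration next to `include APIGuard`, with a comment such as `# Every events endpoint is read-only, so a read_user token is accepted for GET; other verbs fall back to the default api scope.`, would make the intent explicit and keep any endpoint added to this class later consistent. Both `resource` blocks continue outside the hunk, so whether `authenticate!` is actually invoked in each endpoint (as the commit title states) cannot be confirmed from these lines.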
spec/requests/api/events_spec.rb
...
...
@@ -2,9 +2,9 @@ require 'spec_helper'
describe
API
::
Events
do
include
ApiHelpers
let
(
:user
)
{
create
(
:user
)
}
let
(
:non_member
)
{
create
(
:user
)
}
let
(
:other_user
)
{
create
(
:user
,
username:
'otheruser'
)
}
let
(
:private_project
)
{
create
(
:project
,
:private
,
creator_id:
user
.
id
,
namespace:
user
.
namespace
)
}
let
(
:closed_issue
)
{
create
(
:closed_issue
,
project:
private_project
,
author:
user
)
}
let!
(
:closed_issue_event
)
{
create
(
:event
,
project:
private_project
,
author:
user
,
target:
closed_issue
,
action:
Event
::
CLOSED
,
created_at:
Date
.
new
(
2016
,
12
,
30
))
}
...
...
@@ -28,12 +28,52 @@ describe API::Events do
expect
(
json_response
.
size
).
to
eq
(
1
)
end
end
context
'when the requesting token has "read_user" scope'
do
let
(
:token
)
{
create
(
:personal_access_token
,
scopes:
[
'read_user'
],
user:
user
)
}
it
'returns users events'
do
get
api
(
'/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31'
,
personal_access_token:
token
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
response
).
to
include_pagination_headers
expect
(
json_response
).
to
be_an
Array
expect
(
json_response
.
size
).
to
eq
(
1
)
end
end
context
'when the requesting token does not have "read_user" or "api" scope'
do
let
(
:token_without_scopes
)
{
create
(
:personal_access_token
,
scopes:
[
'read_repository'
],
user:
user
)
}
it
'returns a "403" response'
do
get
api
(
'/events'
,
personal_access_token:
token_without_scopes
)
expect
(
response
).
to
have_gitlab_http_status
(
403
)
end
end
end
describe
'GET /users/:id/events'
do
context
"as a user that cannot see the event's project"
do
it
'returns no events'
do
get
api
(
"/users/
#{
user
.
id
}
/events"
,
other_user
)
context
"as a user that cannot see another user"
do
it
'returns a "404" response'
do
allow
(
Ability
).
to
receive
(
:allowed?
).
and_call_original
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
non_member
,
:read_user
,
user
).
and_return
(
false
)
get
api
(
"/users/
#{
user
.
id
}
/events"
,
non_member
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
json_response
).
to
be_empty
end
end
context
"as a user token that cannot see another user"
do
let
(
:non_member_token
)
{
create
(
:personal_access_token
,
scopes:
[
'read_user'
],
user:
non_member
)
}
it
'returns a "404" response'
do
allow
(
Ability
).
to
receive
(
:allowed?
).
and_call_original
allow
(
Ability
).
to
receive
(
:allowed?
).
with
(
non_member
,
:read_user
,
user
).
and_return
(
false
)
get
api
(
"/users/
#{
user
.
id
}
/events"
,
personal_access_token:
non_member_token
)
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
json_response
).
to
be_empty
...
...
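Review bot: The new example in context "as a user token that cannot see another user" is titled `it 'returns a "404" response'` but asserts `have_gitlab_http_status(200)` and an empty `json_response`, so the description contradicts what the test checks; rename it to `it 'returns no events'`. The neighbouring "as a user that cannot see another user" example carries the same mismatch, which looks pre-existing, and could be renamed in the same way. The 403 example for a `read_repository`-only token and the 200 example for a `read_user` token cover the two scope outcomes the changelog describes, but a `read_user` token requesting `/users/:id/events` for a user it can see is not exercised here, assuming nothing later in the file does so. The final context's closing `end`s lie outside the hunk.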