Commit 9adaae0b authored by Robert Speicher's avatar Robert Speicher

Merge branch 'broaden-access-scope-for-version-api' into 'master'

Broaden access scope for Version API

See merge request gitlab-org/gitlab!25211
parents 1c9a8c8c 46e88b15
---
title: Allow access to /version API endpoint with read_user scope
merge_request: 25211
author:
type: changed
......@@ -3,6 +3,9 @@
module API
class Version < Grape::API
helpers ::API::Helpers::GraphqlHelpers
include APIGuard
allow_access_with_scope :read_user, if: -> (request) { request.get? }
before { authenticate! }
......
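Review bot: The `allow_access_with_scope :read_user` line is declared on the whole `API::Version` class, so the `request.get?` predicate is the only limit on a read_user token, and any GET route added to this class later inherits the wider scope without a separate decision. A comment above it would record that intent, for example `# read_user is sufficient: GET /version only returns version and revision; new routes in this class inherit this scope`. The class also registers `GraphqlHelpers`, so the endpoint can presumably be answered through a GraphQL call; if so, confirm that path runs a fixed query which the token holder cannot influence. The class body continues outside the hunk.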
......@@ -12,17 +12,55 @@ describe API::Version do
end
end
context 'when authenticated' do
context 'when authenticated as user' do
let(:user) { create(:user) }
it 'returns the version information' do
get api('/version', user)
expect(response).to have_gitlab_http_status(200)
expect(json_response['version']).to eq(Gitlab::VERSION)
expect(json_response['revision']).to eq(Gitlab.revision)
expect_version
end
end
context 'when authenticated with token' do
let(:personal_access_token) { create(:personal_access_token, scopes: scopes) }
context 'with api scope' do
let(:scopes) { %i(api) }
it 'returns the version information' do
get api('/version', personal_access_token: personal_access_token)
expect_version
end
end
context 'with read_user scope' do
let(:scopes) { %i(read_user) }
it 'returns the version information' do
get api('/version', personal_access_token: personal_access_token)
expect_version
end
end
context 'with neither api nor read_user scope' do
let(:scopes) { %i(read_repository) }
it 'returns authorization error' do
get api('/version', personal_access_token: personal_access_token)
expect(response).to have_gitlab_http_status(403)
end
end
end
def expect_version
expect(response).to have_gitlab_http_status(200)
expect(json_response['version']).to eq(Gitlab::VERSION)
expect(json_response['revision']).to eq(Gitlab.revision)
end
end
context 'with graphql enabled' do
......
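Review bot: The new token-scope contexts sit under 'when authenticated', so the read_user and 403 cases appear to run only on the non-GraphQL path; the 'with graphql enabled' context is cut off at the end of the hunk, so this cannot be confirmed from here. If the GraphQL-backed response is a separate code path, the scope cases should run there too. Moving the three scope contexts into a shared example group and including it in both places would cover that, e.g. `it_behaves_like 'version API token scopes'` (the group name is a suggestion). A non-GET request made with a read_user token is also untested, so nothing pins the `request.get?` condition on `API::Version`.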