Merge branch 'broaden-access-scope-for-version-api' into 'master'

Broaden access scope for Version API See merge request gitlab-org/gitlab!25211

Merge branch 'broaden-access-scope-for-version-api' into 'master'
Broaden access scope for Version API See merge request gitlab-org/gitlab!25211
9adaae0b · Robert Speicher · 1c9a8c8c · 46e88b15 · 9adaae0b · 9adaae0b
Commit 9adaae0b authored Feb 24, 2020 by Robert Speicher
3 changed files
--- a/changelogs/unreleased/broaden-access-scope-for-version-api.yml
+++ b/changelogs/unreleased/broaden-access-scope-for-version-api.yml
+---
+title: Allow access to /version API endpoint with read_user scope
+merge_request: 25211
+author:
+type: changed
--- a/lib/api/version.rb
+++ b/lib/api/version.rb
@@ -3,6 +3,9 @@
 module API
  class Version < Grape::API
    helpers ::API::Helpers::GraphqlHelpers
+    include APIGuard
+
+    allow_access_with_scope :read_user, if: -> (request) { request.get? }

    before { authenticate! }


--- a/spec/requests/api/version_spec.rb
+++ b/spec/requests/api/version_spec.rb
@@ -12,17 +12,55 @@ describe API::Version do
      end
    end

-    context 'when authenticated' do
+    context 'when authenticated as user' do
      let(:user) { create(:user) }

      it 'returns the version information' do
        get api('/version', user)

-        expect(response).to have_gitlab_http_status(200)
-        expect(json_response['version']).to eq(Gitlab::VERSION)
-        expect(json_response['revision']).to eq(Gitlab.revision)
+        expect_version
      end
    end
+
+    context 'when authenticated with token' do
+      let(:personal_access_token) { create(:personal_access_token, scopes: scopes) }
+
+      context 'with api scope' do
+        let(:scopes) { %i(api) }
+
+        it 'returns the version information' do
+          get api('/version', personal_access_token: personal_access_token)
+
+          expect_version
+        end
+      end
+
+      context 'with read_user scope' do
+        let(:scopes) { %i(read_user) }
+
+        it 'returns the version information' do
+          get api('/version', personal_access_token: personal_access_token)
+
+          expect_version
+        end
+      end
+
+      context 'with neither api nor read_user scope' do
+        let(:scopes) { %i(read_repository) }
+
+        it 'returns authorization error' do
+          get api('/version', personal_access_token: personal_access_token)
+
+          expect(response).to have_gitlab_http_status(403)
+        end
+      end
+    end
+
+    def expect_version
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response['version']).to eq(Gitlab::VERSION)
+      expect(json_response['revision']).to eq(Gitlab.revision)
+    end
  end

  context 'with graphql enabled' do