Commit b60fe2bd authored by Lorenz Leutgeb Committed by Michelle Gill

Allow non-admin user to get GPG keys

Removes the requirement of administration privileges for the
endpoint

    GET `/users/:id/gpg_keys`

With this change the scope `read_user` is now required.

Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/21584

Make GPG Keys public

Add changelog
parent 82f7405e
---
title: Allow a users public GPG Keys to be API accessible
merge_request: 43332
author:
type: added
......@@ -950,7 +950,7 @@ Returns `204 No Content` on success, or `404 Not found` if the key cannot be fou
## List all GPG keys for given user
Get a list of a specified user's GPG keys. Available only for admins.
Get a list of a specified user's GPG keys. This endpoint can be accessed without authentication.
```plaintext
GET /users/:id/gpg_keys
......
......@@ -348,7 +348,7 @@ module API
end
# rubocop: enable CodeReuse/ActiveRecord
desc 'Get the GPG keys of a specified user. Available only for admins.' do
desc 'Get the GPG keys of a specified user.' do
detail 'This feature was added in GitLab 10.0'
success Entities::GpgKey
end
......@@ -358,8 +358,6 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/gpg_keys' do
authenticated_as_admin!
user = User.find_by(id: params[:id])
not_found!('User') unless user
......
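Review bot: Dropping `authenticated_as_admin!` from `get ':id/gpg_keys'` leaves no access check in the hunk at all, while the commit description says the `read_user` scope is now required and the documentation hunk says the endpoint needs no authentication; those three statements cannot all hold, and the new `desc` line does not say which applies. If the route is meant to be reachable without authentication, say so in the API description, e.g. `desc 'Get the public GPG keys of a specified user. Accessible without authentication.' do`, and correct the `read_user` sentence in the commit message. The `User.find_by(id: params[:id])` lookup is carried over unchanged; whether it should follow the same visibility rules as the other unauthenticated user endpoints (blocked or otherwise hidden users) cannot be judged from this section and is worth confirming before the keys become world-readable. The `get` block continues past the end of the hunk.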
......@@ -1460,33 +1460,17 @@ RSpec.describe API::Users, :do_not_mock_admin_mode do
end
describe 'GET /user/:id/gpg_keys' do
context 'when unauthenticated' do
it 'returns authentication error' do
get api("/users/#{user.id}/gpg_keys")
expect(response).to have_gitlab_http_status(:unauthorized)
end
end
context 'when authenticated' do
it 'returns 404 for non-existing user' do
get api('/users/0/gpg_keys', admin)
get api('/users/0/gpg_keys')
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 User Not Found')
end
it 'returns 404 error if key not foud' do
delete api("/users/#{user.id}/gpg_keys/#{non_existing_record_id}", admin)
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 GPG Key Not Found')
end
it 'returns array of GPG keys' do
user.gpg_keys << gpg_key
get api("/users/#{user.id}/gpg_keys", admin)
get api("/users/#{user.id}/gpg_keys")
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
......@@ -1494,7 +1478,6 @@ RSpec.describe API::Users, :do_not_mock_admin_mode do
expect(json_response.first['key']).to eq(gpg_key.key)
end
end
end
describe 'DELETE /user/:id/gpg_keys/:key_id' do
context 'when unauthenticated' do
......
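Review bot: The surviving tests only exercise the unauthenticated path (`get api("/users/#{user.id}/gpg_keys")`); nothing in this section asserts that an authenticated non-admin user, which is what the commit title promises, also receives `:ok`, nor pins the `read_user` scope behaviour the description claims. One extra case next to 'returns array of GPG keys', such as `get api("/users/#{user.id}/gpg_keys", user)` followed by `expect(response).to have_gitlab_http_status(:ok)`, would document the intended access level. The deleted 'returns 404 error if key not foud' case issued a `delete` request from inside the GET describe block; if it was dropped rather than moved to the DELETE block, coverage for a missing key id on delete is lost, which this section does not show either way. The `describe 'GET /user/:id/gpg_keys'` block spans both hunks, so its final structure cannot be fully checked from here.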