delta/gitlab/gitlab-ce.git/lib/api/api_guard.rb, branch replace_explore_projects.feature gitlab.com: gitlab-org/gitlab-ce.git Make sure API responds with 401 when invalid authentication info is provided 2017-09-28T12:17:52+00:00 Douwe Maan douwe@selenight.nl 2017-09-27T13:31:52+00:00 b6c5a73c0bc0bc68ca8c66a5cefa50d314cc164a 






Whitelist or fix additional `Gitlab/PublicSend` cop violations
2017-08-14T16:14:11+00:00

Robert Speicher
rspeicher@gmail.com

2017-08-10T16:39:26+00:00

260c8da060a6039cbd47cfe31c8ec6d6f9b43de0

An upcoming update to rubocop-gitlab-security added additional
violations.





An upcoming update to rubocop-gitlab-security added additional
violations.







Extract a `Gitlab::Scope` class.
2017-06-29T06:15:57+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-28T07:12:23+00:00

b8ec1f4201c74c500e4f7010b238c7920599da7a

- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.





- To represent an authorization scope, such as `api` or `read_user`
- This is a better abstraction than the hash we were previously using.







Implement review comments from @DouweM for !12300.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-26T04:14:10+00:00

c1fcd730cc9dbee5b41ce2a6a12f8d84416b1a4a

- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`

- Refactor the "remove scopes whose :if condition returns false" logic to use a
  `select` rather than a `reject`.





- Use a struct for scopes, so we can call `scope.if` instead of `scope[:if]`

- Refactor the "remove scopes whose :if condition returns false" logic to use a
  `select` rather than a `reject`.







Implement review comments from @dbalexandre for !12300.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-23T11:18:44+00:00

4dbfa14e160e0d9bca11941adcf04b3d272aa1a2












Fix remaining spec failures for !12300.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-21T09:22:39+00:00

1b8223dd51345f6075172a92dab610f9dee89d84

1. Get the spec for `lib/gitlab/auth.rb` passing.

  - Make the `request` argument to `AccessTokenValidationService` optional -
  `auth.rb` doesn't need to pass in a request.

  - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
  is what `AccessTokenValidationService` now expects.

2. Get the spec for `API::V3::Users` passing

2. Get the spec for `AccessTokenValidationService` passing





1. Get the spec for `lib/gitlab/auth.rb` passing.

  - Make the `request` argument to `AccessTokenValidationService` optional -
  `auth.rb` doesn't need to pass in a request.

  - Pass in scopes in the format `[{ name: 'api' }]` rather than `['api']`, which
  is what `AccessTokenValidationService` now expects.

2. Get the spec for `API::V3::Users` passing

2. Get the spec for `AccessTokenValidationService` passing







When verifying scopes, manually include scopes from `API::API`.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-20T12:00:57+00:00

d774825f981a73263c9a6c276c672b0c3e9bf104

- They are not included automatically since `API::Users` does not inherit from
  `API::API`, as I initially assumed.

- Scopes declared in `API::API` are considered global (to the API), and need to
  be included in all cases.





- They are not included automatically since `API::Users` does not inherit from
  `API::API`, as I initially assumed.

- Scopes declared in `API::API` are considered global (to the API), and need to
  be included in all cases.







Allow API scope declarations to be applied conditionally.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-20T08:27:45+00:00

80c1ebaa83f346e45346baac584f21878652c350

- Scope declarations of the form:

    allow_access_with_scope :read_user, if: -> (request) { request.get? }

  will only apply for `GET` requests

- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
  test for this case in the `AccessTokenValidationService` unit tests.





- Scope declarations of the form:

    allow_access_with_scope :read_user, if: -> (request) { request.get? }

  will only apply for `GET` requests

- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
  test for this case in the `AccessTokenValidationService` unit tests.







Initial attempt at refactoring API scope declarations.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-20T07:40:24+00:00

6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b

- Declaring an endpoint's scopes in a `before` block has proved to be
  unreliable. For example, if we're accessing the `API::Users` endpoint - code
  in a `before` block in `API::API` wouldn't be able to see the scopes set in
  `API::Users` since the `API::API` `before` block runs first.

- This commit moves these declarations to the class level, since they don't need
  to change once set.





- Declaring an endpoint's scopes in a `before` block has proved to be
  unreliable. For example, if we're accessing the `API::Users` endpoint - code
  in a `before` block in `API::API` wouldn't be able to see the scopes set in
  `API::Users` since the `API::API` `before` block runs first.

- This commit moves these declarations to the class level, since they don't need
  to change once set.







Enable Style/Proc cop for rubocop
2017-04-02T09:48:43+00:00

mhasbini
mohammad.hasbini@gmail.com

2017-03-31T15:11:28+00:00

0a09925dcef1976970bc2674432f69d46786c38f