Calls to the API are checked for scope.

- Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
author: Timothy Andrew <mail@timothyandrew.net> 2016-11-22 14:34:23 +0530
committer: Timothy Andrew <mail@timothyandrew.net> 2016-12-16 16:29:31 +0530
commit: 7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch)
tree: d2565cdc70269e5f244e7cf542170b0d5d8cf7aa /lib/api/api.rb
parent: 6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff)
download: gitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/lib/api/api.rb b/lib/api/api.rb
index cec2702e44d..9d5adffd8f4 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -3,6 +3,8 @@ module API
     include APIGuard
     version 'v3', using: :path
 
+    before { allow_access_with_scope :api }
+
     rescue_from Gitlab::Access::AccessDeniedError do
       rack_response({ 'message' => '403 Forbidden' }.to_json, 403)
     end
author	Timothy Andrew <mail@timothyandrew.net>	2016-11-22 14:34:23 +0530
committer	Timothy Andrew <mail@timothyandrew.net>	2016-12-16 16:29:31 +0530
commit	7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch)
tree	d2565cdc70269e5f244e7cf542170b0d5d8cf7aa /lib/api/api.rb
parent	6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff)
download	gitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz