diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-20 07:40:24 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-28 07:17:13 +0000 |
| commit | 6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b (patch) | |
| tree | b9de79a82757d00156ddf2f86453ae5b2ee7944d /lib/api/api_guard.rb | |
| parent | 08ad0af49c017d740b43588c0809b3811d25a448 (diff) | |
| download | gitlab-ce-6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b.tar.gz | |
Initial attempt at refactoring API scope declarations.
- Declaring an endpoint's scopes in a `before` block has proved to be
unreliable. For example, if we're accessing the `API::Users` endpoint - code
in a `before` block in `API::API` wouldn't be able to see the scopes set in
`API::Users` since the `API::API` `before` block runs first.
- This commit moves these declarations to the class level, since they don't need
to change once set.
Diffstat (limited to 'lib/api/api_guard.rb')
| -rw-r--r-- | lib/api/api_guard.rb | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 9fcf04efa38..9a9e32a0242 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -23,6 +23,27 @@ module API install_error_responders(base) end + class_methods do + # Set the authorization scope(s) allowed for the current request. + # + # A call to this method adds to any previous scopes in place, either from the same class, or + # higher up in the inheritance chain. For example, if we call `allow_access_with_scope :api` from + # `API::API`, and `allow_access_with_scope :read_user` from `API::Users` (which inherits from `API::API`), + # `API::Users` will allow access with either the `api` or `read_user` scope. `API::API` will allow + # access only with the `api` scope. + def allow_access_with_scope(scopes, options = {}) + @scopes ||= [] + + params = Array.wrap(scopes).map { |scope| { name: scope, if: options[:if] } } + + @scopes.concat(params) + end + + def scopes + @scopes + end + end + # Helper Methods for Grape Endpoint module HelperMethods # Invokes the doorkeeper guard. @@ -74,18 +95,6 @@ module API @current_user end - # Set the authorization scope(s) allowed for the current request. - # - # Note: A call to this method adds to any previous scopes in place. This is done because - # `Grape` callbacks run from the outside-in: the top-level callback (API::API) runs first, then - # the next-level callback (API::API::Users, for example) runs. All these scopes are valid for the - # given endpoint (GET `/api/users` is accessible by the `api` and `read_user` scopes), and so they - # need to be stored. - def allow_access_with_scope(*scopes) - @scopes ||= [] - @scopes.concat(scopes.map(&:to_s)) - end - private def find_user_by_authentication_token(token_string) |