authorLin Jen-Shin <godfat@godfat.org>2016-10-25 02:13:24 +0800
committerLin Jen-Shin <godfat@godfat.org>2016-10-25 02:13:24 +0800
commit600da9ee0bb823e4b14fd45d6ff0e5f0b61b9737 (patch)
treef91eeeee22da72eed5bdf5b87ca27bdc95b136a0 /lib/api/helpers.rb
parent40ff7579e9ba025610dfada9703386b4dc657d6d (diff)
parentcb38290ababe43aca0c635fb87d3a38c4c5debcd (diff)
Merge remote-tracking branch 'upstream/master' into 19737-read-only-auditor19737-read-only-auditor
* upstream/master: (1277 commits) Grapify the labels API Fix typo in project settings that prevents users from enabling container registry. Fix old monitoring links to point to the new location Added path parameter to Commits API fixes build with cache:clear issue Merge branch 'security-fix-leaking-namespace-name' into 'security' Fix authored vote from notes Grapify builds API Add changelog item for groups 404 on relative url Add relative url support to routing contrainers Update project member controller to match recent master logic Add parentheses around return redirect_to method Trigger change even in select2 test helper to produce production-like behaviour Refactor js that disable form submit if no members selected Improve create project member test at project_members_controller_spec Move changelog item to 8.14 Refactor create member tests from group_members_controller_spec Refactor groups/projects members controller Gracefully handle adding of no users to projects and groups Revert "Change "Group#web_url" to return "/groups/twitter" rather than "/twitter"." ...
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r--lib/api/helpers.rb26
1 files changed, 14 insertions, 12 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 9d71e90075a..d05841def89 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -21,8 +21,11 @@ module API
end
# Check the Rails session for valid authentication details
+ #
+ # Until CSRF protection is added to the API, disallow this method for
+ # state-changing endpoints
def find_user_from_warden
- warden ? warden.authenticate : nil
+ warden.try(:authenticate) if %w[GET HEAD].include?(env['REQUEST_METHOD'])
end
def find_user_by_private_token
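Review bot: The guard on the `+` line ties session-based authentication to `env['REQUEST_METHOD']`, so its safety rests on every GET/HEAD endpoint being free of side effects, and on that value not having been rewritten by a method-override middleware earlier in the stack; neither assumption is stated. I would extend the new comment with `# Assumes GET/HEAD endpoints have no side effects; a state-changing GET would still be reachable with a session cookie.` The literal `%w[GET HEAD]` is also rebuilt on every call and would read better as a frozen constant, `SAFE_METHODS = %w[GET HEAD].freeze`, used as `SAFE_METHODS.include?(env['REQUEST_METHOD'])`, though the constant would need a home outside this hunk.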
@@ -68,6 +71,10 @@ module API
@project ||= find_project(params[:id])
end
+ def available_labels
+ @available_labels ||= LabelsFinder.new(current_user, project_id: user_project.id).execute
+ end
+
def find_project(id)
project = Project.find_with_namespace(id) || Project.find_by(id: id)
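Review bot: `available_labels` is undocumented, and its scope differs from the `user_project.labels` it replaces elsewhere in this commit: it is whatever LabelsFinder yields for current_user and user_project.id, memoized for the request. I would add above it `# Labels that LabelsFinder exposes to current_user for user_project; memoized per request, so the first caller fixes the result.` The memoization key ignores the project, which only holds while a request resolves a single user_project, and that is worth stating. find_project's body continues outside the hunk.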
@@ -115,7 +122,7 @@ module API
end
def find_project_label(id)
- label = user_project.labels.find_by_id(id) || user_project.labels.find_by_title(id)
+ label = available_labels.find_by_id(id) || available_labels.find_by_title(id)
label || not_found!('Label')
end
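Review bot: The lookup on the `+` line now resolves against `available_labels` rather than `user_project.labels`, so if LabelsFinder returns labels not owned by user_project (it is handed only a project_id, so this is plausible but not visible here), a label found this way may belong to a different owner. Any caller that goes on to update or delete the result should authorize against the label's actual owner rather than user_project alone; if that is already guaranteed elsewhere, a comment saying so here would save the next reader the search. The parameter is also tried as a numeric id before a title, which the name `find_project_label(id)` does not convey; `# id may be a numeric id or an exact title; the id match wins when both exist` would document it.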
@@ -194,16 +201,11 @@ module API
def validate_label_params(params)
errors = {}
- if params[:labels].present?
- params[:labels].split(',').each do |label_name|
- label = user_project.labels.create_with(
- color: Label::DEFAULT_COLOR).find_or_initialize_by(
- title: label_name.strip)
+ params[:labels].to_s.split(',').each do |label_name|
+ label = available_labels.find_or_initialize_by(title: label_name.strip)
+ next if label.valid?
- if label.invalid?
- errors[label.title] = label.errors
- end
- end
+ errors[label.title] = label.errors
end
errors
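Review bot: The `find_or_initialize_by` on the second `+` line drops the `create_with(color: Label::DEFAULT_COLOR)` that the removed code applied, so a label built for an unknown name carries no color; if Label validates color presence (not visible here), every new name would now be reported as invalid. The block form restores the default only for freshly built records: `label = available_labels.find_or_initialize_by(title: label_name.strip) { |l| l.color = Label::DEFAULT_COLOR }`. Because the relation now comes from LabelsFinder rather than `user_project.labels`, it is also worth confirming that the initialized record still receives project_id from the relation's where clause. validate_label_params's closing `end` is outside the hunk.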
@@ -430,7 +432,7 @@ module API
end
def secret_token
- File.read(Gitlab.config.gitlab_shell.secret_file).chomp
+ Gitlab::Shell.secret_token
end
def send_git_blob(repository, blob)
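Review bot: The replacement on the `+` line drops the explicit `.chomp` that the removed `File.read` line applied, so `Gitlab::Shell.secret_token` must strip the trailing newline itself or the token will no longer match byte-for-byte where it is compared; that cannot be confirmed from this hunk. A short comment would make the contract explicit: `# Gitlab::Shell.secret_token returns the token without its trailing newline`. If that helper also caches the value, the previous per-call disk read is gone as well, which is worth noting here or in the changelog.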