Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/issues.rb | 3 | ||||
-rw-r--r-- | lib/gitlab/auth/scope_validator.rb | 24 | ||||
-rw-r--r-- | lib/gitlab/graphql/authorize/object_authorization.rb | 45 | ||||
-rw-r--r-- | lib/gitlab/pagination/gitaly_keyset_pager.rb | 4 |
4 files changed, 71 insertions, 5 deletions
diff --git a/lib/api/issues.rb b/lib/api/issues.rb
index ea09174f03a..fcbd453d402 100644
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
@@ -236,7 +236,6 @@ module API
 authorize! :create_issue, user_project
 issue_params = declared_params(include_missing: false)
- issue_params[:system_note_timestamp] = params[:created_at]
 issue_params = convert_parameters_from_legacy_format(issue_params)
@@ -280,8 +279,6 @@ module API
 issue = user_project.issues.find_by!(iid: params.delete(:issue_iid))
 authorize! :update_issue, issue
- issue.system_note_timestamp = params[:updated_at]
-
 update_params = declared_params(include_missing: false).merge(request: request, api: true)
 update_params = convert_parameters_from_legacy_format(update_params)
diff --git a/lib/gitlab/auth/scope_validator.rb b/lib/gitlab/auth/scope_validator.rb
new file mode 100644
index 00000000000..de4c36ad594
--- /dev/null
+++ b/lib/gitlab/auth/scope_validator.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+# Wrapper around a RequestAuthenticator to
+# perform authorization of scopes. Access is limited to
+# only those methods needed to validate that an API user
+# has at least one permitted scope.
+module Gitlab
+ module Auth
+ class ScopeValidator
+ def initialize(api_user, request_authenticator)
+ @api_user = api_user
+ @request_authenticator = request_authenticator
+ end
+
+ def valid_for?(permitted)
+ return true unless @api_user
+ return true if permitted.none?
+
+ scopes = permitted.map { |s| API::Scope.new(s) }
+ @request_authenticator.valid_access_token?(scopes: scopes)
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/graphql/authorize/object_authorization.rb b/lib/gitlab/graphql/authorize/object_authorization.rb
new file mode 100644
index 00000000000..f13acc9ea27
--- /dev/null
+++ b/lib/gitlab/graphql/authorize/object_authorization.rb
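Review bot: `valid_for?` returns true whenever `@api_user` is nil or `permitted` is empty, so an unauthenticated request and a caller that declares no scopes both skip scope validation entirely; nothing in the class says these are intentional fail-open paths, and the header comment ("has at least one permitted scope") would lead a reader to expect the opposite. A comment above the two guards, e.g. `# No API user: scope checks do not apply, ability checks still decide. No permitted scopes: nothing to enforce.`, would make the contract explicit for callers. `permitted.none?` tests that no element is truthy rather than that the collection is empty, so `[nil]` counts as "no scopes"; `return true if permitted.empty?` says what is meant. Whether `valid_access_token?` requires any or all of `scopes` cannot be seen from this hunk.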
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module Graphql
+ module Authorize
+ class ObjectAuthorization
+ attr_reader :abilities, :permitted_scopes
+
+ def initialize(abilities, scopes = %i[api read_api])
+ @abilities = Array.wrap(abilities).flatten
+ @permitted_scopes = Array.wrap(scopes)
+ end
+
+ def none?
+ abilities.empty?
+ end
+
+ def any?
+ abilities.present?
+ end
+
+ def ok?(object, current_user, scope_validator: nil)
+ scopes_ok?(scope_validator) && abilities_ok?(object, current_user)
+ end
+
+ private
+
+ def abilities_ok?(object, current_user)
+ return true if none?
+
+ subject = object.try(:declarative_policy_subject) || object
+ abilities.all? do |ability|
+ Ability.allowed?(current_user, ability, subject)
+ end
+ end
+
+ def scopes_ok?(validator)
+ return true unless validator.present?
+
+ validator.valid_for?(permitted_scopes)
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/pagination/gitaly_keyset_pager.rb b/lib/gitlab/pagination/gitaly_keyset_pager.rb
index 1350168967e..b05891066ac 100644
--- a/lib/gitlab/pagination/gitaly_keyset_pager.rb
+++ b/lib/gitlab/pagination/gitaly_keyset_pager.rb
@@ -26,11 +26,11 @@ module Gitlab
 private
 def keyset_pagination_enabled?
- Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true) && params[:pagination] == 'keyset'
+ Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml) && params[:pagination] == 'keyset'
 end
 def paginate_first_page?
- Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: true) && (params[:page].blank? || params[:page].to_i == 1)
+ Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml) && (params[:page].blank? || params[:page].to_i == 1)
 end
 def paginate_via_gitaly(finder)
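Review bot: `ok?` answers true without consulting any validator when `scope_validator` is omitted (`scopes_ok?` returns true for a nil or blank validator) and without any ability check when `abilities` is empty (`abilities_ok?` returns true on `none?`), so a caller that forgets to pass the validator or declares no abilities is silently authorized rather than rejected. Both fail-open paths look deliberate but are undocumented; a YARD comment on `ok?` such as `# @return [Boolean] true when the token scopes and every ability pass; with no abilities or no validator the corresponding check is skipped, not failed.` would make the contract explicit. The `return true if none?` guard in `abilities_ok?` is redundant — `abilities.all?` already returns true for an empty array — and could be dropped or kept purely as a readability marker. Whether `Ability.allowed?` treats a nil `current_user` as anonymous is not visible in this hunk.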
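Review bot: The `Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml)` call is duplicated in `keyset_pagination_enabled?` and `paginate_first_page?`, and this commit had to edit both copies just to change the default; a single private predicate keeps the flag name and its default source in one place so the two methods cannot drift apart. The change moves the effective default from the literal `true` to whatever `:yaml` resolves to (presumably the flag's definition file), which the rest of the hunk leaves unchanged. The enclosing class and `paginate_via_gitaly` continue outside the hunk.
```ruby
def keyset_pagination_enabled?
  branch_list_keyset_pagination_enabled? && params[:pagination] == 'keyset'
end

def paginate_first_page?
  branch_list_keyset_pagination_enabled? && (params[:page].blank? || params[:page].to_i == 1)
end

# Single source of truth for the flag name and its default.
def branch_list_keyset_pagination_enabled?
  Feature.enabled?(:branch_list_keyset_pagination, project, default_enabled: :yaml)
end

# … unchanged: paginate_via_gitaly …
```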