summaryrefslogtreecommitdiff
path: root/lib/api/helpers.rb
Commit message (Collapse)AuthorAgeFilesLines
* Do not validate CSRF token in API unless neededdm-api-current-userDouwe Maan2017-08-021-0/+2
|
* Rescue only from ActionController::InvalidAuthenticityTokenDouwe Maan2017-07-261-2/+2
|
* Add `rescue false`.blackst0ne2017-07-261-1/+1
|
* Refactor CSRF protectionblackst0ne2017-07-261-30/+2
|
* Add CSRF token verification to APIblackst0ne2017-07-261-4/+34
|
* Add group milestones API endpointissue_34622Felipe Artur2017-07-211-0/+4
|
* Add user projects APIvanadium232017-07-061-1/+2
|
* Implement review comments from @dbalexandre for !12300.Timothy Andrew2017-06-281-2/+2
|
* When verifying scopes, manually include scopes from `API::API`.Timothy Andrew2017-06-281-4/+19
| | | | | | | | - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed. - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases.
* Allow API scope declarations to be applied conditionally.Timothy Andrew2017-06-281-1/+1
| | | | | | | | | | | - Scope declarations of the form: allow_access_with_scope :read_user, if: -> (request) { request.get? } will only apply for `GET` requests - Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests.
* Initial attempt at refactoring API scope declarations.Timothy Andrew2017-06-281-2/+4
| | | | | | | | | | - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set.
* Enable the Style/PreferredHashMethods coprc/enable-PreferredHashMethods-copRémy Coutable2017-06-021-1/+1
| | | | Signed-off-by: Rémy Coutable <remy@rymai.me>
* Add missing specsKamil Trzcinski2017-06-011-0/+10
|
* Add :owned param to ProjectFinderToon Claes2017-05-301-5/+2
| | | | And use it in the API.
* Use helper to construct Finder paramsToon Claes2017-05-301-0/+10
| | | | | | | The ProjectsFinder and GroupFinder both support the same set of params. And the `/api/v4/projects` and `/api/v4/group/:id/projects` also support the same set of params. But they do not match the Finder params. So use a helper method to transform them.
* Use ProjectFinder to filter the projectsToon Claes2017-05-301-13/+0
| | | | | Instead of trying to do the heavy lifting in the API itself, use the existing features of the ProjectFinder.
* Handle `membership` in ProjectFinderToon Claes2017-05-301-4/+0
| | | | | The ProjectFinder supports the `non_public` parameter. This can be used to find only projects the user is member of.
* Merge branch '27144-enforce-rubocop-trailing_commas-no_comma-style' into ↵Robert Speicher2017-05-101-1/+1
|\ | | | | | | | | | | | | | | | | | | 'master' Resolve "Use consistent style for trailing commas" Closes #27144 See merge request !11063
| * Enable the Style/TrailingCommaInArguments copRémy Coutable2017-05-101-1/+1
| | | | | | | | | | | | Use the EnforcedStyleForMultiline: no_comma option. Signed-off-by: Rémy Coutable <remy@rymai.me>
* | Use new SnippetsFinder signature in APIbvl-security-patchesBob Van Landuyt2017-05-101-2/+2
|/
* Allow admins to sudo to blocked users.29505-allow-admins-sudo-to-blocked-usersTimothy Andrew2017-04-261-1/+1
| | | | | | | | | | - Currently, (for example) admins can't delete snippets for blocked users, which is an unexpected limitation. - We modify `authenticate!` to conduct the `access_api` policy check against the `initial_current_user`, instead of the user being impersonated. - Update CHANGELOG for !10842
* Remove the User#is_admin? methodblackst0ne2017-04-091-2/+2
|
* API: Make the /notes endpoint work with noteable iid instead of idToon Claes2017-03-271-0/+5
| | | | | | | | | | | | | | | | In API V4 all endpoints were changed so Merge Requests and Issues should be referred by iid, instead of id. Except the /notes endpoint was forgotten. So change the endpoints from: - /projects/:id/issues/:issue_id/notes - /projects/:id/merge_requests/:merge_request_id/notes To: - /projects/:id/issues/:issue_iid/notes - /projects/:id/merge_requests/:merge_request_iid/notes For Project Snippets nothing changes.
* use the policy stack to protect loginshttp://jneen.net/2017-03-091-1/+1
|
* use a magic default :global symbol instead of nilhttp://jneen.net/2017-03-091-2/+2
| | | | to make sure we mean the global permissions
* API routes referencing a specific merge request should use the MR `iid`Timothy Andrew2017-03-071-4/+4
| | | | | | - As opposed to the `id` that was previously being used. - This brings the API routes closer to the web interface's routes. - This is specific to API v4.
* API routes referencing a specific issue should use the issue `iid`Timothy Andrew2017-03-071-2/+2
| | | | | | - As opposed to the issue `id` that was previously being used. - This brings the API routes closer to the web interface's routes. - This is specific to API v4.
* Test various login scenarios if the limit gets enforcedPawel Chojnacki2017-03-061-7/+8
|
* Remove "subscribed" field from API responses returning list of issues or ↵api-drop-subscribedAdam Niedzielski2017-03-061-8/+0
| | | | merge requests
* Rename query parameter to `membership`28865-filter-by-authorized-projects-in-v4Toon Claes2017-03-031-1/+1
| | | | The query parameter `membership` should be more self-explaining.
* Add filter param for authorized projects for current_user for V4Oswaldo Ferreira2017-03-031-0/+4
|
* Enable filtering milestones by search criteria in the APIMark Fletcher2017-03-021-0/+4
| | | | - Also remove a redundant test
* Return 202 with JSON body on async removals on V4 API3874-correctly-return-json-on-delete-responsesOswaldo2017-02-231-0/+4
|
* Enable Style/MutableConstantDouwe Maan2017-02-231-1/+1
|
* Merge branch '28093-snippet-and-issue-spam-check-on-edit' into 'master'Sean McGivern2017-02-221-0/+4
|\ | | | | | | | | | | | | Spam check and reCAPTCHA improvements Closes #28093 See merge request !9248
| * Spam check and reCAPTCHA improvements28093-snippet-and-issue-spam-check-on-editOswaldo Ferreira2017-02-211-0/+4
| |
* | No more and/orDouwe Maan2017-02-211-1/+1
|/
* Use grape validation for datesapi-grape-datetimeRobert Schilling2017-02-201-16/+0
|
* API: Consolidate /projects endpointToon Claes2017-02-141-0/+8
| | | | | | | | | | | It consolidates these endpoints: - /projects - /projects/owned - /projects/visible - /projects/starred - /projects/all Into the /projects endpoint using query parameters.
* API: Fix file downloadingRobert Schilling2017-02-031-1/+1
|
* replace `find_with_namespace` with `find_by_full_path`Adam Pahlevi2017-02-031-1/+1
| | | | add complete changelog for !8949
* Merge branch 'fix-api-mr-permissions' into 'security'Robert Speicher2017-01-231-0/+6
| | | | | | Ensure that only privileged users can access merge requests in the API See merge request !2053
* Fix specsKamil Trzcinski2017-01-191-1/+1
|
* Fix specsKamil Trzcinski2017-01-191-1/+1
|
* Merge remote-tracking branch 'origin/master' into 21698-redis-runner-last-buildKamil Trzcinski2017-01-191-51/+9
|\
| * Merge branch 'time-tracking-api' into 'master' Sean McGivern2017-01-181-0/+4
| |\ | | | | | | | | | | | | | | | | | | Time tracking API Closes #25861 See merge request !8483
| | * Add some API endpoints for time tracking.Ruben Davila2017-01-181-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | New endpoints are: POST :project_id/(issues|merge_requests)/(:issue_id|:merge_request_id)/time_estimate" POST :project_id/(issues|merge_requests)/(:issue_id|:merge_request_id)/reset_time_estimate" POST :project_id/(issues|merge_requests)/(:issue_id|:merge_request_id)/add_spent_time" POST :project_id/(issues|merge_requests)/(:issue_id|:merge_request_id)/reset_spent_time" GET :project_id/(issues|merge_requests)/(:issue_id|:merge_request_id)/time_stats"
| * | Fix a API deprecation warningfix-deprecation-warningRobert Schilling2017-01-161-1/+1
| |/
| * fix pipelines/index.html.haml merge conflictRegis2017-01-021-2/+2
| |\
| | * Merge branch 'fix-api-deprecation' into 'master' Robert Schilling2016-12-281-1/+1
| | |\ | | | | | | | | | | | | | | | | Fix a Grape deprecation, use `#request_method` instead of `#route_method` See merge request !8297
View Lorry Controller Status