From 1c34a2a01497f9db4602794b1aa37ae54dcee740 Mon Sep 17 00:00:00 2001
From: James Lopez
Date: Tue, 4 Dec 2018 11:55:34 +0100
Subject: Use read_repository scope on read-only files API
---
lib/api/files.rb | 4 ++++
1 file changed, 4 insertions(+) (limited to 'lib/api/files.rb')
diff --git a/lib/api/files.rb b/lib/api/files.rb
index becf66d1467..ca59d330e1c 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,6 +2,8 @@ module API class Files < Grape::API + include APIGuard + FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX) # Prevents returning plain/text responses for files with .txt extension
@@ -79,6 +81,8 @@ module API requires :id, type: String, desc: 'The project ID' end resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do + allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? } + desc 'Get raw file metadata from repository' params do requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'
-- cgit v1.2.1
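Review bot: The `allow_access_with_scope :read_repository` line in the second hunk decides on the HTTP verb alone, so the grant is only as narrow as the guarantee that every GET and HEAD route under `resource :projects` is read-only, and nothing in the hunk records that invariant. I would put a comment directly above it, such as `# read_repository is enough only for GET/HEAD; any route in this resource answering those verbs must stay side-effect free.`, so a later GET endpoint with side effects is not silently opened to read-only tokens. The view is limited to `lib/api/files.rb`, so specs may exist elsewhere in the commit; if not, a request spec asserting that a `read_repository` token is refused on the write routes of this resource would pin the intent. The `resource :projects` block continues outside the hunk, so the set of routes covered cannot be confirmed from here.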