From 181cd299f9e06223e8338e93b1c318c671ccb1aa Mon Sep 17 00:00:00 2001 From: Jacopo Date: Tue, 14 Nov 2017 10:02:39 +0100 Subject: Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. --- lib/api/commits.rb | 2 ++ lib/api/helpers/custom_validators.rb | 1 + lib/api/helpers/runner.rb | 1 + lib/api/runners.rb | 4 ++++ lib/api/snippets.rb | 1 + lib/api/v3/commits.rb | 2 ++ lib/api/v3/runners.rb | 1 + lib/api/v3/snippets.rb | 2 ++ 8 files changed, 14 insertions(+) (limited to 'lib/api') diff --git a/lib/api/commits.rb b/lib/api/commits.rb index 2bc4039b019..38e05074353 100644 --- a/lib/api/commits.rb +++ b/lib/api/commits.rb @@ -180,10 +180,12 @@ module API if params[:path] commit.raw_diffs(limits: false).each do |diff| next unless diff.new_path == params[:path] + lines = Gitlab::Diff::Parser.new.parse(diff.diff.each_line) lines.each do |line| next unless line.new_pos == params[:line] && line.type == params[:line_type] + break opts[:line_code] = Gitlab::Git.diff_line_code(diff.new_path, line.new_pos, line.old_pos) end diff --git a/lib/api/helpers/custom_validators.rb b/lib/api/helpers/custom_validators.rb index 0a8f3073a50..dd4f6c41131 100644 --- a/lib/api/helpers/custom_validators.rb +++ b/lib/api/helpers/custom_validators.rb @@ -4,6 +4,7 @@ module API class Absence < Grape::Validations::Base def validate_param!(attr_name, params) return if params.respond_to?(:key?) && !params.key?(attr_name) + raise Grape::Exceptions::Validation, params: [@scope.full_name(attr_name)], message: message(:absence) end end diff --git a/lib/api/helpers/runner.rb b/lib/api/helpers/runner.rb index 282af32ca94..2cae53dba53 100644 --- a/lib/api/helpers/runner.rb +++ b/lib/api/helpers/runner.rb @@ -14,6 +14,7 @@ module API def get_runner_version_from_params return unless params['info'].present? + attributes_for_keys(%w(name version revision platform architecture), params['info']) end 
diff --git a/lib/api/runners.rb b/lib/api/runners.rb index d3559ef71be..e816fcdd928 100644 --- a/lib/api/runners.rb +++ b/lib/api/runners.rb @@ -165,17 +165,20 @@ module API def authenticate_show_runner!(runner) return if runner.is_shared || current_user.admin? + forbidden!("No access granted") unless user_can_access_runner?(runner) end def authenticate_update_runner!(runner) return if current_user.admin? + forbidden!("Runner is shared") if runner.is_shared? forbidden!("No access granted") unless user_can_access_runner?(runner) end def authenticate_delete_runner!(runner) return if current_user.admin? + forbidden!("Runner is shared") if runner.is_shared? forbidden!("Runner associated with more than one project") if runner.projects.count > 1 forbidden!("No access granted") unless user_can_access_runner?(runner) @@ -185,6 +188,7 @@ module API forbidden!("Runner is shared") if runner.is_shared? forbidden!("Runner is locked") if runner.locked? return if current_user.admin? + forbidden!("No access granted") unless user_can_access_runner?(runner) end diff --git a/lib/api/snippets.rb b/lib/api/snippets.rb index 00eb7c60f16..c736cc32021 100644 --- a/lib/api/snippets.rb +++ b/lib/api/snippets.rb @@ -95,6 +95,7 @@ module API put ':id' do snippet = snippets_for_current_user.find_by(id: params.delete(:id)) return not_found!('Snippet') unless snippet + authorize! :update_personal_snippet, snippet attrs = declared_params(include_missing: false).merge(request: request, api: true) diff --git a/lib/api/v3/commits.rb b/lib/api/v3/commits.rb index be360fbfc0c..0ef26aa696a 100644 --- a/lib/api/v3/commits.rb +++ b/lib/api/v3/commits.rb 
@@ -169,10 +169,12 @@ module API if params[:path] commit.raw_diffs(limits: false).each do |diff| next unless diff.new_path == params[:path] + lines = Gitlab::Diff::Parser.new.parse(diff.diff.each_line) lines.each do |line| next unless line.new_pos == params[:line] && line.type == params[:line_type] + break opts[:line_code] = Gitlab::Git.diff_line_code(diff.new_path, line.new_pos, line.old_pos) end diff --git a/lib/api/v3/runners.rb b/lib/api/v3/runners.rb index faa265f3314..c6d9957d452 100644 --- a/lib/api/v3/runners.rb +++ b/lib/api/v3/runners.rb @@ -51,6 +51,7 @@ module API helpers do def authenticate_delete_runner!(runner) return if current_user.admin? + forbidden!("Runner is shared") if runner.is_shared? forbidden!("Runner associated with more than one project") if runner.projects.count > 1 forbidden!("No access granted") unless user_can_access_runner?(runner) diff --git a/lib/api/v3/snippets.rb b/lib/api/v3/snippets.rb index 0762fc02d70..126ec72248e 100644 --- a/lib/api/v3/snippets.rb +++ b/lib/api/v3/snippets.rb @@ -91,6 +91,7 @@ module API put ':id' do snippet = snippets_for_current_user.find_by(id: params.delete(:id)) return not_found!('Snippet') unless snippet + authorize! :update_personal_snippet, snippet attrs = declared_params(include_missing: false) @@ -113,6 +114,7 @@ module API delete ':id' do snippet = snippets_for_current_user.find_by(id: params.delete(:id)) return not_found!('Snippet') unless snippet + authorize! :destroy_personal_snippet, snippet snippet.destroy no_content! -- cgit v1.2.1 From d948e6791300b14d18b95881290ccfcba7928ea0 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Tue, 7 Nov 2017 10:52:05 +0100 Subject: First refactor --- lib/api/api_guard.rb | 58 +++++++++++++++++----------------------------------- 1 file changed, 19 insertions(+), 39 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index c1c0d344917..0a93e71858e 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb 
@@ -74,43 +74,27 @@ module API private - def find_user_from_access_token - return unless access_token - - validate_access_token! - - access_token.user || raise(UnauthorizedError) - end - - # Check the Rails session for valid authentication details - def find_user_from_warden - warden.try(:authenticate) if verified_request? - end - - def warden - env['warden'] - end - - # Check if the request is GET/HEAD, or if CSRF token is valid. - def verified_request? - Gitlab::RequestForgeryProtection.verified?(env) - end - - def find_oauth_access_token - token = Doorkeeper::OAuth::Token.from_request(doorkeeper_request, *Doorkeeper.configuration.access_token_methods) - return unless token - - # Expiration, revocation and scopes are verified in `find_user_by_access_token` - access_token = OauthAccessToken.by_token(token) - raise UnauthorizedError unless access_token - - access_token.revoke_previous_refresh_token! - access_token + def raise_unauthorized_error! + raise UnauthorizedError end - def find_personal_access_token - token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s - return unless token.present? + # If token is presented and valid, then it sets @current_user. + # + # If the token does not have sufficient scopes to cover the requred scopes, + # then it raises InsufficientScopeError. + # + # If the token is expired, then it raises ExpiredError. + # + # If the token is revoked, then it raises RevokedError. + # + # If the token is not found (nil), then it returns nil + # + # Arguments: + # + # scopes: (optional) scopes required for this guard. + # Defaults to empty array. + def find_user_by_access_token(access_token) + scopes = scopes_registered_for_endpoint # Expiration, revocation and scopes are verified in `find_user_by_access_token` access_token = PersonalAccessToken.find_by(token: token) 
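Review bot: The new `find_user_by_access_token(access_token)` still calls `PersonalAccessToken.find_by(token: token)`, but the `token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s` assignment is removed in this same hunk, so `token` is undefined there and the lookup also overwrites the `access_token` parameter. `scopes = scopes_registered_for_endpoint` is assigned but not used in the visible lines, and the comment block documents a `scopes:` argument the signature does not have (it also carries the typo "requred"). The hunk also drops `find_user_from_warden` and `verified_request?` from this file; if they moved elsewhere, please confirm that session authentication is still gated on `Gitlab::RequestForgeryProtection.verified?(env)`. The method body continues past the end of this hunk.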
@@ -119,10 +103,6 @@ module API access_token end - def doorkeeper_request - @doorkeeper_request ||= ActionDispatch::Request.new(env) - end - # An array of scopes that were registered (using `allow_access_with_scope`) # for the current endpoint class. It also returns scopes registered on # `API::API`, since these are meant to apply to all API routes. -- cgit v1.2.1 From 470b5dc32633cd4ec873e655ac6a70011c835e17 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Tue, 7 Nov 2017 16:13:00 +0100 Subject: Updated refactor and pushing to see if test fails --- lib/api/api_guard.rb | 2 -- 1 file changed, 2 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 0a93e71858e..66ad2b77f75 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -72,8 +72,6 @@ module API end end - private - def raise_unauthorized_error! raise UnauthorizedError end -- cgit v1.2.1 From 41ebd06ddc837c80ba6ca95c6d5fea2b76cef8d2 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Tue, 7 Nov 2017 19:17:41 +0100 Subject: Some fixes after rebase --- lib/api/api_guard.rb | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 66ad2b77f75..9ada2d5ebb1 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb 
@@ -72,33 +72,16 @@ module API end end - def raise_unauthorized_error! - raise UnauthorizedError - end + private - # If token is presented and valid, then it sets @current_user. - # - # If the token does not have sufficient scopes to cover the requred scopes, - # then it raises InsufficientScopeError. - # - # If the token is expired, then it raises ExpiredError. - # - # If the token is revoked, then it raises RevokedError. - # - # If the token is not found (nil), then it returns nil - # - # Arguments: - # - # scopes: (optional) scopes required for this guard. - # Defaults to empty array. - def find_user_by_access_token(access_token) - scopes = scopes_registered_for_endpoint + def handle_return_value!(value, &block) + raise UnauthorizedError unless value - # Expiration, revocation and scopes are verified in `find_user_by_access_token` - access_token = PersonalAccessToken.find_by(token: token) - raise UnauthorizedError unless access_token + block_given? ? yield(value) : value + end - access_token + def private_token + params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence end # An array of scopes that were registered (using `allow_access_with_scope`) -- cgit v1.2.1 From 374179a97042da3a4d5312afcdb0dc90a44634f0 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Wed, 8 Nov 2017 10:13:22 +0100 Subject: Removing private token --- lib/api/api_guard.rb | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 9ada2d5ebb1..9c68830ae34 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -45,6 +45,7 @@ module API include Gitlab::Utils::StrongMemoize def find_current_user! + set_raise_unauthorized_error user = find_user_from_access_token || find_user_from_warden return unless user 
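Review bot: `handle_return_value!(value, &block)` captures the block as a parameter but only uses `block_given?` and `yield`, so the argument can be dropped: `def handle_return_value!(value)`. The name says little about the contract; a one-line comment such as `# Raises UnauthorizedError when value is nil/false, otherwise yields it or returns it` would help. In `private_token`, the `.presence` on each side means a blank `private_token` parameter now falls through to the header, whereas the `(params[...] || env[...]).to_s` form removed earlier in this series stopped at the blank parameter. If that change is intended, say so in a comment.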
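Review bot: The `set_raise_unauthorized_error` call added at the top of `find_current_user!` refers to a method that is not defined in any hunk of this commit, and its name does not say what state it changes before authentication runs. If it switches how the finder methods fail, passing that choice explicitly or adding a short comment at the call site would make this authentication path easier to audit. `find_current_user!` continues outside the hunk.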
@@ -74,12 +75,6 @@ module API private - def handle_return_value!(value, &block) - raise UnauthorizedError unless value - - block_given? ? yield(value) : value - end - def private_token params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence end -- cgit v1.2.1 From aecc3eb0809c4436a57f5ecdd88def58e704205d Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Wed, 8 Nov 2017 19:41:07 +0100 Subject: Applied some code review comments --- lib/api/api_guard.rb | 5 ----- 1 file changed, 5 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 9c68830ae34..01e15ffee84 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -45,7 +45,6 @@ module API include Gitlab::Utils::StrongMemoize def find_current_user! - set_raise_unauthorized_error user = find_user_from_access_token || find_user_from_warden return unless user @@ -75,10 +74,6 @@ module API private - def private_token - params[PRIVATE_TOKEN_PARAM].presence || env[PRIVATE_TOKEN_HEADER].presence - end - # An array of scopes that were registered (using `allow_access_with_scope`) # for the current endpoint class. It also returns scopes registered on # `API::API`, since these are meant to apply to all API routes. -- cgit v1.2.1 From 21153a4f47871733f3c0d333a10ffa69ada9a5a9 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Thu, 9 Nov 2017 19:04:19 +0100 Subject: Homogenising the type of the request handled by UserAuthFinder. Also tests fixed --- lib/api/api_guard.rb | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 01e15ffee84..e2a1a51b300 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb 
@@ -6,9 +6,6 @@ module API module APIGuard extend ActiveSupport::Concern - PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN".freeze - PRIVATE_TOKEN_PARAM = :private_token - included do |base| # OAuth2 Resource Server Authentication use Rack::OAuth2::Server::Resource::Bearer, 'The API' do |request| -- cgit v1.2.1 From f1896575237cb92dce5a413bb6b6cc6474cbb19d Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Fri, 10 Nov 2017 11:41:33 +0100 Subject: Added some more comments --- lib/api/api_guard.rb | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index e2a1a51b300..0caf2aa25bc 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -139,13 +139,14 @@ module API # Exceptions # - MissingTokenError = Class.new(StandardError) - TokenNotFoundError = Class.new(StandardError) - ExpiredError = Class.new(StandardError) - RevokedError = Class.new(StandardError) - UnauthorizedError = Class.new(StandardError) - - class InsufficientScopeError < StandardError + AuthenticationException = Class.new(StandardError) + MissingTokenError = Class.new(AuthenticationException) + TokenNotFoundError = Class.new(AuthenticationException) + ExpiredError = Class.new(AuthenticationException) + RevokedError = Class.new(AuthenticationException) + UnauthorizedError = Class.new(AuthenticationException) + + class InsufficientScopeError < AuthenticationException attr_reader :scopes def initialize(scopes) @scopes = scopes.map { |s| s.try(:name) || s } -- cgit v1.2.1 From aa84ef1e1af0bac40279e02e4ce889cb660ed9d0 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Thu, 16 Nov 2017 15:39:30 +0100 Subject: Moving exceptions to UserAuthFinders --- lib/api/api_guard.rb | 35 ++++++++++------------------------- lib/api/helpers.rb | 2 +- 2 files changed, 11 insertions(+), 26 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 0caf2aa25bc..a07015406b1 100644 
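Review bot: The base class introduced in the `@@ -139,13 +139,14 @@` hunk is named `AuthenticationException`, while every subclass uses the `...Error` suffix; `AuthenticationError = Class.new(StandardError)` would match them. `UnauthorizedError` now shares that base with the token errors, so a comment such as `# UnauthorizedError is rescued separately by callers, not by the bearer-token responder` would warn against a blanket `rescue_from` on the base class (hedged: the responder list is only visible in later hunks of this series). As far as the hunk shows, `InsufficientScopeError#initialize` stores `@scopes` without calling `super`, so the exception message stays the default class name. The class body ends outside the hunk.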
--- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -93,8 +93,11 @@ module API private def install_error_responders(base) - error_classes = [MissingTokenError, TokenNotFoundError, - ExpiredError, RevokedError, InsufficientScopeError] + error_classes = [Gitlab::Auth::UserAuthFinders::MissingTokenError, + Gitlab::Auth::UserAuthFinders::TokenNotFoundError, + Gitlab::Auth::UserAuthFinders::ExpiredError, + Gitlab::Auth::UserAuthFinders::RevokedError, + Gitlab::Auth::UserAuthFinders::InsufficientScopeError] base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend end @@ -103,25 +106,25 @@ module API proc do |e| response = case e - when MissingTokenError + when Gitlab::Auth::UserAuthFinders::MissingTokenError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new - when TokenNotFoundError + when Gitlab::Auth::UserAuthFinders::TokenNotFoundError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Bad Access Token.") - when ExpiredError + when Gitlab::Auth::UserAuthFinders::ExpiredError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token is expired. You can either do re-authorization or token refresh.") - when RevokedError + when Gitlab::Auth::UserAuthFinders::RevokedError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token was revoked. You have to re-authorize from the user.") - when InsufficientScopeError + when Gitlab::Auth::UserAuthFinders::InsufficientScopeError # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2) # does not include WWW-Authenticate header, which breaks the standard. Rack::OAuth2::Server::Resource::Bearer::Forbidden.new( 
@@ -134,23 +137,5 @@ module API end end end - - # - # Exceptions - # - - AuthenticationException = Class.new(StandardError) - MissingTokenError = Class.new(AuthenticationException) - TokenNotFoundError = Class.new(AuthenticationException) - ExpiredError = Class.new(AuthenticationException) - RevokedError = Class.new(AuthenticationException) - UnauthorizedError = Class.new(AuthenticationException) - - class InsufficientScopeError < AuthenticationException - attr_reader :scopes - def initialize(scopes) - @scopes = scopes.map { |s| s.try(:name) || s } - end - end end end diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 3c8960cb1ab..09e9753b010 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -398,7 +398,7 @@ module API begin @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! } - rescue APIGuard::UnauthorizedError + rescue Gitlab::Auth::UserAuthFinders::UnauthorizedError unauthorized! end end -- cgit v1.2.1 From 1436598e49792b78f5f753477a9d8c097d666b99 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Thu, 16 Nov 2017 17:03:19 +0100 Subject: Moved Exceptions to Gitlab::Auth --- lib/api/api_guard.rb | 20 ++++++++++---------- lib/api/helpers.rb | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index a07015406b1..1953a613f1d 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb 
@@ -93,11 +93,11 @@ module API private def install_error_responders(base) - error_classes = [Gitlab::Auth::UserAuthFinders::MissingTokenError, - Gitlab::Auth::UserAuthFinders::TokenNotFoundError, - Gitlab::Auth::UserAuthFinders::ExpiredError, - Gitlab::Auth::UserAuthFinders::RevokedError, - Gitlab::Auth::UserAuthFinders::InsufficientScopeError] + error_classes = [Gitlab::Auth::MissingTokenError, + Gitlab::Auth::TokenNotFoundError, + Gitlab::Auth::ExpiredError, + Gitlab::Auth::RevokedError, + Gitlab::Auth::InsufficientScopeError] base.__send__(:rescue_from, *error_classes, oauth2_bearer_token_error_handler) # rubocop:disable GitlabSecurity/PublicSend end @@ -106,25 +106,25 @@ module API proc do |e| response = case e - when Gitlab::Auth::UserAuthFinders::MissingTokenError + when Gitlab::Auth::MissingTokenError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new - when Gitlab::Auth::UserAuthFinders::TokenNotFoundError + when Gitlab::Auth::TokenNotFoundError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Bad Access Token.") - when Gitlab::Auth::UserAuthFinders::ExpiredError + when Gitlab::Auth::ExpiredError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token is expired. You can either do re-authorization or token refresh.") - when Gitlab::Auth::UserAuthFinders::RevokedError + when Gitlab::Auth::RevokedError Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new( :invalid_token, "Token was revoked. You have to re-authorize from the user.") - when Gitlab::Auth::UserAuthFinders::InsufficientScopeError + when Gitlab::Auth::InsufficientScopeError # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2) # does not include WWW-Authenticate header, which breaks the standard. Rack::OAuth2::Server::Resource::Bearer::Forbidden.new( diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 09e9753b010..b26c61ab8da 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb 
@@ -398,7 +398,7 @@ module API begin @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! } - rescue Gitlab::Auth::UserAuthFinders::UnauthorizedError + rescue Gitlab::Auth::UnauthorizedError unauthorized! end end -- cgit v1.2.1 From 7f0317917a6684189b1637ea73f90d258e8a72b6 Mon Sep 17 00:00:00 2001 From: Francisco Lopez Date: Fri, 17 Nov 2017 10:09:56 +0100 Subject: Changes after rebase --- lib/api/api_guard.rb | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) (limited to 'lib/api') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 1953a613f1d..9aeebc34525 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -39,7 +39,7 @@ module API # Helper Methods for Grape Endpoint module HelperMethods - include Gitlab::Utils::StrongMemoize + include Gitlab::Auth::UserAuthFinders def find_current_user! user = find_user_from_access_token || find_user_from_warden @@ -50,25 +50,6 @@ module API user end - def access_token - strong_memoize(:access_token) do - find_oauth_access_token || find_personal_access_token - end - end - - def validate_access_token!(scopes: []) - return unless access_token - - case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes) - when AccessTokenValidationService::INSUFFICIENT_SCOPE - raise InsufficientScopeError.new(scopes) - when AccessTokenValidationService::EXPIRED - raise ExpiredError - when AccessTokenValidationService::REVOKED - raise RevokedError - end - end - private # An array of scopes that were registered (using `allow_access_with_scope`) -- cgit v1.2.1 From c900c21eef9235306d7d0da42b07aa2de346e263 Mon Sep 17 00:00:00 2001 From: "micael.bergeron" Date: Tue, 21 Nov 2017 08:31:23 -0500 Subject: add `#with_metadata` scope to remove a N+1 from the notes' API --- lib/api/notes.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/api') 
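Review bot: With `access_token` and `validate_access_token!` deleted in the following hunk, the expiry, revocation and scope checks for `HelperMethods` now depend entirely on `Gitlab::Auth::UserAuthFinders`, which the `@@ -39,7 +39,7 @@` hunk includes but this diff does not show. A comment above the include, for example `# Provides find_user_from_access_token / find_user_from_warden, including token validation`, would record that dependency. Please also confirm that the included finder still validates against `scopes_registered_for_endpoint`. Including the module turns every method it defines into an endpoint helper, so anything meant to stay internal should be private in the module itself.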
diff --git a/lib/api/notes.rb b/lib/api/notes.rb index 0b9ab4eeb05..ceaaeca4046 100644 --- a/lib/api/notes.rb +++ b/lib/api/notes.rb @@ -33,7 +33,7 @@ module API # paginate() only works with a relation. This could lead to a # mismatch between the pagination headers info and the actual notes # array returned, but this is really a edge-case. - paginate(noteable.notes) + paginate(noteable.notes.with_metadata) .reject { |n| n.cross_reference_not_visible_for?(current_user) } present notes, with: Entities::Note else @@ -50,7 +50,7 @@ module API end get ":id/#{noteables_str}/:noteable_id/notes/:note_id" do noteable = find_project_noteable(noteables_str, params[:noteable_id]) - note = noteable.notes.find(params[:note_id]) + note = noteable.notes.with_metadata.find(params[:note_id]) can_read_note = can?(current_user, noteable_read_ability_name(noteable), noteable) && !note.cross_reference_not_visible_for?(current_user) if can_read_note -- cgit v1.2.1 From 0b9e1e16626eff4cd8ae43ce47ec0f965beaf843 Mon Sep 17 00:00:00 2001 From: Daniel Juarez Date: Tue, 21 Nov 2017 15:47:58 +0000 Subject: Skip confirmation user api --- lib/api/users.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/api') diff --git a/lib/api/users.rb b/lib/api/users.rb index d80b364bd09..0cd89b1bcf8 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -31,7 +31,6 @@ module API optional :location, type: String, desc: 'The location of the user' optional :admin, type: Boolean, desc: 'Flag indicating the user is an administrator' optional :can_create_group, type: Boolean, desc: 'Flag indicating the user can create groups' - optional :skip_confirmation, type: Boolean, default: false, desc: 'Flag indicating the account is confirmed' optional :external, type: Boolean, desc: 'Flag indicating the user is an external user' optional :avatar, type: File, desc: 'Avatar image for user' all_or_none_of :extern_uid, :provider 
@@ -101,6 +100,7 @@ module API requires :email, type: String, desc: 'The email of the user' optional :password, type: String, desc: 'The password of the new user' optional :reset_password, type: Boolean, desc: 'Flag indicating the user will be sent a password reset token' + optional :skip_confirmation, type: Boolean, desc: 'Flag indicating the account is confirmed' at_least_one_of :password, :reset_password requires :name, type: String, desc: 'The name of the user' requires :username, type: String, desc: 'The username of the user' @@ -134,6 +134,7 @@ module API requires :id, type: Integer, desc: 'The ID of the user' optional :email, type: String, desc: 'The email of the user' optional :password, type: String, desc: 'The password of the new user' + optional :skip_reconfirmation, type: Boolean, desc: 'Flag indicating the account skips the confirmation by email' optional :name, type: String, desc: 'The name of the user' optional :username, type: String, desc: 'The username of the user' use :optional_attributes -- cgit v1.2.1
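Review bot: `skip_confirmation` on user creation and `skip_reconfirmation` on update (the second hunk) let the caller bypass e-mail verification, and neither hunk shows where the endpoints restrict who may send them or how the values reach the model. Please confirm both routes stay behind the admin check and that the flags are consumed explicitly rather than passed through with the other declared params. The description `'Flag indicating the account is confirmed'` reads as a status rather than an action; `desc: 'Skip the confirmation e-mail and create the account as confirmed'` would be clearer. The `default: false` of the declaration removed in the previous hunk is also gone, so the key is absent rather than `false` when it is not supplied.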