From 80c1ebaa83f346e45346baac584f21878652c350 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Tue, 20 Jun 2017 08:27:45 +0000 Subject: Allow API scope declarations to be applied conditionally. - Scope declarations of the form: allow_access_with_scope :read_user, if: -> (request) { request.get? } will only apply for `GET` requests - Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests. --- lib/api/api_guard.rb | 4 ++-- lib/api/helpers.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 9a9e32a0242..ceeecbbc00b 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -68,7 +68,7 @@ module API access_token = find_access_token return nil unless access_token - case AccessTokenValidationService.new(access_token).validate(scopes: scopes) + case AccessTokenValidationService.new(access_token, request).validate(scopes: scopes) when AccessTokenValidationService::INSUFFICIENT_SCOPE raise InsufficientScopeError.new(scopes) @@ -105,7 +105,7 @@ module API access_token = PersonalAccessToken.active.find_by_token(token_string) return unless access_token - if AccessTokenValidationService.new(access_token).include_any_scope?(scopes) + if AccessTokenValidationService.new(access_token, request).include_any_scope?(scopes) User.find(access_token.user_id) end end diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 3cf04e6df3c..c69e7afea8c 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -340,7 +340,7 @@ module API end def initial_current_user - endpoint_class = options[:for] + endpoint_class = options[:for].presence || ::API::API return @initial_current_user if defined?(@initial_current_user) Gitlab::Auth::UniqueIpsLimiter.limit_user! do -- cgit v1.2.1