lib/api/invitations.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

# frozen_string_literal: true

module API
  class Invitations < ::API::Base
    include PaginationParams

    feature_category :users

    before { authenticate! }

    helpers ::API::Helpers::MembersHelpers

    %w[group project].each do |source_type|
      params do
        requires :id, type: String, desc: "The #{source_type} ID"
      end
      resource source_type.pluralize, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
        desc 'Invite non-members by email address to a group or project.' do
          detail 'This feature was introduced in GitLab 13.6'
          success Entities::Invitation
          tags %w[invitations]
        end
        params do
          requires :access_level, type: Integer, values: Gitlab::Access.all_values, desc: 'A valid access level (defaults: `30`, developer access level)'
          optional :email, type: Array[String], email_or_email_list: true, coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The email address to invite, or multiple emails separated by comma'
          optional :user_id, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The user ID of the new member or multiple IDs separated by commas.'
          optional :expires_at, type: DateTime, desc: 'Date string in the format YEAR-MONTH-DAY'
          optional :invite_source, type: String, desc: 'Source that triggered the member creation process', default: 'invitations-api'
          optional :tasks_to_be_done, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Tasks the inviter wants the member to do'
          optional :tasks_project_id, type: Integer, desc: 'The project ID in which to create the task issues'
        end
        post ":id/invitations", urgency: :low do
          ::Gitlab::QueryLimiting.disable!('https://gitlab.com/gitlab-org/gitlab/-/issues/354016')

          bad_request!('Must provide either email or user_id as a parameter') if params[:email].blank? && params[:user_id].blank?

          source = find_source(source_type, params[:id])
          authorize_admin_source!(source_type, source)

          create_service_params = params.merge(source: source)

          ::Members::InviteService.new(current_user, create_service_params).execute
        end

        desc 'Get a list of group or project invitations viewable by the authenticated user' do
          detail 'This feature was introduced in GitLab 13.6'
          success Entities::Invitation
          is_array true
          tags %w[invitations]
        end
        params do
          optional :page, type: Integer, desc: 'Page to retrieve'
          optional :per_page, type: Integer, desc: 'Number of member invitations to return per page'
          optional :query, type: String, desc: 'A query string to search for members'
          use :pagination
        end
        get ":id/invitations" do
          source = find_source(source_type, params[:id])
          query = params[:query]

          authorize_admin_source!(source_type, source)

          invitations = paginate(retrieve_member_invitations(source, query))

          present_member_invitations invitations
        end

        desc 'Updates a group or project invitation.' do
          success Entities::Member
          tags %w[invitations]
        end
        params do
          requires :email, type: String, desc: 'The email address of the invitation'
          optional :access_level, type: Integer, values: Gitlab::Access.all_values, desc: 'A valid access level (defaults: `30`, developer access level)'
          optional :expires_at, type: DateTime, desc: 'Date string in ISO 8601 format (`YYYY-MM-DDTHH:MM:SSZ`)'
        end
        put ":id/invitations/:email", requirements: { email: %r{[^/]+} } do
          source = find_source(source_type, params.delete(:id))
          invite_email = params[:email]
          authorize_admin_source!(source_type, source)

          invite = retrieve_member_invitations(source, invite_email).first
          not_found! unless invite

          update_params = declared_params(include_missing: false)
          update_params.delete(:email)
          bad_request! unless update_params.any?

          result = ::Members::UpdateService
            .new(current_user, update_params)
            .execute(invite)

          updated_member = result[:members].first

          if result[:status] == :success
            present_members updated_member
          else
            render_validation_error!(updated_member)
          end
        end

        desc 'Removes an invitation from a group or project.' do
          success code: 204
          failure [
            { code: 403, message: 'Forbidden' },
            { code: 404, message: 'Not found' },
            { code: 409, message: 'Could not delete invitation' }
          ]
          tags %w[invitations]
        end
        params do
          requires :email, type: String, desc: 'The email address of the invitation'
        end
        delete ":id/invitations/:email", requirements: { email: %r{[^/]+} } do
          source = find_source(source_type, params[:id])
          invite_email = params[:email]
          authorize_admin_source!(source_type, source)

          invite = retrieve_member_invitations(source, invite_email).first
          not_found! unless invite

          destroy_conditionally!(invite) do
            ::Members::DestroyService.new(current_user, params).execute(invite)
            unprocessable_entity! unless invite.destroyed?
          end
        end
      end
    end
  end
end