
Provide an API to list public snippets of other users

Summary

An admin user who has created a personal access token with the api, read_user and sudo scopes is not allowed to get snippets of other users via the Snippets API, regardless of the snippet's visibility level.

Steps to reproduce

Log in as non-admin user A and create a snippet. Set the visibility to public (the visibility levels internal and private end up in the same error).

Log in as admin user B and create a personal access token with all three scopes (api, read_user, sudo). Use that token to get the snippet created by A (say this snippet has ID 1):

curl --request GET --header "PRIVATE-TOKEN: foo" http://git.your-domain.de/api/v4/snippets/1

You'll get a 404 (Not Found).

As user B, create another snippet (say this snippet has ID 2) and try to get it via the Snippets API:

curl --request GET --header "PRIVATE-TOKEN: foo" http://git.your-domain.de/api/v4/snippets/2

This will return a valid JSON representation of the given snippet.
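The reproduction above, turned into a small regression check (an added example, not part of the original issue or of GitLab's code): it requests each snippet ID with the given personal access token and reports which ones come back 404. The host, token and IDs are supplied by the caller; the `opener` parameter is an assumption of this script so it can be exercised offline with a stub.

```python
"""Regression check for snippet visibility via the GitLab Snippets API.

Expected for an admin token with api, read_user and sudo scope: HTTP 200 for
every public snippet. A 404 for another user's snippet reproduces the issue.
"""
import json
import urllib.error
import urllib.request


def fetch_snippet(base_url, token, snippet_id, opener=urllib.request.urlopen):
    """GET /api/v4/snippets/:id and return (status_code, parsed_json_or_None).

    `opener` is injectable (hypothetical parameter of this script) so the
    check can be run offline against a stub instead of a live GitLab host.
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/snippets/{snippet_id}",
        headers={"PRIVATE-TOKEN": token},
        method="GET",
    )
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 404 (Not Found) is what the issue reports for another user's snippet.
        return exc.code, None


def check_snippet_access(base_url, token, snippet_ids,
                         opener=urllib.request.urlopen):
    """Return ({snippet_id: status}, [ids that answered 404])."""
    results = {}
    for sid in snippet_ids:
        status, _body = fetch_snippet(base_url, token, sid, opener)
        results[sid] = status
    hidden = [sid for sid, status in results.items() if status == 404]
    return results, hidden


if __name__ == "__main__":
    import sys
    # usage: python check_snippets.py http://git.your-domain.de TOKEN 1 2
    base, tok, *ids = sys.argv[1:]
    res, hidden = check_snippet_access(base, tok, [int(i) for i in ids])
    for sid, status in res.items():
        print(f"snippet {sid}: HTTP {status}")
    print("not readable with this token:", hidden or "none")
```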

What is the current bug behavior?

see above

What is the expected correct behavior?

B should see A's snippet via the Snippets API. An admin user using a personal access token with the sudo scope should be able to see all snippets.

Results of GitLab environment info

# gitlab-rake gitlab:env:info

System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.3.5p376
Gem Version:    2.6.13
Bundler Version:1.13.7
Rake Version:   12.3.0
Redis Version:  3.2.11
Git Version:    2.14.3
Sidekiq Version:5.0.4
Go Version:     unknown

GitLab information
Version:        10.3.3
Revision:       888cf31
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            xxx
HTTP Clone URL: xxx
SSH Clone URL:  xxx
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        5.10.2
Repository storage paths:
- default:      /Data/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Does not report any problems. Everything is OK.

Possible fixes

Currently no fixes available.

Edited by Mark Fletcher