Commit edf7d1d4 authored by Grzegorz Bizon's avatar Grzegorz Bizon 🔴

Merge branch 'fix_events_permission_#49255' into 'master'

Add authenticate to events api. fix #49255

Closes #49255

See merge request gitlab-org/gitlab-ce!20627
parents b755753c 8aed9f08
---
title: 'Events API now requires the read_user or api scope.'
merge_request: 20627
author: Warren Parad
type: fixed
......@@ -48,9 +48,11 @@ GitLab removes events older than 1 year from the events table for performance re
## List currently authenticated user's events
>**Note:** This endpoint was introduced in GitLab 9.3.
>**Notes:**
> This endpoint was introduced in GitLab 9.3.
> `read_user` access was introduced in GitLab 11.3.
Get a list of events for the authenticated user.
Get a list of events for the authenticated user. Scope `read_user` or `api` is required.
```
GET /events
......@@ -119,9 +121,11 @@ Example response:
### Get user contribution events
>**Note:** Documentation was formerly located in the [Users API pages][users-api].
>**Notes:**
> Documentation was formerly located in the [Users API pages][users-api].
> `read_user` access was introduced in GitLab 11.3.
Get the contribution events for the specified user, sorted from newest to oldest.
Get the contribution events for the specified user, sorted from newest to oldest. Scope `read_user` or `api` is required.
```
GET /users/:id/events
......
module API
class Events < Grape::API
include PaginationParams
include APIGuard
helpers do
params :event_filter_params do
......@@ -24,6 +25,8 @@ module API
end
resource :events do
allow_access_with_scope :read_user, if: -> (request) { request.get? }
desc "List currently authenticated user's events" do
detail 'This feature was introduced in GitLab 9.3.'
success Entities::Event
......@@ -46,6 +49,8 @@ module API
requires :id, type: String, desc: 'The ID or Username of the user'
end
resource :users do
allow_access_with_scope :read_user, if: -> (request) { request.get? }
desc 'Get the contribution events of a specified user' do
detail 'This feature was introduced in GitLab 8.13.'
success Entities::Event
......
......@@ -2,9 +2,9 @@ require 'spec_helper'
describe API::Events do
include ApiHelpers
let(:user) { create(:user) }
let(:non_member) { create(:user) }
let(:other_user) { create(:user, username: 'otheruser') }
let(:private_project) { create(:project, :private, creator_id: user.id, namespace: user.namespace) }
let(:closed_issue) { create(:closed_issue, project: private_project, author: user) }
let!(:closed_issue_event) { create(:event, project: private_project, author: user, target: closed_issue, action: Event::CLOSED, created_at: Date.new(2016, 12, 30)) }
......@@ -28,12 +28,52 @@ describe API::Events do
expect(json_response.size).to eq(1)
end
end
context 'when the requesting token has "read_user" scope' do
let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
it 'returns users events' do
get api('/events?action=closed&target_type=issue&after=2016-12-1&before=2016-12-31', personal_access_token: token)
expect(response).to have_gitlab_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
end
end
context 'when the requesting token does not have "read_user" or "api" scope' do
let(:token_without_scopes) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
it 'returns a "403" response' do
get api('/events', personal_access_token: token_without_scopes)
expect(response).to have_gitlab_http_status(403)
end
end
end
describe 'GET /users/:id/events' do
context "as a user that cannot see the event's project" do
it 'returns no events' do
get api("/users/#{user.id}/events", other_user)
context "as a user that cannot see another user" do
it 'returns a "404" response' do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
get api("/users/#{user.id}/events", non_member)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_empty
end
end
context "as a user token that cannot see another user" do
let(:non_member_token) { create(:personal_access_token, scopes: ['read_user'], user: non_member) }
it 'returns a "404" response' do
allow(Ability).to receive(:allowed?).and_call_original
allow(Ability).to receive(:allowed?).with(non_member, :read_user, user).and_return(false)
get api("/users/#{user.id}/events", personal_access_token: non_member_token)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_empty
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment