Ensure Current.organization is always set for Grape API

In Rails controllers, we have a before_action that calls set_current_organization.

The result: Current.organization is available and valid in all controllers that have ApplicationController as a parent class.

We will need current_user because, if the API user does not supply an organization, we need to derive the organization from the current_user object (using the API token).

We want a similar implementation for Grape API. But this is not trivial, see this MR. Currently, we explicitly call set_current_organization in the Grape API's that need it. But that is a lot of duplication.

I expected that we could ignore this problem because I expected that we would never need current_user to determine an Organization but I expect we do need it (unless we ask all our API users to explicitly supply an organization_id in each API call)

The summary is:

  • In Rails context, current_user returns a user OR nil
  • In Grape context, current_user returns a user OR renders an Unauthorized HTTP header
  • In Grape context, some controllers don't even use current_user but have their own custom authentication
    • Example: API::Scim::InstanceScim
    • Example: API::Ci::Runner (using runner token)

I expect that we need to refactor the authentication logic in Grape API

Definition of Done

This issue can be closed if:

  • All API classes have Current.organization set, without any change to the API class itself
  • The explicit calls to set_current_organization (for example, in API::Projects) have been removed
Edited by 🤖 GitLab Bot 🤖