API: outbound_local_requests_whitelist cannot be updated via /api/v4/application/settings

Summary

The outbound_local_requests_whitelist application setting cannot be updated via the /api/v4/application/settings API endpoint, while other settings like keep_latest_artifact work correctly. This results in validation errors when attempting to update this setting through the API.

Steps to reproduce

  1. Make a PUT request to /api/v4/application/settings with the outbound_local_requests_whitelist parameter
  2. Observe that the request fails with a validation error
  3. Compare with keep_latest_artifact which works correctly

What is the current bug behavior?

The API rejects updates to outbound_local_requests_whitelist with validation errors, preventing administrators from managing this setting programmatically.

What is the expected correct behavior?

The outbound_local_requests_whitelist setting should be updatable via the API, just like other application settings.

Root Cause Analysis

The issue is in the ApplicationSettingsHelper.visible_attributes method in app/helpers/application_settings_helper.rb. The method includes:

  • outbound_local_requests_allowlist_raw (line 334) - this is the "raw" version for UI display
  • outbound_local_requests_whitelist - missing from the visible attributes list
  • keep_latest_artifact (line 424) - correctly included

The API uses Helpers::SettingsHelpers.optional_attributes which includes ApplicationSettingsHelper.visible_attributes. Since outbound_local_requests_whitelist is not in the visible attributes list, it's not available as an optional parameter in the API.

Technical Details

Files involved:

  • lib/api/settings.rb - API endpoint definition
  • lib/api/helpers/settings_helpers.rb - includes visible_attributes in optional_attributes
  • app/helpers/application_settings_helper.rb - defines visible_attributes (missing the setting)
  • app/models/application_setting_implementation.rb - model implementation (working correctly)

Configuration files:

  • config/application_setting_columns/outbound_local_requests_whitelist.yml - correctly configured as api_type: array of strings
  • config/application_setting_columns/keep_latest_artifact.yml - correctly configured as api_type: boolean

Proposed Solution

Add outbound_local_requests_whitelist to the visible_attributes array in app/helpers/application_settings_helper.rb around line 334, near the existing outbound_local_requests_allowlist_raw entry.

Impact

  • Severity: Medium - affects API functionality for administrators
  • Workaround: Use the admin UI instead of API
  • Affected versions: All versions where this setting exists

Additional Context

The setting works correctly in:

  • Admin UI (uses outbound_local_requests_allowlist_raw)
  • Model layer (all methods implemented correctly)
  • Database storage (column exists and configured properly)

The issue is specifically in the API layer's parameter validation.

Edited by 🤖 GitLab Bot 🤖
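
The request from "Steps to reproduce", written as an added Ruby example (not part of the issue or of GitLab's code): it builds the PUT and classifies the response, so the same check can confirm the fix once the setting is accepted. The host name, token, allowlist entries and sample response bodies are constructed, and it is an assumption that a successful response echoes the setting under its own name.

```ruby
require "json"
require "net/http"
require "uri"

SETTING = "outbound_local_requests_whitelist"

# Build the PUT from "Steps to reproduce". Array values are sent as repeated
# "name[]" form fields; the token must belong to an administrator.
def build_settings_update(base_url, token, entries)
  uri = URI.join(base_url, "/api/v4/application/settings")
  req = Net::HTTP::Put.new(uri)
  req["PRIVATE-TOKEN"] = token
  req.set_form_data("#{SETTING}[]" => entries)
  [uri, req]
end

# Turn a status code and body into a verdict.
# Assumption: a successful response echoes the setting under its own name.
def classify_response(status, body, expected)
  return :unauthorized if [401, 403].include?(status)
  return :rejected if status == 400
  return :unexpected unless status == 200
  data = begin
    JSON.parse(body.to_s)
  rescue JSON::ParserError
    {}
  end
  echoed = data.is_a?(Hash) ? data[SETTING] : nil
  echoed.is_a?(Array) && echoed.sort == expected.sort ? :applied : :not_confirmed
end

# Send the request and classify the answer (needs network access).
def update_allowlist(base_url, token, entries)
  uri, req = build_settings_update(base_url, token, entries)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(req)
  end
  classify_response(res.code.to_i, res.body, entries)
end

# Constructed sample responses, not captured from a real instance.
want = ["10.0.0.5", "internal.example.com"]
samples = {
  "rejected by validation" => [400, '{"message":"constructed validation error"}'],
  "accepted and echoed"    => [200, '{"outbound_local_requests_whitelist":["internal.example.com","10.0.0.5"]}'],
  "200 without the key"    => [200, '{"keep_latest_artifact":true}']
}
samples.each { |label, (status, body)| puts "#{label}: #{classify_response(status, body, want)}" }
```

A `:not_confirmed` verdict means the call returned 200 without the expected list, so the allowlist should be checked in the admin UI before relying on it.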