Require read_code instead of download_code for api endpoints
requested to merge 376180-separate-view-code-permission-from-download-code-create-2-permissions-7 into master
What does this MR do and why?
Require read_code instead of download_code
For entities and grape api endpoints: require read_code instead of download_code
Contributes to: #376180 (closed)
How to set up and validate locally
- Create a private project
- Add a user to the project with developer access
- Create a personal access token for that user
- Try making requests to api endpoints and see responses. For example:
curl 127.0.0.1:3000/api/v4/projects/<id>/repository/branches -H 'PRIVATE-TOKEN: <personal access token>'curl 127.0.0.1:3000/api/v4/projects/<id>/repository/commits -H 'PRIVATE-TOKEN: <personal access token>'curl '127.0.0.1:3000/api/v4/projects/<id>/repository/files/something/blame?ref=main' -H 'PRIVATE-TOKEN: <personal access token>'curl --header "Content-Type: application/json" "127.0.0.1:3000/api/v4/projects/<id>/ci/lint" --data '{"content": "{ \"image\": \"ruby:2.6\", \"services\": [\"postgres\"], \"before_script\": [\"bundle install\", \"bundle exec rake db:create\"], \"variables\": {\"DB_NAME\": \"postgres\"}, \"types\": [\"test\", \"deploy\", \"notify\"], \"rspec\": { \"script\": \"rake spec\", \"tags\": [\"ruby\", \"postgres\"], \"only\": [\"branches\"]}}"}' PRIVATE-TOKEN: <personal access token>'-
curl '127.0.0.1:3000/api/v4/projects/<id>repository/blobs/<sha>' -H 'PRIVATE-TOKEN: <personal access token>- sha can be caculated like so:
git hash-object -w --stdin < filename
- sha can be caculated like so:
curl '127.0.0.1:3000/api/v4/projects/<id>repository/tags' -H 'PRIVATE-TOKEN: <personal access token>
- Try those requests again with a user with only guest access and see that the responses are 403 forbidden
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #376180 (closed)
Edited by Jerry Seto