Introduce new /snippets/all endpoint

Joe Woodward requested to merge feature/snippets_all into master

What does this MR do and why?

This MR needs !128460 (merged) merged first.

This MR introduces a new /snippets/all API endpoint which is designed to return all personal and project snippets the user has access to. In the case of an account with Administrator or Auditor access, this will be all snippets (both personal and project).

Related to #419640 (closed)

Changed: added

How to set up and validate locally

  1. To make querying easier, clear out all existing Snippets (# Snippet.destroy_all)

  2. Create snippets in various states: internal, private, public, project snippets, for both admin and user snippets.

    root_user = User.find_by_username!('root')
    other_user = User.find_by_username!('tim_kreiger')
    
    [root_user, other_user].each do |user|
      username = user.username
    
      PersonalSnippet.new(title: "#{username}: public", content: 'public', author: user, visibility_level: Snippet::PUBLIC).save!
      PersonalSnippet.new(title: "#{username}: private", content: 'private', author: user, visibility_level: Snippet::PRIVATE).save!
      PersonalSnippet.new(title: "#{username}: internal", content: 'internal', author: user, visibility_level: Snippet::INTERNAL).save!
    
      public_project = (user.projects.where(name: "#{username}_public_project").first || ::Projects::CreateService.new(user, name: "#{username}_public_project", visibility_level: Project::PUBLIC).execute)
      private_project = (user.projects.where(name: "#{username}_private_project").first || ::Projects::CreateService.new(user, name: "#{username}_private_project", visibility_level: Project::PRIVATE).execute)
      internal_project = (user.projects.where(name: "#{username}_internal_project").first || ::Projects::CreateService.new(user, name: "#{username}_internal_project", visibility_level: Project::INTERNAL).execute)      
    
      ProjectSnippet.new(title: "#{public_project.name}: public", content: "#{public_project.name}: public", project: public_project, author: user, visibility_level: Snippet::PUBLIC).save!
      ProjectSnippet.new(title: "#{private_project.name}: private", content: "#{private_project.name}: private", project: private_project, author: user, visibility_level: Snippet::PRIVATE).save!
      ProjectSnippet.new(title: "#{internal_project.name}: internal", content: "#{internal_project.name}: internal", project: internal_project, author: user, visibility_level: Snippet::INTERNAL).save!      
    end

  3. Create a personal access token for the admin user and a normal user:

  4. Request the endpoint with the user token. The user should be able to see their own + internal and public snippets (both personal and project) but not everything:

    curl -qs -H "PRIVATE-TOKEN: ${USER_TOKEN}" -H "Content-Type: application/json" "http://gdk.test:3000/api/v4/snippets/all" | jq .

  5. Request the endpoint with the admin token. The admin user should be able to see all snippets (both personal and project):

    curl -qs -H "PRIVATE-TOKEN: ${ADMIN_TOKEN}" -H "Content-Type: application/json" "http://gdk.test:3000/api/v4/snippets/all" | jq .

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ash McKenzie
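
The expectations in steps 4 and 5 can be checked mechanically instead of by reading the `jq` output. The Ruby below is an added example, not code from this merge request or from GitLab: it rebuilds the titles the seed script in step 2 creates and compares them with the `title` fields of a response body. The helper names and the sample response are constructed for illustration, and it assumes step 1 was run and that all snippets fit on one page of results.

```ruby
require 'json'

# Usernames and title patterns mirror the seed script in step 2.
SEED_USERS = %w[root tim_kreiger].freeze
LEVELS = %w[public private internal].freeze

# Every snippet title the seed script creates, mapped to [author, level].
# (Hypothetical helper, not a GitLab API.)
def seeded_snippets
  SEED_USERS.each_with_object({}) do |user, all|
    LEVELS.each do |level|
      all["#{user}: #{level}"] = [user, level]                   # personal snippet
      all["#{user}_#{level}_project: #{level}"] = [user, level]  # project snippet
    end
  end
end

# Expectation as stated in the description: an admin sees everything; a normal
# user sees their own snippets plus every public and internal one.
def expected_titles(viewer, admin: false)
  visible = seeded_snippets.select do |_title, (author, level)|
    admin || author == viewer || level != 'private'
  end
  visible.keys.sort
end

# Compare a /snippets/all response body with the expectation.
#   :leaked  titles returned that the viewer must not see (authorization failure)
#   :missing titles the viewer should see but did not receive
def audit_response(json_body, viewer, admin: false)
  returned = JSON.parse(json_body).map { |snippet| snippet.fetch('title') }
  expected = expected_titles(viewer, admin: admin)
  { leaked: (returned - expected).sort, missing: (expected - returned).sort }
end

# Constructed sample: a response for tim_kreiger that wrongly exposes root's
# private personal snippet and omits root's internal one.
SAMPLE_BODY = (expected_titles('tim_kreiger') - ['root: internal'] + ['root: private'])
              .map { |title| { 'title' => title } }.to_json

puts audit_response(SAMPLE_BODY, 'tim_kreiger')
```

A non-empty `:leaked` list is the result that matters for review: it means the endpoint returned a snippet outside the caller's visibility.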