- 16 Aug, 2017 1 commit
  - Zeger-Jan van de Weg authored
    Main feature was the deprecation of the Hashie stuff, so access by calling keys as methods is gone now.
- 11 Aug, 2017 1 commit
  - Lin Jen-Shin authored
    document have_gitlab_http_status
- 10 Aug, 2017 1 commit
  - Lin Jen-Shin authored
- 02 Aug, 2017 1 commit
  - Douwe Maan authored
- 01 Aug, 2017 1 commit
  - Shinya Maeda authored
- 26 Jul, 2017 4 commits
  - Douwe Maan authored
  - blackst0ne authored
  - blackst0ne authored
  - blackst0ne authored
- 21 Jul, 2017 1 commit
  - Felipe Artur authored
- 19 Jul, 2017 1 commit
  - Shinya Maeda authored
- 06 Jul, 2017 1 commit
  - vanadium23 authored
- 04 Jul, 2017 1 commit
  - Timothy Andrew authored
    - Rather than using an explicit check to turn off authentication for the `/users` endpoint, simply call `authenticate_non_get!`.
    - All `GET` endpoints we wish to restrict already call `authenticated_as_admin!`, and so remain inaccessible to anonymous users.
    - This _does_ open up the `/users/:id` endpoint to anonymous access. It contains the same access check that `/users` uses, and so is safe for use here.
    - More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
- 30 Jun, 2017 1 commit
  - Timothy Andrew authored
    - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted.
    - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed.
    - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description.
    - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE.
- 28 Jun, 2017 4 commits
  - Timothy Andrew authored
  - Timothy Andrew authored
    - They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed.
    - Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases.
  - Timothy Andrew authored
    - Scope declarations of the form `allow_access_with_scope :read_user, if: -> (request) { request.get? }` will only apply for `GET` requests.
    - Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests.
  - Timothy Andrew authored
    - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint, code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users`, since the `API::API` `before` block runs first.
    - This commit moves these declarations to the class level, since they don't need to change once set.
- 26 Jun, 2017 1 commit
  - Timothy Andrew authored
    - The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username.
    - We don't authenticate this API anymore, but instead, if the `current_user` is not present:
      - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users.
      - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)`.
- 02 Jun, 2017 1 commit
  - Rémy Coutable authored
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 01 Jun, 2017 1 commit
  - Kamil Trzcinski authored
- 30 May, 2017 4 commits
  - Toon Claes authored
    And use it in the API.
  - Toon Claes authored
    The ProjectsFinder and GroupFinder both support the same set of params. And the `/api/v4/projects` and `/api/v4/group/:id/projects` also support the same set of params. But they do not match the Finder params. So use a helper method to transform them.
  - Toon Claes authored
    Instead of trying to do the heavy lifting in the API itself, use the existing features of the ProjectFinder.
  - Toon Claes authored
    The ProjectFinder supports the `non_public` parameter. This can be used to find only projects the user is a member of.
- 10 May, 2017 2 commits
  - Rémy Coutable authored
    Use the EnforcedStyleForMultiline: no_comma option.
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Bob Van Landuyt authored
- 26 Apr, 2017 1 commit
  - Timothy Andrew authored
    - Currently, (for example) admins can't delete snippets for blocked users, which is an unexpected limitation.
    - We modify `authenticate!` to conduct the `access_api` policy check against the `initial_current_user`, instead of the user being impersonated.
    - Update CHANGELOG for !10842
- 09 Apr, 2017 1 commit
  - blackst0ne authored
- 27 Mar, 2017 1 commit
  - Toon Claes authored
    In API V4 all endpoints were changed so Merge Requests and Issues should be referred to by iid, instead of id. Except the /notes endpoint was forgotten. So change the endpoints from:
    - /projects/:id/issues/:issue_id/notes
    - /projects/:id/merge_requests/:merge_request_id/notes
    To:
    - /projects/:id/issues/:issue_iid/notes
    - /projects/:id/merge_requests/:merge_request_iid/notes
    For Project Snippets nothing changes.
- 22 Mar, 2017 1 commit
  - Grzegorz Bizon authored
- 09 Mar, 2017 2 commits
  - http://jneen.net/ authored
  - http://jneen.net/ authored
    to make sure we mean the global permissions
- 07 Mar, 2017 2 commits
  - Timothy Andrew authored
    - As opposed to the `id` that was previously being used.
    - This brings the API routes closer to the web interface's routes.
    - This is specific to API v4.
  - Timothy Andrew authored
    - As opposed to the issue `id` that was previously being used.
    - This brings the API routes closer to the web interface's routes.
    - This is specific to API v4.
- 06 Mar, 2017 2 commits
  - Pawel Chojnacki authored
  - Adam Niedzielski authored
- 03 Mar, 2017 2 commits
  - Toon Claes authored
    The query parameter `membership` should be more self-explaining.
  - Oswaldo Ferreira authored
- 02 Mar, 2017 1 commit
  - Toon Claes authored
    Add `visibility` & `visibility=` methods to the `Gitlab::VisibilityLevel` module so the `visibility_level` can be get/set with a string value.