diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:51:30 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 12:51:30 +0000 |
commit | 6c83592e614512aea485f89fa96e928c1da89704 (patch) | |
tree | f2124c9a0109ea7fadcd29f353598fc1aeb6fbae /lib | |
parent | ab04f05c135933837ced0a51037832f9be968eb7 (diff) | |
parent | 63e5a314b4f149fad39d40f898e13f705340cc22 (diff) | |
download | gitlab-ce-6c83592e614512aea485f89fa96e928c1da89704.tar.gz |
Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master'
[master] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2735
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/entities.rb | 5 | ||||
-rw-r--r-- | lib/api/helpers/presentable.rb | 29 | ||||
-rw-r--r-- | lib/api/triggers.rb | 10 |
3 files changed, 38 insertions, 6 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb index e0a48908122..62278360329 100644 --- a/lib/api/entities.rb +++ b/lib/api/entities.rb @@ -1223,8 +1223,11 @@ module API end class Trigger < Grape::Entity + include ::API::Helpers::Presentable + expose :id - expose :token, :description + expose :token + expose :description expose :created_at, :updated_at, :last_used expose :owner, using: Entities::UserBasic end diff --git a/lib/api/helpers/presentable.rb b/lib/api/helpers/presentable.rb new file mode 100644 index 00000000000..973c2132efe --- /dev/null +++ b/lib/api/helpers/presentable.rb @@ -0,0 +1,29 @@ +# frozen_string_literal: true + +module API + module Helpers + ## + # This module makes it possible to use `app/presenters` with + # Grape Entities. It instantiates model presenter and passes + # options defined in the API endpoint to the presenter itself. + # + # present object, with: Entities::Something, + # current_user: current_user, + # another_option: 'my options' + # + # Example above will make `current_user` and `another_option` + # values available in the subclass of `Gitlab::View::Presenter` + # thorough a separate method in the presenter. + # + # The model class needs to have `::Presentable` module mixed in + # if you want to use `API::Helpers::Presentable`. + # + module Presentable + extend ActiveSupport::Concern + + def initialize(object, options = {}) + super(object.present(options), options) + end + end + end +end diff --git a/lib/api/triggers.rb b/lib/api/triggers.rb index 3ce1529f259..b67f056f491 100644 --- a/lib/api/triggers.rb +++ b/lib/api/triggers.rb @@ -51,7 +51,7 @@ module API triggers = user_project.triggers.includes(:trigger_requests) - present paginate(triggers), with: Entities::Trigger + present paginate(triggers), with: Entities::Trigger, current_user: current_user end # rubocop: enable CodeReuse/ActiveRecord @@ -68,7 +68,7 @@ module API trigger = user_project.triggers.find(params.delete(:trigger_id)) break not_found!('Trigger') unless trigger - present trigger, with: Entities::Trigger + present trigger, with: Entities::Trigger, current_user: current_user end desc 'Create a trigger' do @@ -85,7 +85,7 @@ module API declared_params(include_missing: false).merge(owner: current_user)) if trigger.valid? - present trigger, with: Entities::Trigger + present trigger, with: Entities::Trigger, current_user: current_user else render_validation_error!(trigger) end @@ -106,7 +106,7 @@ module API break not_found!('Trigger') unless trigger if trigger.update(declared_params(include_missing: false)) - present trigger, with: Entities::Trigger + present trigger, with: Entities::Trigger, current_user: current_user else render_validation_error!(trigger) end @@ -127,7 +127,7 @@ module API if trigger.update(owner: current_user) status :ok - present trigger, with: Entities::Trigger + present trigger, with: Entities::Trigger, current_user: current_user else render_validation_error!(trigger) end |