authorTimothy Andrew <mail@timothyandrew.net>2017-06-20 08:27:45 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-06-28 07:17:13 +0000
commit80c1ebaa83f346e45346baac584f21878652c350 (patch)
tree9a4aa49a6ad51aee496696b4284979da4ff670eb /lib
parent6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b (diff)
Allow API scope declarations to be applied conditionally.
- Scope declarations of the form `allow_access_with_scope :read_user, if: -> (request) { request.get? }` will only apply to `GET` requests. - Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests.
Diffstat (limited to 'lib')
-rw-r--r--lib/api/api_guard.rb4
-rw-r--r--lib/api/helpers.rb2
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 9a9e32a0242..ceeecbbc00b 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -68,7 +68,7 @@ module API
access_token = find_access_token
return nil unless access_token
- case AccessTokenValidationService.new(access_token).validate(scopes: scopes)
+ case AccessTokenValidationService.new(access_token, request).validate(scopes: scopes)
when AccessTokenValidationService::INSUFFICIENT_SCOPE
raise InsufficientScopeError.new(scopes)
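Review bot: The new `request` argument on the `case` line needs a why-comment, because nothing in this method shows that scope validity is now request-dependent: a token carrying only a conditional scope (one declared with `if: -> (request) { request.get? }`) passes `validate` on GET and raises `InsufficientScopeError` on POST with no other input changing. I would add above the `case`: `# request is passed so conditional scope declarations (allow_access_with_scope ..., if:) are evaluated per request; the same token can be accepted on GET and rejected on POST.` If the predicate is Rack's `get?`, HEAD and OPTIONS requests land on the deny side, which is the safe direction but worth confirming for any endpoint that answers HEAD. The enclosing method begins above the hunk.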
@@ -105,7 +105,7 @@ module API
access_token = PersonalAccessToken.active.find_by_token(token_string)
return unless access_token
- if AccessTokenValidationService.new(access_token).include_any_scope?(scopes)
+ if AccessTokenValidationService.new(access_token, request).include_any_scope?(scopes)
User.find(access_token.user_id)
end
end
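Review bot: An out-of-scope token takes a different path here than in the first hunk: when `include_any_scope?` returns false the `if` falls through to nil, so the caller sees no user at all rather than an `InsufficientScopeError`. With conditional scopes this asymmetry matters more, since a `read_user` token that is accepted on GET now silently degrades to anonymous on other methods, and that is easy to misread downstream as "no token was sent" instead of "token lacks scope". Please either confirm this is intended and record it — `# An insufficient scope here yields nil (treated as unauthenticated), not InsufficientScopeError as in the access-token path` — or add an `else` raising `InsufficientScopeError.new(scopes)` so both paths behave the same. The enclosing method starts above the hunk.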
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 3cf04e6df3c..c69e7afea8c 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -340,7 +340,7 @@ module API
end
def initial_current_user
- endpoint_class = options[:for]
+ endpoint_class = options[:for].presence || ::API::API
return @initial_current_user if defined?(@initial_current_user)
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
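Review bot: The fallback to `::API::API` on the new `endpoint_class` line can fail open: a caller that forgets `for:` silently inherits the root API's scope declarations instead of erroring, and nothing at the line records that this is the intended policy. If the root class is meant to be the canonical scope set for helpers used outside a mounted endpoint, say so with `# No endpoint class given (helpers used outside a mounted endpoint): deliberately fall back to the root API's scope declarations.`; otherwise prefer `raise ArgumentError, 'options[:for] is required'` so a misconfigured caller is loud rather than over-permitted. Independently, the memoised `return @initial_current_user if defined?(@initial_current_user)` should precede the assignment, since computing `endpoint_class` is wasted on the memo hit. The method continues past the hunk.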