Allow guests users to access project releases

This is step one of resolving https://gitlab.com/gitlab-org/gitlab-ce/issues/56838. Here is what changed: - Revert the security fix from bdee9e8412d. - Do not leak repository information (tag name, commit) to guests in API responses. - Do not include links to source code in API responses for users that do not have download_code access. - Show Releases in sidebar for guests. - Do not display links to source code under Assets for users that do not have download_code access. GET ':id/releases/:tag_name' still do not allow guests to access releases. This is to prevent guessing tag existence.
author: Krasimir Angelov <kangelov@gitlab.com> 2019-05-03 13:29:20 +0000
committer: Lin Jen-Shin <godfat@godfat.org> 2019-05-03 13:29:20 +0000
commit: 241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree: 085737123336ffc4abbf65652a7365c191c8a64c /spec/fixtures
parent: 9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download: gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz
6 files changed, 71 insertions, 8 deletions
diff --git a/spec/fixtures/api/schemas/public_api/v4/release.json b/spec/fixtures/api/schemas/public_api/v4/release.json
index 6612c2a9911..6ea0781c1ed 100644
--- a/spec/fixtures/api/schemas/public_api/v4/release.json
+++ b/spec/fixtures/api/schemas/public_api/v4/release.json
@@ -1,12 +1,33 @@
 {
   "type": "object",
-  "required" : [
-    "tag_name",
-    "description"
-  ],
-  "properties" : {
-    "tag_name": { "type": ["string", "null"] },
-    "description": { "type": "string" }
+  "required": ["name", "tag_name", "commit"],
+  "properties": {
+    "name": { "type": "string" },
+    "tag_name": { "type": "string" },
+    "description": { "type": "string" },
+    "description_html": { "type": "string" },
+    "created_at": { "type": "date" },
+    "commit": {
+      "oneOf": [{ "type": "null" }, { "$ref": "commit/basic.json" }]
+    },
+    "author": {
+      "oneOf": [{ "type": "null" }, { "$ref": "user/basic.json" }]
+    },
+    "assets": {
+      "required": ["count", "links", "sources"],
+      "properties": {
+        "count": { "type": "integer" },
+        "links": { "$ref": "../../release/links.json" },
+        "sources": {
+          "type": "array",
+          "items": {
+            "format": "zip",
+            "url": "string"
+          }
+        }
+      },
+      "additionalProperties": false
+    }
   },
   "additionalProperties": false
 }
diff --git a/spec/fixtures/api/schemas/public_api/v4/release/release_for_guest.json b/spec/fixtures/api/schemas/public_api/v4/release/release_for_guest.json
new file mode 100644
index 00000000000..e78398ad1d5
--- /dev/null
+++ b/spec/fixtures/api/schemas/public_api/v4/release/release_for_guest.json
@@ -0,0 +1,22 @@
+{
+  "type": "object",
+  "required": ["name"],
+  "properties": {
+    "name": { "type": "string" },
+    "description": { "type": "string" },
+    "description_html": { "type": "string" },
+    "created_at": { "type": "date" },
+    "author": {
+      "oneOf": [{ "type": "null" }, { "$ref": "../user/basic.json" }]
+    },
+    "assets": {
+      "required": ["count", "links"],
+      "properties": {
+        "count": { "type": "integer" },
+        "links": { "$ref": "../../../release/links.json" }
+      },
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}
diff --git a/spec/fixtures/api/schemas/public_api/v4/release/releases_for_guest.json b/spec/fixtures/api/schemas/public_api/v4/release/releases_for_guest.json
new file mode 100644
index 00000000000..c13966b28e9
--- /dev/null
+++ b/spec/fixtures/api/schemas/public_api/v4/release/releases_for_guest.json
@@ -0,0 +1,4 @@
+{
+  "type": "array",
+  "items": { "$ref": "release_for_guest.json" }
+}
diff --git a/spec/fixtures/api/schemas/public_api/v4/release/tag_release.json b/spec/fixtures/api/schemas/public_api/v4/release/tag_release.json
new file mode 100644
index 00000000000..6612c2a9911
--- /dev/null
+++ b/spec/fixtures/api/schemas/public_api/v4/release/tag_release.json
@@ -0,0 +1,12 @@
+{
+  "type": "object",
+  "required" : [
+    "tag_name",
+    "description"
+  ],
+  "properties" : {
+    "tag_name": { "type": ["string", "null"] },
+    "description": { "type": "string" }
+  },
+  "additionalProperties": false
+}
diff --git a/spec/fixtures/api/schemas/public_api/v4/releases.json b/spec/fixtures/api/schemas/public_api/v4/releases.json
new file mode 100644
index 00000000000..e26215707fe
--- /dev/null
+++ b/spec/fixtures/api/schemas/public_api/v4/releases.json
@@ -0,0 +1,4 @@
+{
+  "type": "array",
+  "items": { "$ref": "release.json" }
+}
diff --git a/spec/fixtures/api/schemas/public_api/v4/tag.json b/spec/fixtures/api/schemas/public_api/v4/tag.json
index 10d4edb7ffb..5713ea1f526 100644
--- a/spec/fixtures/api/schemas/public_api/v4/tag.json
+++ b/spec/fixtures/api/schemas/public_api/v4/tag.json
@@ -14,7 +14,7 @@
     "release": {
       "oneOf": [
         { "type": "null" },
-        { "$ref": "release.json" }
+        { "$ref": "release/tag_release.json" }
       ]
     }
   },
author	Krasimir Angelov <kangelov@gitlab.com>	2019-05-03 13:29:20 +0000
committer	Lin Jen-Shin <godfat@godfat.org>	2019-05-03 13:29:20 +0000
commit	241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c (patch)
tree	085737123336ffc4abbf65652a7365c191c8a64c /spec/fixtures
parent	9a9aa22352be07f2ecdfb1396016a9a03d26f559 (diff)
download	gitlab-ce-241ba4be7989547b3bc3f9a1a20b8dee7a4e9a0c.tar.gz