summaryrefslogtreecommitdiff
path: root/lib/api
diff options
context:
space:
mode:
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/entities/project.rb4
-rw-r--r--lib/api/entities/user_safe.rb12
-rw-r--r--lib/api/lint.rb12
-rw-r--r--lib/api/merge_request_approvals.rb4
-rw-r--r--lib/api/merge_request_diffs.rb4
-rw-r--r--lib/api/merge_requests.rb10
-rw-r--r--lib/api/todos.rb4
7 files changed, 26 insertions, 24 deletions
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index b97e39c6d35..7942487bd1d 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -55,7 +55,9 @@ module API
expose(:snippets_enabled) { |project, options| project.feature_available?(:snippets, options[:current_user]) }
expose(:container_registry_enabled) { |project, options| project.feature_available?(:container_registry, options[:current_user]) }
expose :service_desk_enabled
- expose :service_desk_address
+ expose :service_desk_address, if: -> (project, options) do
+ Ability.allowed?(options[:current_user], :admin_issue, project)
+ end
expose(:can_create_merge_request_in) do |project, options|
Ability.allowed?(options[:current_user], :create_merge_request_in, project)
diff --git a/lib/api/entities/user_safe.rb b/lib/api/entities/user_safe.rb
index feb01767fd6..6006a076020 100644
--- a/lib/api/entities/user_safe.rb
+++ b/lib/api/entities/user_safe.rb
@@ -3,7 +3,17 @@
module API
module Entities
class UserSafe < Grape::Entity
- expose :id, :name, :username
+ expose :id, :username
+ expose :name do |user|
+ next user.name unless user.project_bot?
+
+ next user.name if options[:current_user]&.can?(:read_resource_access_tokens, user.projects.first)
+
+ # If the requester does not have permission to read the project bot name,
+ # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
+ # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
+ '****'
+ end
end
end
end
diff --git a/lib/api/lint.rb b/lib/api/lint.rb
index fa871b4bc57..d7d1f52c02e 100644
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
@@ -4,6 +4,16 @@ module API
class Lint < ::API::Base
feature_category :pipeline_authoring
+ helpers do
+ def can_lint_ci?
+ signup_unrestricted = Gitlab::CurrentSettings.signup_enabled? && !Gitlab::CurrentSettings.signup_limited?
+ internal_user = current_user.present? && !current_user.external?
+ is_developer = current_user.present? && current_user.projects.any? { |p| p.team.member?(current_user, Gitlab::Access::DEVELOPER) }
+
+ signup_unrestricted || internal_user || is_developer
+ end
+ end
+
namespace :ci do
desc 'Validation of .gitlab-ci.yml content'
params do
@@ -11,7 +21,7 @@ module API
optional :include_merged_yaml, type: Boolean, desc: 'Whether or not to include merged CI config yaml in the response'
end
post '/lint' do
- unauthorized! if (Gitlab::CurrentSettings.signup_disabled? || Gitlab::CurrentSettings.signup_limited?) && current_user.nil?
+ unauthorized! unless can_lint_ci?
result = Gitlab::Ci::Lint.new(project: nil, current_user: current_user)
.validate(params[:content], dry_run: false)
diff --git a/lib/api/merge_request_approvals.rb b/lib/api/merge_request_approvals.rb
index 83150bb51ca..2e840e8e6e8 100644
--- a/lib/api/merge_request_approvals.rb
+++ b/lib/api/merge_request_approvals.rb
@@ -25,9 +25,7 @@ module API
# Examples:
# GET /projects/:id/merge_requests/:merge_request_iid/approvals
desc 'List approvals for merge request'
- get 'approvals' do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
+ get 'approvals', urgency: :low do
merge_request = find_merge_request_with_access(params[:merge_request_iid])
present_approval(merge_request)
diff --git a/lib/api/merge_request_diffs.rb b/lib/api/merge_request_diffs.rb
index 470f78a7dc2..8fa7138af42 100644
--- a/lib/api/merge_request_diffs.rb
+++ b/lib/api/merge_request_diffs.rb
@@ -23,8 +23,6 @@ module API
use :pagination
end
get ":id/merge_requests/:merge_request_iid/versions" do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
present paginate(merge_request.merge_request_diffs.order_id_desc), with: Entities::MergeRequestDiff
@@ -41,8 +39,6 @@ module API
end
get ":id/merge_requests/:merge_request_iid/versions/:version_id" do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
present_cached merge_request.merge_request_diffs.find(params[:version_id]), with: Entities::MergeRequestDiffFull, cache_context: nil
diff --git a/lib/api/merge_requests.rb b/lib/api/merge_requests.rb
index 34af9eab511..3f3fa3a9e76 100644
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
@@ -261,8 +261,6 @@ module API
success Entities::MergeRequest
end
get ':id/merge_requests/:merge_request_iid', feature_category: :code_review do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
present merge_request,
@@ -279,8 +277,6 @@ module API
success Entities::UserBasic
end
get ':id/merge_requests/:merge_request_iid/participants', feature_category: :code_review do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
participants = ::Kaminari.paginate_array(merge_request.participants)
@@ -292,8 +288,6 @@ module API
success Entities::Commit
end
get ':id/merge_requests/:merge_request_iid/commits', feature_category: :code_review do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
commits =
@@ -375,8 +369,6 @@ module API
success Entities::MergeRequestChanges
end
get ':id/merge_requests/:merge_request_iid/changes', feature_category: :code_review do
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
merge_request = find_merge_request_with_access(params[:merge_request_iid])
present merge_request,
@@ -392,8 +384,6 @@ module API
get ':id/merge_requests/:merge_request_iid/pipelines', feature_category: :continuous_integration do
pipelines = merge_request_pipelines_with_access
- not_found!("Merge Request") unless can?(current_user, :read_merge_request, user_project)
-
present paginate(pipelines), with: Entities::Ci::PipelineBasic
end
diff --git a/lib/api/todos.rb b/lib/api/todos.rb
index e0e5ca615ac..9b3cb85ee39 100644
--- a/lib/api/todos.rb
+++ b/lib/api/todos.rb
@@ -29,10 +29,6 @@ module API
post ":id/#{type}/:#{type_id_str}/todo" do
issuable = instance_exec(params[type_id_str], &finder)
- unless can?(current_user, :read_merge_request, issuable.project)
- not_found!(type.split("_").map(&:capitalize).join(" "))
- end
-
todo = TodoService.new.mark_todo(issuable, current_user).first
if todo
View Lorry Controller Status