Commit 46e88b15 authored by Hordur Freyr Yngvason's avatar Hordur Freyr Yngvason

Broaden access scope for Version API

Requiring the api scope for accessing the version seems excessive.
The docs state that it "Responds 200 OK for authenticated users."

See https://gitlab.com/gitlab-org/gitlab/issues/198483
parent bb40d720
---
title: Allow access to /version API endpoint with read_user scope
merge_request: 25211
author:
type: changed
...@@ -3,6 +3,9 @@ ...@@ -3,6 +3,9 @@
module API module API
class Version < Grape::API class Version < Grape::API
helpers ::API::Helpers::GraphqlHelpers helpers ::API::Helpers::GraphqlHelpers
include APIGuard
allow_access_with_scope :read_user, if: -> (request) { request.get? }
before { authenticate! } before { authenticate! }
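Review bot: The `allow_access_with_scope :read_user, if: -> (request) { request.get? }` line carries no comment saying why the grant is limited to GET requests or why read_user was chosen, so a later reader of version.rb cannot tell whether a non-GET route added to this class is meant to stay api-scope-only. The reasoning currently lives only in the commit message; a one-line comment above it such as `# read_user tokens may read the version and revision; anything other than GET still requires the api scope` would keep it with the code. Widening the scope exposes the exact version and revision to every read_user token, which matches the documented "authenticated users" wording but is worth stating next to the grant. The class body continues outside the hunk, so whether any non-GET route exists here cannot be confirmed from this view.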
...@@ -12,17 +12,55 @@ describe API::Version do ...@@ -12,17 +12,55 @@ describe API::Version do
end end
end end
context 'when authenticated' do context 'when authenticated as user' do
let(:user) { create(:user) } let(:user) { create(:user) }
it 'returns the version information' do it 'returns the version information' do
get api('/version', user) get api('/version', user)
expect(response).to have_gitlab_http_status(200) expect_version
expect(json_response['version']).to eq(Gitlab::VERSION)
expect(json_response['revision']).to eq(Gitlab.revision)
end end
end end
context 'when authenticated with token' do
let(:personal_access_token) { create(:personal_access_token, scopes: scopes) }
context 'with api scope' do
let(:scopes) { %i(api) }
it 'returns the version information' do
get api('/version', personal_access_token: personal_access_token)
expect_version
end
end
context 'with read_user scope' do
let(:scopes) { %i(read_user) }
it 'returns the version information' do
get api('/version', personal_access_token: personal_access_token)
expect_version
end
end
context 'with neither api nor read_user scope' do
let(:scopes) { %i(read_repository) }
it 'returns authorization error' do
get api('/version', personal_access_token: personal_access_token)
expect(response).to have_gitlab_http_status(403)
end
end
end
def expect_version
expect(response).to have_gitlab_http_status(200)
expect(json_response['version']).to eq(Gitlab::VERSION)
expect(json_response['revision']).to eq(Gitlab.revision)
end
end end
context 'with graphql enabled' do context 'with graphql enabled' do
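Review bot: `expect_version` is defined as a plain method at the bottom of the example group, after the examples that call it; that works because examples run only once the group is fully defined, but the idiomatic RSpec form is a shared example used with `it_behaves_like`, which also names the expectation in failure output. The three token contexts repeat the identical `get api('/version', personal_access_token: personal_access_token)` line, which a `before` at the 'when authenticated with token' level would remove, leaving each context to state only its scope and expectation. The `read_repository` negative case is the one that actually guards the new read_user grant, so it should keep its explicit 403 assertion whatever shape the helper takes. The surrounding describe block starts and ends outside the hunk.
```ruby
shared_examples 'returns version information' do
  it 'returns the version information' do
    expect(response).to have_gitlab_http_status(200)
    expect(json_response['version']).to eq(Gitlab::VERSION)
    expect(json_response['revision']).to eq(Gitlab.revision)
  end
end

# … unchanged: 'when authenticated as user' context, with its `get` moved into a `before` and `it_behaves_like` in place of expect_version …

context 'when authenticated with token' do
  let(:personal_access_token) { create(:personal_access_token, scopes: scopes) }

  before do
    get api('/version', personal_access_token: personal_access_token)
  end

  context 'with api scope' do
    let(:scopes) { %i(api) }

    it_behaves_like 'returns version information'
  end

  context 'with read_user scope' do
    let(:scopes) { %i(read_user) }

    it_behaves_like 'returns version information'
  end

  context 'with neither api nor read_user scope' do
    let(:scopes) { %i(read_repository) }

    it 'returns authorization error' do
      expect(response).to have_gitlab_http_status(403)
    end
  end
end
```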