Commit 4ade06ec authored by Małgorzata Ksionek's avatar Małgorzata Ksionek

Add cr remarks

parent 958a3d67
---
title: Add read_api read only scope
title: Add read_api scope to personal access tokens for granting read only API access
merge_request: 28944
author:
type: added
......@@ -43,6 +43,7 @@ the following table.
| ------------------ | ------------- | ----------- |
| `read_user` | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951) | Allows access to the read-only endpoints under `/users`. Essentially, any of the `GET` requests in the [Users API][users] are allowed. |
| `api` | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951) | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_api` | [GitLab 12.10](https://https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_registry` | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845) | Allows to read (pull) [container registry] images if a project is private and authorization is required. |
| `sudo` | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838) | Allows performing API actions as any user in the system (if the authenticated user is an admin). |
| `read_repository` | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) | Allows read-only access (pull) to the repository through `git clone`. |
......
......@@ -11,7 +11,7 @@ describe API::API do
# to represent any API endpoint
let(:user) { create(:user, last_activity_on: Date.yesterday) }
it 'updates the users last_activity_on date' do
it 'updates the users last_activity_on to the current date' do
expect { get api('/groups', user) }.to change { user.reload.last_activity_on }.to(Date.today)
end
......@@ -25,7 +25,7 @@ describe API::API do
end
describe 'User with only read_api scope personal access token' do
# It does not matter which endpoint is used because this should
# It does not matter which endpoint is used because this should behave
# in the same way for every request. `/groups` is used as an example
# to represent any API endpoint
......@@ -45,9 +45,9 @@ describe API::API do
end
it 'does not authorize user for post request' do
group_attributes = attributes_for_group_api
params = attributes_for_group_api
post api("/groups", personal_access_token: token), params: group_attributes
post api("/groups", personal_access_token: token), params: params
expect(response).to have_gitlab_http_status(:forbidden)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment