Merge branch 'enabling_runners_token_for_groups' into 'master'

Enabling runners token for groups See merge request gitlab-org/gitlab!16831

Merge branch 'enabling_runners_token_for_groups' into 'master'
Enabling runners token for groups See merge request gitlab-org/gitlab!16831
764103fe · Kamil Trzciński · ee7d9d47 · 011c1ac4 · 764103fe · 764103fe
Commit 764103fe authored Sep 17, 2019 by Kamil Trzciński
5 changed files
--- a/changelogs/unreleased/enabling_runners_token_for_groups.yml
+++ b/changelogs/unreleased/enabling_runners_token_for_groups.yml
+---
+title: Adds the runners_token of the group if the user that requests the group info is admin of it
+merge_request: 16831
+author: Ignacio Lorenzo Subirá Otal nachootal@gmail.com
+type: changed
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -208,7 +208,7 @@ Example response:
 ## Details of a group

 Get all details of a group. This endpoint can be accessed without authentication
-if the group is publicly accessible.
+if the group is publicly accessible. In case the user that requests is admin of the group, it will return the `runners_token` for the group too.

 ```
 GET /groups/:id
@@ -240,6 +240,7 @@ Example response:
  "request_access_enabled": false,
  "full_name": "Twitter",
  "full_path": "twitter",
+  "runners_token": "ba324ca7b1c77fc20bb9",
  "file_template_project_id": 1,
  "parent_id": null,
  "projects": [

--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -400,6 +400,7 @@ module API
    end

    class GroupDetail < Group
+      expose :runners_token, if: lambda { |group, options| options[:user_can_admin_group] }
      expose :projects, using: Entities::Project do |group, options|
        projects = GroupProjectsFinder.new(
          group: group,

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -173,7 +173,8 @@ module API

        options = {
          with: params[:with_projects] ? Entities::GroupDetail : Entities::Group,
-          current_user: current_user
+          current_user: current_user,
+          user_can_admin_group: can?(current_user, :admin_group, group)
        }

        group, options = with_custom_attributes(group, options)

--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -59,6 +59,16 @@ describe API::Groups do
          .to satisfy_one { |group| group['name'] == group1.name }
      end

+      it "does not include runners_token information" do
+        get api("/groups", user1)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response.length).to eq(1)
+        expect(json_response.first).not_to include('runners_token')
+      end
+
      it "does not include statistics" do
        get api("/groups", user1), params: { statistics: true }

@@ -79,6 +89,16 @@ describe API::Groups do
        expect(json_response.length).to eq(2)
      end

+      it "does not include runners_token information" do
+        get api("/groups", admin)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(json_response.length).to eq(2)
+        expect(json_response.first).not_to include('runners_token')
+      end
+
      it "does not include statistics by default" do
        get api("/groups", admin)

@@ -292,6 +312,7 @@ describe API::Groups do
        get api("/groups/#{group1.id}")

        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).not_to include('runners_token')
      end

      it 'returns only public projects in the group' do
@@ -350,6 +371,22 @@ describe API::Groups do
        expect(response).to have_gitlab_http_status(200)
        expect(json_response['projects']).to be_nil
        expect(json_response['shared_projects']).to be_nil
+        expect(json_response).not_to include('runners_token')
+      end
+
+      it "doesn't return runners_token if the user is not the owner of the group" do
+        get api("/groups/#{group1.id}", user3)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).not_to include('runners_token')
+      end
+
+      it "returns runners_token if the user is the owner of the group" do
+        group1.add_owner(user3)
+        get api("/groups/#{group1.id}", user3)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to include('runners_token')
      end

      it "does not return a non existing group" do
@@ -407,6 +444,13 @@ describe API::Groups do
        expect(json_response['name']).to eq(group2.name)
      end

+      it "returns information of the runners_token for the group" do
+        get api("/groups/#{group2.id}", admin)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to include('runners_token')
+      end
+
      it "does not return a non existing group" do
        get api("/groups/1328", admin)