Merge branch 'lm-fix-authorization-lint' into 'master'

Updates authorization for lint See merge request gitlab-org/gitlab!54492

Merge branch 'lm-fix-authorization-lint' into 'master'
Updates authorization for lint See merge request gitlab-org/gitlab!54492
ce664d2f · charlie ablett · 07a41b53 · e2a5f98e · ce664d2f · ce664d2f
Commit ce664d2f authored Feb 22, 2021 by charlie ablett
5 changed files
--- a/changelogs/unreleased/lm-fix-authorization-lint.yml
+++ b/changelogs/unreleased/lm-fix-authorization-lint.yml
+---
+title: Updates authorization for linting endpoint
+merge_request: 54492
+author:
+type: changed
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
@@ -11,7 +11,7 @@ module API
        optional :include_merged_yaml, type: Boolean, desc: 'Whether or not to include merged CI config yaml in the response'
      end
      post '/lint' do
-        unauthorized! unless Gitlab::CurrentSettings.signup_enabled? && current_user
+        unauthorized! if Gitlab::CurrentSettings.signup_disabled? && current_user.nil?
        result = Gitlab::Ci::YamlProcessor.new(params[:content], user: current_user).execute

--- a/lib/gitlab/current_settings.rb
+++ b/lib/gitlab/current_settings.rb
@@ -3,6 +3,10 @@
 module Gitlab
  module CurrentSettings
    class << self
+      def signup_disabled?
+        !signup_enabled?
+      end
      def current_application_settings
        Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
      end

--- a/spec/lib/gitlab/current_settings_spec.rb
+++ b/spec/lib/gitlab/current_settings_spec.rb
@@ -24,6 +24,26 @@ RSpec.describe Gitlab::CurrentSettings do
    end
  end
+  describe '.signup_disabled?' do
+    subject { described_class.signup_disabled? }
+    context 'when signup is enabled' do
+      before do
+        create(:application_setting, signup_enabled: true)
+      end
+      it { is_expected.to be_falsey }
+    end
+    context 'when signup is disabled' do
+      before do
+        create(:application_setting, signup_enabled: false)
+      end
+      it { is_expected.to be_truthy }
+    end
+  end
  describe '#current_application_settings', :use_clean_rails_memory_store_caching do
    it 'allows keys to be called directly' do
      db_settings = create(:application_setting,

--- a/spec/requests/api/lint_spec.rb
+++ b/spec/requests/api/lint_spec.rb
@@ -5,7 +5,9 @@ require 'spec_helper'
 RSpec.describe API::Lint do
  describe 'POST /ci/lint' do
    context 'when signup settings are disabled' do
+      before do
        Gitlab::CurrentSettings.signup_enabled = false
+      end
      context 'when unauthenticated' do
        it 'returns authentication error' do
@@ -16,22 +18,25 @@ RSpec.describe API::Lint do
      end
      context 'when authenticated' do
-        it 'returns unauthorized error' do
+        let_it_be(:api_user) { create(:user) }
-          post api('/ci/lint'), params: { content: 'content' }
+        it 'returns authorized' do
+          post api('/ci/lint', api_user), params: { content: 'content' }
-          expect(response).to have_gitlab_http_status(:unauthorized)
+          expect(response).to have_gitlab_http_status(:ok)
        end
      end
    end
    context 'when signup settings are enabled' do
+      before do
        Gitlab::CurrentSettings.signup_enabled = true
+      end
      context 'when unauthenticated' do
-        it 'returns authentication error' do
+        it 'returns authorized success' do
          post api('/ci/lint'), params: { content: 'content' }
-          expect(response).to have_gitlab_http_status(:unauthorized)
+          expect(response).to have_gitlab_http_status(:ok)
        end
      end