Commit d5b17111 authored by briankabiro's avatar briankabiro

Add current_user check in events api

The API returns a 500 error when scope is supplied and current_user
is not present. This is because a user's projects are used in the
query that returns all events.

This change adds a check to confirm that current_user is provided
before trying to run the query when scope is passed
parent 17389160
...@@ -43,16 +43,17 @@ class EventsFinder ...@@ -43,16 +43,17 @@ class EventsFinder
events = sort(events) events = sort(events)
events = events.with_associations if params[:with_associations] events = events.with_associations if params[:with_associations]
paginated_filtered_by_user_visibility(events) paginated_filtered_by_user_visibility(events)
end end
private private
def get_events def get_events
return EventCollection.new(current_user.authorized_projects).all_project_events if scope == 'all' if current_user && scope == 'all'
EventCollection.new(current_user.authorized_projects).all_project_events
source.events else
source.events
end
end end
# rubocop: disable CodeReuse/ActiveRecord # rubocop: disable CodeReuse/ActiveRecord
......
---
title: Authenticate user when scope is passed to events api
merge_request: 22956
author: briankabiro
type: fixed
...@@ -171,6 +171,18 @@ describe API::Events do ...@@ -171,6 +171,18 @@ describe API::Events do
expect(json_response[0]['target_id']).to eq(closed_issue.id) expect(json_response[0]['target_id']).to eq(closed_issue.id)
end end
end end
context 'when scope is passed' do
context 'when unauthenticated' do
it 'returns no user events' do
get api("/users/#{user.username}/events?scope=all")
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(0)
end
end
end
end end
it 'returns a 404 error if not found' do it 'returns a 404 error if not found' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment