- They are not included automatically since `API::Users` does not inherit from
`API::API`, as I initially assumed.
- Scopes declared in `API::API` are considered global (to the API), and need to
be included in all cases.
- Scope declarations of the form:

      allow_access_with_scope :read_user, if: -> (request) { request.get? }

  will only apply for `GET` requests
- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
test for this case in the `AccessTokenValidationService` unit tests.
- Declaring an endpoint's scopes in a `before` block has proved to be
unreliable. For example, if we're accessing the `API::Users` endpoint - code
in a `before` block in `API::API` wouldn't be able to see the scopes set in
`API::Users` since the `API::API` `before` block runs first.
- This commit moves these declarations to the class level, since they don't need
to change once set.
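
The scope behaviour this commit message describes, as an added Ruby sketch that is not part of the commit or GitLab's own code: a conditional `read_user` rule that only matches `GET`, plus global rules that have to be merged in explicitly. `Request`, `ScopeRule`, `Endpoint`, `UsersEndpoint`, `token_allowed?`, `GLOBAL_RULES` and the `:api` global scope are assumptions made for illustration.

```ruby
# Simplified model of conditional API scopes (hypothetical classes, not GitLab code).
Request = Struct.new(:verb) do
  def get?
    verb == "GET"
  end
end

# One scope an endpoint accepts, optionally guarded by an `if:` condition.
class ScopeRule
  attr_reader :name

  def initialize(name, condition = nil)
    @name = name
    @condition = condition
  end

  # A rule without a condition applies to every request.
  def applies_to?(request)
    @condition.nil? || @condition.call(request)
  end
end

class Endpoint
  # Class-level storage: rules are fixed when the class body is evaluated,
  # so the order in which `before` hooks run cannot hide them.
  def self.allowed_scopes
    @allowed_scopes ||= []
  end

  def self.allow_access_with_scope(name, options = {})
    allowed_scopes << ScopeRule.new(name, options[:if])
  end

  # Global rules are passed in explicitly because the endpoint class does
  # not inherit from the class that declares them.
  def self.token_allowed?(token_scopes, request, global_rules = [])
    (global_rules + allowed_scopes).any? do |rule|
      token_scopes.include?(rule.name) && rule.applies_to?(request)
    end
  end
end

# Assumed global scope, standing in for one declared on the base API class.
GLOBAL_RULES = [ScopeRule.new(:api)].freeze

class UsersEndpoint < Endpoint
  allow_access_with_scope :read_user, if: ->(request) { request.get? }
end
```

The negative case the message asks for is the `POST` request with a `read_user`-only token, which must be rejected.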
The ProjectsFinder and GroupFinder both support the same set of params. And the
`/api/v4/projects` and `/api/v4/group/:id/projects` also support the same set of
params. But they do not match the Finder params. So use a helper method to
transform them.
- Currently, (for example) admins can't delete snippets for blocked users, which
is an unexpected limitation.
- We modify `authenticate!` to conduct the `access_api` policy check against the
`initial_current_user`, instead of the user being impersonated.
- Update CHANGELOG for !10842
In API V4 all endpoints were changed so Merge Requests and Issues
should be referred by iid, instead of id. Except the /notes endpoint
was forgotten. So change the endpoints from:
- /projects/:id/issues/:issue_id/notes
- /projects/:id/merge_requests/:merge_request_id/notes
To:
- /projects/:id/issues/:issue_iid/notes
- /projects/:id/merge_requests/:merge_request_iid/notes
For Project Snippets nothing changes.
- As opposed to the `id` that was previously being used.
- This brings the API routes closer to the web interface's routes.
- This is specific to API v4.
- As opposed to the issue `id` that was previously being used.
- This brings the API routes closer to the web interface's routes.
- This is specific to API v4.