
Fix search api requests when no scope permission

Terri Chu requested to merge 415425-fix-default-scope-for-api into master

What does this MR do and why?

Related to #415425 (closed) and the bug was introduced with changes from !122234 (merged)

This MR does the following:

  • Changes Project Search API (API docs) to check user permission for the scope requested before attempting to return data to the caller. If the user does not have permission, an empty array is returned.
  • A refactor of the search navigation code to support sharing the project scope check across multiple areas of the code. Now it's used outside of the view/helper. This includes pulling a lot of the tests out of the helper spec files.

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. set merge requests to "only project members" for a public project: Project - General Settings - Visibility, project features, permissions

  2. use an api token for a non project member for the project

  3. perform a project level API search for merge_requests scope. note: you must search for a term that has results, if no results are returned that won't test this issue

    curl --request GET \
      --url 'http://gdk.test:3000/api/v4/projects/43/search?scope=merge_requests&search=test' \
      --header 'Private-Token: TOKEN'

  4. verify that you get an empty array (and not an error). Note: the same query on the master branch returns a 500 error
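The validation steps above as one runnable script. This is an added example, not part of the MR or of GitLab's code: it issues the same project search request and fails unless the API answers HTTP 200 with an empty JSON array. The GDK URL, project id 43, the merge_requests scope and the search term come from the description; the GITLAB_TOKEN environment variable and the check_response helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks the MR's expected behaviour for a non-member token.
# Assumed: the token is passed in GITLAB_TOKEN; the other values default to
# the ones in the MR description (gdk.test:3000, project 43, merge_requests, "test").
GITLAB_URL="${GITLAB_URL:-http://gdk.test:3000}"
PROJECT_ID="${PROJECT_ID:-43}"
SCOPE="${SCOPE:-merge_requests}"
SEARCH_TERM="${SEARCH_TERM:-test}"

# check_response STATUS BODY
# Returns 0 when the reply is HTTP 200 with an empty JSON array (the fixed
# behaviour) and 1 for anything else: a 500 is the bug on master, a non-empty
# array means the token belongs to a member or the feature is not restricted
# (step 1), and a 401/404 means the token or project id is wrong.
check_response() {
  _status="$1"
  _body="$(printf '%s' "$2" | tr -d '[:space:]')"
  [ "$_status" = "200" ] && [ "$_body" = "[]" ]
}

# run_search performs step 3 and applies the step 4 check to the reply.
run_search() {
  _tmp="$(mktemp)"
  _status="$(curl --silent --show-error --output "$_tmp" --write-out '%{http_code}' \
    --request GET \
    --url "${GITLAB_URL}/api/v4/projects/${PROJECT_ID}/search?scope=${SCOPE}&search=${SEARCH_TERM}" \
    --header "Private-Token: ${GITLAB_TOKEN}")"
  _body="$(cat "$_tmp")"
  rm -f "$_tmp"
  if check_response "$_status" "$_body"; then
    echo "OK: HTTP $_status with empty array for scope=${SCOPE}"
  else
    echo "FAIL: HTTP $_status, body: $_body" >&2
    return 1
  fi
}

# Only touch the network when a token is supplied.
if [ -n "${GITLAB_TOKEN:-}" ]; then
  run_search
fi
```

Run it as `GITLAB_TOKEN=<non-member token> sh validate.sh`. Remember the note in step 3: the search term must match something the project members can see, otherwise an empty array proves nothing. Against master the same call prints FAIL with HTTP 500, which is the bug this MR fixes.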

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu
