Fix search api requests when no scope permission
What does this MR do and why?
Related to #415425 (closed) and the bug was introduced with changes from !122234 (merged)
This MR does the following:
- Changes Project Search API (API docs) to check user permission for the scope requested before attempting to return data to the caller. If the user does not have permission, an empty array is returned.
- A refactor of the search navigation code to support sharing the project scope check across multiple areas of the code. Now it's used outside of the view/helper. This includes pulling a lot of the tests out of the helper spec files.
Screenshots or screen recordings
N/A
How to set up and validate locally
- Set merge requests to "only project members" for a public project: Project - General Settings - Visibility, project features, permissions
- Use an API token for a non-project member for the project
- Perform a project-level API search for the `merge_requests` scope. Note: you must search for a term that has results; if no results are returned, that won't test this issue.

  ```shell
  curl --request GET \
    --url 'http://gdk.test:3000/api/v4/projects/43/search?scope=merge_requests&search=test' \
    --header 'Private-Token: TOKEN'
  ```
- Verify that you get an empty array (and not an error). Note: the same query on the master branch returns a 500 error.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
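
The pattern described in this MR, authorizing the requested scope before fetching any results and sharing that one check between navigation and the API, sketched as an added Ruby example. It is not GitLab's code: `Project`, `ScopeCheck`, `visible_scopes`, `project_search` and the sample data are hypothetical names and constructed values.

```ruby
# Added illustration; every name here is hypothetical, not GitLab's code.
Project = Struct.new(:visibility, :members, :feature_access, :records, keyword_init: true)

# One scope check shared by the navigation layer and the API layer.
class ScopeCheck
  def initialize(project, user)
    @project = project
    @user = user
  end

  # Unknown or disabled scopes are denied (fail closed).
  def allowed?(scope)
    case @project.feature_access.fetch(scope, :disabled)
    when :enabled then @project.visibility == :public || member?
    when :members_only then member?
    else false
    end
  end

  private

  def member?
    @project.members.include?(@user)
  end
end

# Navigation: list only the scopes (tabs) the user may see.
def visible_scopes(project, user)
  check = ScopeCheck.new(project, user)
  project.feature_access.keys.select { |scope| check.allowed?(scope) }
end

# API: authorize the requested scope before touching any data.
# A caller without permission gets an empty array, not an error.
def project_search(project, user, scope:, term:)
  return [] unless ScopeCheck.new(project, user).allowed?(scope)

  project.records.fetch(scope, []).select { |title| title.include?(term) }
end

# Constructed sample: public project, merge requests limited to members.
PROJECT = Project.new(
  visibility: :public,
  members: ["alice"],
  feature_access: { "merge_requests" => :members_only, "issues" => :enabled },
  records: { "merge_requests" => ["test pipeline fix"], "issues" => ["test flaky spec"] }
)
```

Because the search term matches a merge request in the sample data, the empty result for a non-member shows the permission check at work rather than an absence of hits, which is the same condition the validation steps call out.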