authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-02 01:00:04 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-02 01:00:04 +0300
commitf3bcf3c9116c3de0f0ee3c45ca5de36889b65677 (patch)
treedbfaee918ac838fd135035c29d8abb53d2a8587c
parent42b409c72f3c7a0e7db3dc2238071dff36be1c66 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--doc/administration/geo/replication/configuration.md2
-rw-r--r--lib/api/import_github.rb2
-rw-r--r--lib/api/resource_access_tokens.rb6
-rw-r--r--spec/requests/api/import_github_spec.rb22
-rw-r--r--spec/requests/api/resource_access_tokens_spec.rb35
5 files changed, 64 insertions, 3 deletions
diff --git a/doc/administration/geo/replication/configuration.md b/doc/administration/geo/replication/configuration.md
index ee92d05c81e..55c5d3784c2 100644
--- a/doc/administration/geo/replication/configuration.md
+++ b/doc/administration/geo/replication/configuration.md
@@ -12,7 +12,7 @@ type: howto
NOTE:
This is the final step in setting up a **secondary** Geo site. Stages of the
setup process must be completed in the documented order.
-If not, [complete all prior stages](../setup/index.md#using-omnibus-gitlab) before procceed.
+If not, [complete all prior stages](../setup/index.md#using-omnibus-gitlab) before proceeding.
Make sure you [set up the database replication](../setup/database.md), and [configured fast lookup of authorized SSH keys](../../operations/fast_ssh_key_lookup.md) in **both primary and secondary sites**.
diff --git a/lib/api/import_github.rb b/lib/api/import_github.rb
index 493cc038f46..ee678ee1981 100644
--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
@@ -2,6 +2,8 @@
module API
class ImportGithub < ::API::Base
+ before { authenticate! }
+
feature_category :importers
urgency :low
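Review bot: The new class-level `before { authenticate! }` now applies to every endpoint declared in `API::ImportGithub`, and the class body continues outside the hunk, so any route there that was intentionally reachable without a GitLab credential is rejected before its own parameter handling runs; the specs in this commit expect `:unauthorized` for the two POST routes, which is the outcome this filter is meant to produce. Nothing in the file records why the filter was added, so a reader who only sees this class cannot tell whether the earlier omission was deliberate. Suggest a one-line comment above the filter, e.g. `# Import endpoints act on behalf of current_user; anonymous requests are rejected up front.`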
diff --git a/lib/api/resource_access_tokens.rb b/lib/api/resource_access_tokens.rb
index 2ba109b7092..1735e63c566 100644
--- a/lib/api/resource_access_tokens.rb
+++ b/lib/api/resource_access_tokens.rb
@@ -4,6 +4,8 @@ module API
class ResourceAccessTokens < ::API::Base
include PaginationParams
+ ALLOWED_RESOURCE_ACCESS_LEVELS = Gitlab::Access.options_with_owner.freeze
+
before { authenticate! }
feature_category :authentication_and_authorization
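Review bot: `ALLOWED_RESOURCE_ACCESS_LEVELS` is introduced without a comment, and its name does not convey that the value is whatever `Gitlab::Access.options_with_owner` returns (presumably a display-name to integer-level hash, since the params block later in this file calls `.values` on it) rather than a plain list of levels. A short comment would prevent the next maintainer from swapping in an array and silently breaking that `.values` call, e.g. `# Display name => integer level (including Owner); the :access_level param validates against .values`. Note also that `.freeze` is shallow, which is fine as long as the source hash holds only immutable strings and integers.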
@@ -79,8 +81,8 @@ module API
params do
requires :id, type: String, desc: "The #{source_type} ID"
requires :name, type: String, desc: "Resource access token name"
- requires :scopes, type: Array[String], desc: "The permissions of the token"
- optional :access_level, type: Integer, desc: "The access level of the token in the #{source_type}"
+ requires :scopes, type: Array[String], values: ::Gitlab::Auth.resource_bot_scopes.map(&:to_s), desc: "The permissions of the token"
+ optional :access_level, type: Integer, values: ALLOWED_RESOURCE_ACCESS_LEVELS.values, default: Gitlab::Access::MAINTAINER, desc: "The access level of the token in the #{source_type}"
optional :expires_at, type: Date, desc: "The expiration date of the token"
end
post ':id/access_tokens' do
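Review bot: The `values:` options added to `scopes` and `access_level` are input validation, not authorization: they reject levels outside `ALLOWED_RESOURCE_ACCESS_LEVELS.values` (which appears to include Owner, given `options_with_owner`), but whether the requesting user may grant that level to a bot must be enforced in the service that the `post ':id/access_tokens'` body calls, which lies outside the hunk — worth confirming that check exists rather than treating this allow-list as the safeguard. The new `default: Gitlab::Access::MAINTAINER` also changes what the endpoint passes down when `access_level` is omitted (previously `nil`); if the create service already defaulted to Maintainer this is harmless, otherwise it is a behaviour change that the changed specs do not cover. A comment such as `# values: rejects unknown levels; the caller's permission to grant the chosen level is checked by the create service` would make that split explicit, and `::Gitlab::Auth` versus `Gitlab::Access` on adjacent lines could use one prefix style.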
diff --git a/spec/requests/api/import_github_spec.rb b/spec/requests/api/import_github_spec.rb
index 015a09d41ab..4f95295c14d 100644
--- a/spec/requests/api/import_github_spec.rb
+++ b/spec/requests/api/import_github_spec.rb
@@ -89,6 +89,18 @@ RSpec.describe API::ImportGithub do
expect(response).to have_gitlab_http_status(:unprocessable_entity)
end
+
+ context 'when unauthenticated user' do
+ it 'returns 403 response' do
+ post api("/import/github"), params: {
+ target_namespace: user.namespace_path,
+ personal_access_token: token,
+ repo_id: non_existing_record_id
+ }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
end
describe "POST /import/github/cancel" do
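Review bot: The new example is titled `'returns 403 response'` but asserts `have_gitlab_http_status(:unauthorized)`, which is 401; the same mismatch appears in the second hunk of this file (the `POST /import/github/cancel` context). Rename both to `it 'returns 401 response' do` so the description matches the assertion and a failure message reads correctly. The unauthenticated behaviour is only implied by calling `api(...)` without a user argument; if the helper's anonymous form is not obvious to readers of this spec, a short comment in the context would help.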
@@ -127,5 +139,15 @@ RSpec.describe API::ImportGithub do
expect(json_response['message']).to eq('The import cannot be canceled because it is finished')
end
end
+
+ context 'when unauthenticated user' do
+ it 'returns 403 response' do
+ post api("/import/github/cancel"), params: {
+ project_id: project.id
+ }
+
+ expect(response).to have_gitlab_http_status(:unauthorized)
+ end
+ end
end
end
diff --git a/spec/requests/api/resource_access_tokens_spec.rb b/spec/requests/api/resource_access_tokens_spec.rb
index d9a12e7e148..73db8232119 100644
--- a/spec/requests/api/resource_access_tokens_spec.rb
+++ b/spec/requests/api/resource_access_tokens_spec.rb
@@ -416,6 +416,41 @@ RSpec.describe API::ResourceAccessTokens do
expect(response.body).to include("scopes is missing")
end
end
+
+ context "when using invalid 'scopes'" do
+ let_it_be(:params) do
+ {
+ name: "test",
+ scopes: ["test"],
+ expires_at: 5.days.from_now
+ }
+ end
+
+ it "does not create a #{source_type} access token with invalid 'scopes'", :aggregate_failures do
+ create_token
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(response.body).to include("scopes does not have a valid value")
+ end
+ end
+
+ context "when using invalid 'access_level'" do
+ let_it_be(:params) do
+ {
+ name: "test",
+ scopes: ["api"],
+ expires_at: 5.days.from_now,
+ access_level: Gitlab::Access::NO_ACCESS
+ }
+ end
+
+ it "does not create a #{source_type} access token with invalid 'access_level'", :aggregate_failures do
+ create_token
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(response.body).to include("access_level does not have a valid value")
+ end
+ end
end
context "when trying to create a token in a different #{source_type}" do
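Review bot: The new contexts cover one invalid `scopes` value and one invalid `access_level` (`Gitlab::Access::NO_ACCESS`), but nothing here exercises the `default: Gitlab::Access::MAINTAINER` that `lib/api/resource_access_tokens.rb` gains in the same commit, so a regression in that default would pass silently. Add a context whose params omit `access_level` and assert that the created token carries the Maintainer level (the exact attribute to read depends on `create_token` and the response shape, both outside the hunk). Since `let_it_be` evaluates `5.days.from_now` once per example group, these params are fine for a fixed future date but should not be reused for expiry-boundary tests.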