
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 21:08:03 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-26 21:08:03 +0300
commitdc003cd08b4cb72fecbb03aa978ea0c53c03aeb4 (patch)
tree5e77ce228c33619201ac6706b9789d4a2eed2a3b /lib/api
parente80e0dd64fbb04f60394cb1bb08e17dbcb22b8ce (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/deploy_tokens.rb8
-rw-r--r--lib/api/helpers.rb4
-rw-r--r--lib/api/repositories.rb2
-rw-r--r--lib/api/snippets.rb2
-rw-r--r--lib/api/triggers.rb2
5 files changed, 14 insertions, 4 deletions
diff --git a/lib/api/deploy_tokens.rb b/lib/api/deploy_tokens.rb
index 2b1c485785b..a637bfcb180 100644
--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
@@ -53,10 +53,10 @@ module API
params do
requires :name, type: String, desc: "New deploy token's name"
- requires :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
- requires :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository" or "read_registry".'
+ optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
+ optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
end
desc 'Create a project deploy token' do
detail 'This feature was introduced in GitLab 12.9'
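Review bot: With `expires_at` now `optional` in the project-token params (and identically in the group-token hunk that follows), a request that simply omits it yields a token that never expires, per the parameter's own description, so a long-lived credential becomes the default outcome rather than a deliberate choice. If that is intended, the endpoint `detail` should say so, for example `detail 'This feature was introduced in GitLab 12.9. Tokens created without expires_at do not expire.'`. Otherwise a default or maximum lifetime would have to be applied where the token is built, which is outside this hunk. Separately, the `scopes` description promises "at least one" scope while the visible `values:` option only restricts each element, so whether an empty array is rejected depends on validation not shown here.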
@@ -114,10 +114,10 @@ module API
params do
requires :name, type: String, desc: 'The name of the deploy token'
- requires :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
- requires :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository" or "read_registry".'
+ optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
+ optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
end
desc 'Create a group deploy token' do
detail 'This feature was introduced in GitLab 12.9'
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 47784dc771e..ff61cceb4c9 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -367,6 +367,10 @@ module API
render_api_error!('405 Method Not Allowed', 405)
end
+ def not_acceptable!
+ render_api_error!('406 Not Acceptable', 406)
+ end
+
def service_unavailable!
render_api_error!('503 Service Unavailable', 503)
end
diff --git a/lib/api/repositories.rb b/lib/api/repositories.rb
index 62f5b67af1e..0b2df85f61f 100644
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
@@ -95,6 +95,8 @@ module API
render_api_error!({ error: ::Gitlab::RateLimitHelpers::ARCHIVE_RATE_LIMIT_REACHED_MESSAGE }, 429)
end
+ not_acceptable! if Gitlab::HotlinkingDetector.intercept_hotlinking?(request)
+
send_git_archive user_project.repository, ref: params[:sha], format: params[:format], append_sha: true
rescue
not_found!('File')
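Review bot: The new hotlinking check appears to sit inside the region covered by the bare `rescue` at the end of this hunk, so any StandardError raised inside `Gitlab::HotlinkingDetector.intercept_hotlinking?` would be reported to the client as `404 File Not Found` rather than surfacing as a failure. That makes a broken detector indistinguishable from a missing archive, and the request is then neither blocked nor logged as a detector error. The start of the block is outside the hunk, so the exact scope of the `rescue` should be confirmed. If it does cover this line, either narrow the rescue to the errors `send_git_archive` is expected to raise, or at least record the behaviour with a comment such as `# NOTE: errors raised by the hotlinking detector fall through to the rescue below and become a 404`.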
diff --git a/lib/api/snippets.rb b/lib/api/snippets.rb
index b5df036c5ca..0aaab9a812f 100644
--- a/lib/api/snippets.rb
+++ b/lib/api/snippets.rb
@@ -74,6 +74,8 @@ module API
desc: 'The visibility of the snippet'
end
post do
+ authorize! :create_snippet
+
attrs = declared_params(include_missing: false).merge(request: request, api: true)
service_response = ::Snippets::CreateService.new(nil, current_user, attrs).execute
snippet = service_response.payload[:snippet]
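Review bot: `authorize! :create_snippet` is called without a subject, so which object the permission is evaluated against depends on the helper's default, which is not visible in this hunk. Since the service below is constructed with `nil` as its first argument, this looks like a user-level rather than project-level check. A one-line comment would make that explicit, e.g. `# No project here: checks the caller's global create_snippet permission`, to be confirmed against the helper. The `post` block continues past the hunk and the file's other write routes are not shown, so it is worth confirming they carry an equivalent check.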
diff --git a/lib/api/triggers.rb b/lib/api/triggers.rb
index 76af29b2977..e1829403941 100644
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
@@ -109,6 +109,8 @@ module API
trigger = user_project.triggers.find(params.delete(:trigger_id))
break not_found!('Trigger') unless trigger
+ authorize! :admin_trigger, trigger
+
if trigger.update(declared_params(include_missing: false))
present trigger, with: Entities::Trigger, current_user: current_user
else
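Review bot: The added `authorize! :admin_trigger, trigger` runs only after the lookup and the `not_found!('Trigger')` guard, so a caller who lacks the permission gets a different response for an existing trigger id than for a missing one, unless a project-level check earlier in the block (outside this hunk) already rejects them. If that distinction should not be visible, fold the permission into the guard, e.g. `break not_found!('Trigger') unless trigger && can?(current_user, :admin_trigger, trigger)`. Otherwise a comment such as `# Object-level check: project access alone does not allow editing this trigger` would document why the check follows the lookup. The other routes in this file that modify or delete a trigger are not visible here and should be checked for the same object-level authorization.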