authorGrzegorz Bizon <grzegorz@gitlab.com>2018-12-05 14:34:06 +0300
committerGrzegorz Bizon <grzegorz@gitlab.com>2018-12-05 14:34:06 +0300
commit1c9b10016a30dc8b8a7aa2a64eb0175973661087 (patch)
tree4bcfadcb045855e3d143100d23679eeb18556f15 /lib
parent5ea6b08e7c223fe9ca9d12f62e83a847d065bb42 (diff)
parent9f4a3111e4111bc22a4f90e1e7059de4ce5f7bc4 (diff)
Merge branch '54826-use-read_repository-scope-on-read-only-files-endpoints' into 'master'
Resolve "Use read_repository scope on read-only files endpoints" Closes #54826 See merge request gitlab-org/gitlab-ce!23534
Diffstat (limited to 'lib')
-rw-r--r--lib/api/files.rb4
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/api/files.rb b/lib/api/files.rb
index becf66d1467..ca59d330e1c 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,6 +2,8 @@
module API
class Files < Grape::API
+ include APIGuard
+
FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)
# Prevents returning plain/text responses for files with .txt extension
@@ -79,6 +81,8 @@ module API
requires :id, type: String, desc: 'The project ID'
end
resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do
+ allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }
+
desc 'Get raw file metadata from repository'
params do
requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'
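Review bot: The `allow_access_with_scope :read_repository` line is declared once for the whole `resource :projects` block and gated only on the HTTP verb, so every GET or HEAD route in this resource, including any added later, becomes reachable with a `read_repository`-scoped token. That is safe only while the GET/HEAD routes here stay free of side effects, and nothing in the hunk records that invariant. I would add a comment above the line such as `# read_repository tokens may only reach GET/HEAD routes in this resource; keep those routes read-only`. The diffstat shown is limited to lib/, so it is not visible whether specs assert that a `read_repository` token is rejected on the write routes (POST/PUT/DELETE); that negative case is worth confirming. The resource block continues outside the hunk.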