gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: Timothy Andrew <mail@timothyandrew.net> 2017-06-20 11:27:45 +0300
committer: Timothy Andrew <mail@timothyandrew.net> 2017-06-28 10:17:13 +0300
commit: 80c1ebaa83f346e45346baac584f21878652c350
tree: 9a4aa49a6ad51aee496696b4284979da4ff670eb /spec/requests/api/users_spec.rb
parent: 6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b
Allow API scope declarations to be applied conditionally.

- Scope declarations of the form `allow_access_with_scope :read_user, if: -> (request) { request.get? }` will only apply for `GET` requests.
- Add a negative test to a `POST` endpoint in the `users` API to test this. Also test for this case in the `AccessTokenValidationService` unit tests.
Diffstat (limited to 'spec/requests/api/users_spec.rb')

-rw-r--r-- spec/requests/api/users_spec.rb | 10
1 file changed, 10 insertions, 0 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index c8e22799ba4..982c1a50e3b 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -321,6 +321,16 @@ describe API::Users do
.to eq([Gitlab::PathRegex.namespace_format_message])
end
+ context 'when the requesting token has the "read_user" scope' do
+ let(:token) { create(:personal_access_token, scopes: ['read_user'], user: admin) }
+
+ it 'returns a "401" response' do
+ post api("/users", admin, personal_access_token: token), attributes_for(:user, projects_limit: 3)
+
+ expect(response).to have_http_status(401)
+ end
+ end
+
it "is not available for non admin users" do
post api("/users", user), attributes_for(:user)
expect(response).to have_http_status(403)
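Review bot: the new context only covers the rejected side of the conditional scope. The `post api("/users", admin, personal_access_token: token)` case proves a `read_user` token is refused on `POST`, but the `if: -> (request) { request.get? }` condition from the commit message is what makes the scope apply to `GET`, and nothing in this hunk exercises that, so a regression that stopped granting `read_user` on `GET` entirely would still pass. Suggest a sibling `it` in the same context that issues `get api("/users", admin, personal_access_token: token)` and expects a successful response, so both arms of the condition are pinned down. Also, the `401` here sits directly above the `403` for a non-admin user; a one-line comment on why an insufficient scope is reported as unauthenticated rather than forbidden would save future readers from reading it as an inconsistency.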