gitlab.com/gitlab-org/gitlab-foss.git
-rw-r--r-- changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml 2
-rw-r--r-- doc/api/repository_files.md 8
-rw-r--r-- spec/requests/api/files_spec.rb 18
3 files changed, 22 insertions, 6 deletions
diff --git a/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml b/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
index af44c1cd263..ef8e93fca43 100644
--- a/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
+++ b/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
@@ -1,5 +1,5 @@
---
title: Use read_repository scope on read-only files API
-merge_request:
+merge_request: 23534
author:
type: fixed
diff --git a/doc/api/repository_files.md b/doc/api/repository_files.md
index 658114eaa07..57ab7408d7c 100644
--- a/doc/api/repository_files.md
+++ b/doc/api/repository_files.md
@@ -4,18 +4,16 @@
**Create, read, update and delete repository files using this API**
-The different scopes available using [personal access tokens][personal-access-tokens] are depicted
+The different scopes available using [personal access tokens](../user/profile/personal_access_tokens.md) are depicted
in the following table.
| Scope | Description |
| ----- | ----------- |
-| `read_repository` | Allows read-access to the repository files |
-| `api` | Allows read-write access to the repository files |
+| `read_repository` | Allows read-access to the repository files. |
+| `api` | Allows read-write access to the repository files. |
> `read_repository` scope was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23534) in GitLab 11.5.3.
-[personal-access-tokens]: ../user/profile/personal_access_tokens.md
-
## Get file from repository
Allows you to receive information about file in repository like name, size,
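Review bot: The scope table still leaves readers to infer which endpoints each scope unlocks. "Allows read-access to the repository files." does not say that a `read_repository` token is rejected on the write endpoints, which is the behaviour the new spec in this commit asserts (403 on create). Consider adding a sentence under the table stating that create, update and delete require the `api` scope and that a `read_repository` token receives 403 there, so integrators issuing least-privilege tokens know what to expect. The "introduced in GitLab 11.5.3" note could also sit directly next to the `read_repository` row rather than after the table.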
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index 280950b0577..620f9f5e1d6 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -391,6 +391,24 @@ describe API::Files do
expect(response).to have_gitlab_http_status(400)
end
+ context 'with PATs' do
+ it 'returns 403 with `read_repository` scope' do
+ token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+ post api(route(file_path), personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+
+ it 'returns 201 with `api` scope' do
+ token = create(:personal_access_token, scopes: ['api'], user: user)
+
+ post api(route(file_path), personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(201)
+ end
+ end
+
context "when specifying an author" do
it "creates a new file with the specified author" do
params.merge!(author_email: author_email, author_name: author_name)
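Review bot: The new 'with PATs' context only exercises `post api(route(file_path), ...)`, so the scope boundary is checked for file creation alone. Since the point of the change is that `read_repository` must stay read-only, the update and delete examples in this spec should get the same pair of cases (403 with `read_repository`, success with `api`), and a read request with a `read_repository` token should be asserted to succeed if that is not already covered elsewhere in the file. In the 403 example it would also be worth asserting that no file was created, not just the status code, so that a regression which writes first and rejects afterwards is caught.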