Fix API Scoping
What does this MR do?
- API scopes are declared in
before
blocks - This causes subtle ordering bugs, since
before
blocks in parent classes are run before those in child classes - Description of exact bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/33580#note_32969050
- This MR attempts to fix this by moving declared scopes to the class level, so something like
API::API.scopes
would return[:api]
, whileAPI::Users.scopes
would return[:read_user]
.
Are there points in the code the reviewer needs to double check?
- Any downsides to storing
@scopes
at the class level? - Is it worth making each scope a class, rather than a hash?
- Any edge cases I haven't considered?
References
- Closes #33580 (closed)
- Closes #33022 (closed)
- Related EE merge request: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2338
Tasks
-
Investigation -
Implementation -
Move scope declarations to the class level -
Allow conditions like if request.get?
-
Make sure the declarations run only once. @scopes
must not grow with every request. -
Refactoring
-
-
Tests -
Added -
Test all endpoints calling out to allow_access_with_scope
-
Personal access tokens -
Doorkeeper tokens
-
-
Access token validation service
-
-
Passing
-
-
Meta -
CHANGELOG entry created -
API support added -
Branch has no merge conflicts with master
-
Squashed related commits together -
Check for clean merge with EE
-
-
Review -
Reviewer -
Maintainer
-
-
Wait for merge
Edited by username-removed-407765