From 1c34a2a01497f9db4602794b1aa37ae54dcee740 Mon Sep 17 00:00:00 2001
From: James Lopez
Date: Tue, 4 Dec 2018 11:55:34 +0100
Subject: [PATCH] Use read_repository scope on read-only files API

---
lib/api/files.rb | 4 ++++
spec/requests/api/files_spec.rb | 29 +++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)

diff --git a/lib/api/files.rb b/lib/api/files.rb
index becf66d1467..ca59d330e1c 100644
--- a/lib/api/files.rb
+++ b/lib/api/files.rb
@@ -2,6 +2,8 @@ module API
class Files < Grape::API
+ include APIGuard
+
FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)
# Prevents returning plain/text responses for files with .txt extension
@@ -79,6 +81,8 @@ module API
requires :id, type: String, desc: 'The project ID'
end
resource :projects, requirements: FILE_ENDPOINT_REQUIREMENTS do
+ allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }
+
desc 'Get raw file metadata from repository'
params do
requires :file_path, type: String, desc: 'The url encoded path to the file. Ex. lib%2Fclass%2Erb'
diff --git a/spec/requests/api/files_spec.rb b/spec/requests/api/files_spec.rb
index 334dbb1c34c..280950b0577 100644
--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -121,6 +121,13 @@ describe API::Files do
end
end
+ context 'when PATs are used' do
+ it_behaves_like 'repository files' do
+ let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+ let(:current_user) { { personal_access_token: token } }
+ end
+ end
+
context 'when authenticated', 'as a developer' do
it_behaves_like 'repository files' do
let(:current_user) { user }
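Review bot: The `allow_access_with_scope :read_repository, if: -> (request) { request.get? || request.head? }` line placed on the `resource :projects` block admits `read_repository` tokens to every GET/HEAD route declared in this resource, including any added later, and nothing in the hunk records that intent; a comment above it would stop the next maintainer from adding a state-changing GET here: `# read_repository PATs may only reach the read-only (GET/HEAD) file routes below; write routes keep the default scope requirement`. The gate is the HTTP verb alone, so it is only sound while no GET/HEAD route in this block mutates anything, which holds for the routes visible here but should be confirmed for the rest of the block, which continues past the hunk. How the `if:` lambda is evaluated per request lives in APIGuard and is not shown; verify that a failing condition denies the token rather than falling through. Style: RuboCop's default `Layout/SpaceInLambdaLiteral` wants `->(request)` without the space.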
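Review bot: The new `'when PATs are used'` context proves only the positive path, so a regression that grants `read_repository` tokens to the write routes, or grants any scope to this read route, would still pass. Add a sibling example with `scopes: ['read_user']` against the same route expecting 403 (or whatever status APIGuard returns for an insufficient scope), and one that sends the `read_repository` token to one of this file's POST/PUT/DELETE routes with the same expectation, since the scope gate on the API side is keyed on the verb. Passing `{ personal_access_token: token }` as `current_user` assumes the `api` helper and the `'repository files'` shared example accept a hash where other contexts pass a user, which this hunk does not show. The enclosing `describe` for this GET route starts outside the hunk.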
@@ -217,6 +224,13 @@ describe API::Files do
end
end
+ context 'when PATs are used' do
+ it_behaves_like 'repository files' do
+ let(:token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }
+ let(:current_user) { { personal_access_token: token } }
+ end
+ end
+
context 'when unauthenticated', 'and project is private' do
it_behaves_like '404 response' do
let(:request) { get api(route(file_path)), params }
@@ -317,6 +331,21 @@ describe API::Files do
let(:request) { get api(route(file_path), guest), params }
end
end
+
+ context 'when PATs are used' do
+ it 'returns file by commit sha' do
+ token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+ # This file is deleted on HEAD
+ file_path = "files%2Fjs%2Fcommit%2Ejs%2Ecoffee"
+ params[:ref] = "6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9"
+ expect(Gitlab::Workhorse).to receive(:send_git_blob)
+
+ get api(route(file_path) + "/raw", personal_access_token: token), params
+
+ expect(response).to have_gitlab_http_status(200)
+ end
+ end
end
describe "POST /projects/:id/repository/files/:file_path" do
--
GitLab
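Review bot: This context is a verbatim copy of the `let(:token)` / `let(:current_user)` pair added in the earlier `@@ -121` hunk, and the token factory call is repeated a third time further down; a single `let(:read_repository_token) { create(:personal_access_token, scopes: ['read_repository'], user: user) }` near the top of the spec, or a small shared example, would keep the three in step when the scope name or helper changes. As with the first copy, a negative example (`scopes: ['read_user']` expecting 403) is what would actually show the scope is enforced on this route. The enclosing `describe` starts outside the hunk.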
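Review bot: `expect(Gitlab::Workhorse).to receive(:send_git_blob)` replaces the blob delivery without `.and_call_original`, so the example only shows that a `read_repository` token reaches Workhorse with a 200; it does not show that the scope is what authorised it. A companion example sending a token with `scopes: ['read_user']` to the same `/raw` route and expecting `have_gitlab_http_status(403)` would pin the gate, and because the new rule also admits HEAD, a `head api(route(file_path) + "/raw", personal_access_token: token), params` example would cover the second verb. The commit sha written to `params[:ref]` and the `# This file is deleted on HEAD` comment describe the test repository, which cannot be checked from the hunk.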