Update code based on feedback

3223f7b0 · James Lopez · 04622671 · 3223f7b0 · 3223f7b0 · 3223f7b0
3 changed file
--- a/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
+++ b/changelogs/unreleased/54826-use-read_repository-scope-on-read-only-files-endpoints.yml
 ---
 title: Use read_repository scope on read-only files API
-merge_request:
+merge_request: 23534
 author:
 type: fixed
--- a/doc/api/repository_files.md
+++ b/doc/api/repository_files.md
@@ -4,18 +4,16 @@

 **Create, read, update and delete repository files using this API**

-The different scopes available using [personal access tokens][personal-access-tokens] are depicted
+The different scopes available using [personal access tokens](../user/profile/personal_access_tokens.md) are depicted
 in the following table.

 | Scope | Description |
 | ----- | ----------- |
-| `read_repository` | Allows read-access to the repository files |
-| `api` | Allows read-write access to the repository files |
+| `read_repository` | Allows read-access to the repository files. |
+| `api` | Allows read-write access to the repository files. |

 > `read_repository` scope was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23534) in GitLab 11.5.3.

-[personal-access-tokens]: ../user/profile/personal_access_tokens.md
-
 ## Get file from repository

 Allows you to receive information about file in repository like name, size,

--- a/spec/requests/api/files_spec.rb
+++ b/spec/requests/api/files_spec.rb
@@ -391,6 +391,24 @@ describe API::Files do
      expect(response).to have_gitlab_http_status(400)
    end

+    context 'with PATs' do
+      it 'returns 403 with `read_repository` scope' do
+        token = create(:personal_access_token, scopes: ['read_repository'], user: user)
+
+        post api(route(file_path), personal_access_token: token), params
+
+        expect(response).to have_gitlab_http_status(403)
+      end
+
+      it 'returns 201 with `api` scope' do
+        token = create(:personal_access_token, scopes: ['api'], user: user)
+
+        post api(route(file_path), personal_access_token: token), params
+
+        expect(response).to have_gitlab_http_status(201)
+      end
+    end
+
    context "when specifying an author" do
      it "creates a new file with the specified author" do
        params.merge!(author_email: author_email, author_name: author_name)