3d7c84bcfc
Fix new rubocop warnings
2025-06-10 18:54:51 +01:00
5ca24de0d0
Merge remote-tracking branch 'upstream/pull/5452'
2025-02-15 11:15:25 +00:00
03867e2fee
Remove current_user branch from ApiController#deny_access
...
Unreachable because if there's no doorkeeper_token, there's also no current_user.
2025-02-15 01:20:06 +03:00
9ec7e8c888
Skip blocks check when getting active blocks list
2025-02-14 14:16:48 +03:00
2d46b44872
Add write_changeset_comments scope
2025-02-14 00:17:45 +03:00
77a2657d33
Pass scopes instead of token to ApiAbility
2025-02-14 00:15:52 +03:00
304e0ef638
Pass user to ApiAbility
2025-02-14 00:15:52 +03:00
43f40c5d03
Stop using session flash to communicate with callbacks
2025-02-12 00:09:40 +00:00
47a8907e2a
Move scope_enabled? to ApiController
2025-01-24 05:56:23 +03:00
cdce867183
Merge ApiCapability class into ApiAbility
2024-12-20 18:39:08 +03:00
ad2e50fcfb
Merge remote-tracking branch 'upstream/pull/5245'
2024-10-02 18:36:03 +01:00
83425edd8d
Move api error handling and timeouts to parent class
...
Fixes #4861
Since the around_action is defined before authorize_resource is called,
the handler needs to pass on the CanCan::AccessDenied exception.
I've added the timeouts where I think they were missing (e.g. UserPreferencesController)
but I've kept the exception for changeset#upload and traces#create
2024-10-02 16:37:32 +01:00
6789fc3081
Drop support for ruby 3.0
...
Also add Ubuntu 24.04 and drop 20.04 as 24.04 is needed for
ruby 3.1 without rvm so we should test it.
2024-09-17 20:39:22 +01:00
973d62a25e
Drop support for basic authentication
2024-09-02 19:00:57 +01:00
17bc0853a0
Drop support for OAuth 1
2024-09-01 03:43:02 +03:00
3e77cae66c
Clear current_user if we reject OAuth 1
...
This ensures we don't try and do any further validation of the
user which might lead to trying to report additional errors.
2024-07-07 19:40:28 +01:00
c1cccd40fc
Move check_api_readable to api_controller
...
It's easier to skip the check in the two places that we need to, and
include it by default everywhere else.
2024-05-29 14:54:16 +01:00
ad4ab4603b
Merge pull request #4496 from tomhughes/disabled-auth-error
...
Return an error when a disabled authentication mechanism is used
2024-05-15 16:33:33 +01:00
604bba10ec
Remove assert_method from api controllers
2024-03-25 07:15:16 +03:00
29cc21c599
Drop user tokens table
2024-02-28 21:02:54 +00:00
519c13d4cd
Allow OAuth 1.0a to be disabled
2024-02-25 08:56:09 +00:00
1a684a7766
Return an error when basic authentication is used and is disabled
2024-02-25 08:53:44 +00:00
24f579562f
Attempt to make timeouts work properly
2024-01-29 19:37:59 +00:00
ba503e02d2
Enforce rate limit for API calls which make changes
2023-11-02 08:59:57 +00:00
d1d3c2597e
Handle timeouts inside a view for API calls
2023-09-07 00:32:11 +01:00
4c564e5a32
Move more api-related helper methods to ApiController
...
This prevents them from being inadvertently used in non-API controllers
2023-01-11 15:28:59 +00:00
0ae438a5c1
Add a configuration option to disable HTTP basic authentication
2022-07-08 17:25:20 +01:00
0c524b2408
Log any use of basic authentication
2022-07-08 17:13:02 +01:00
5d67fa3908
Fix some Naming/AccessorMethodName rubocop warnings
2022-03-08 19:10:05 +00:00
cfb4a70129
Fix Lint/DuplicateBranch rubocop warnings
2022-03-08 19:05:37 +00:00
e222329d04
Add support for OAuth2 using doorkeeper
2021-05-18 12:05:32 +01:00
70c4a750d7
Fix new rubocop warnings
2020-09-16 08:28:25 +01:00
aaf9d15d56
Rework set_default_request_format as set_request_formats
...
Instead of trying to work out the exact format, just figure
out the list of allowed formats and let rails do the rest.
2020-02-29 15:28:23 +00:00
b556b054d1
JSON: added clarification for non-supported Accept header formats
2020-01-22 17:38:28 +01:00
03ca0b2c69
Added Accept header unit tests
2020-01-12 17:46:11 +01:00
97036c181e
JSON output, handle Accept header
2020-01-02 15:17:11 +01:00
45a1d298a9
Move default_format_xml to api_controller
2019-12-30 17:26:00 +01:00
57f5b7840e
Fix rubocop warnings
2019-12-04 19:31:53 +00:00
7b057545c0
Disentangle the api abilities from the web abilities
...
This will allow us to rename api actions without causing permissions headaches. The choice of
abilities files is made by inheriting from either api_controller or application_controller.
Also rename capabilities to api_capabilites, for consistency.
2019-03-27 18:07:29 +01:00
951564eed1
Merge remote-tracking branch 'upstream/pull/2186'
2019-03-23 12:01:05 +00:00
19c2f6d485
Move more api-only methods into api_controller
2019-03-20 15:08:36 +01:00
8d207e7de0
Mark all methods in api_controller and application_controller as private
...
They aren't designed to be used as request endpoints, so there's no
need for them to be public.
2019-03-20 15:08:36 +01:00
94d19ae567
Move the authorize method to api_controller
2019-03-20 14:39:17 +01:00
742291a840
Simplify deny_access handling
...
Now that we have all api controllers inheriting from a common base,
it's easier to override the deny_access handler without having to
switch between both.
Fixes #2064
2019-03-20 14:39:17 +01:00
3bb07e29ec
Refactor api controllers to inherit from a common ApiController
2019-03-20 14:16:15 +01:00
f4e2990526
Move map method to its own controller
2019-02-24 11:44:10 +01:00
d887252eeb
Move the changes api to its own controller
2019-02-24 11:00:28 +01:00
8383fd0928
Move the permissions call out of api_controller
2019-02-24 11:00:28 +01:00
317b8f9d45
Move the trackpoints call into its own controller (and rename to tracepoints)
2019-02-24 11:00:28 +01:00
6a4092bc16
Move the capabilities call out of api_controller
2019-02-24 11:00:20 +01:00