Unable to see internal snippets using Snippets API

When using the /api/v4/snippets/public endpoint I am able to see all snippets labelled as public. However, it seems that snippets labelled as internal are not returned by the API for this endpoint, even though these requests are authenticated using an access token. The endpoints /api/v4/snippets/internal or /api/v4/snippets/all do not seem to exist. The endpoint /api/v4/snippets only returns snippets created by the user that owns the access token used.

When 'exploring' snippets on the webpage gitlab.com/explore/snippets, snippets created by the logged-in user, public snippets and internal snippets are shown.

There does not seem to be a way to retrieve internal snippets over the API. Is that correct and expected behaviour?

I have searched previous issues, the docs, spec of the snippets API, merge request of the snippets API and source of the snippets API, but was unable to verify if this behaviour is intentional or not.

MR gitlab-ce!6373 speaks of the endpoints /snippets/public, /snippets/all, /snippets/explore and /snippets/search. Do these endpoints exist? I am unable to find documentation on these endpoints.

So to summarise, I am not sure if I'm looking at a bug, undocumented features, an incomplete API or something else. Can someone please enlighten me? I'd like to elaborate further if that's required, but only after a good night's sleep, since I've been looking into the snippets API for a little too long now :)

Backlog Refinement by @fjsanpedro :

Documentation needed: Yes, we will need to document the API endpoint modifications

Test Activity Planned: Test that the new endpoint or the updated one returns only internal snippets

Security Tests Planned: -

Explanation for Approach to be taken:

This issue would be quite straightforward to implement. It would be a matter of adding the following to the snippets API endpoints:

get 'public' do
  present paginate(Snippet.only_personal_snippets.are_internal.fresh), with: Entities::PersonalSnippet, current_user: current_user
end

Nevertheless, I don't think it is the right approach. Why? Because there are still a lot of cases not implemented. For example, there are no endpoints for showing private snippets the user has access to. There is no way to return public or internal snippets that only returns project snippets, etc.

I think the final solution should go along with the comments in #212729. We need to extend this endpoint and add the following params to it:

  • scope: the values would be public, internal, or private. If not set, then fall back to the existing behavior where we search over all snippets.
  • only_personal: if set, we will only perform the search over personal snippets.

This way the endpoint is more versatile and we can cover all the possible scenarios.

MR Breakdown:

  • 1 MR to apply the changes to the API

Weight Estimate: 1


Backlog Refinement by @vij :

I agree with @fjsanpedro's proposed solution above to extend the existing endpoint to support additional parameters that scope the returned Snippets accordingly.

Documentation needed:

  • Add documentation to the existing endpoint docs to cover the new parameters that can be used
  • (optional) Consider clarifying that this endpoint can return both Personal and Project Snippets (and link to the project-specific docs)

Test Activity Planned:

  • Test that the various visibility scopes are applied
  • Test that the only_personal param returns personal snippets only
  • Confirm existing tests still pass with no params

Security Tests Planned: Existing tests ensuring only snippets visible to the user are returned should still apply

Explanation for Approach to be taken: As Fran has suggested above

MR Breakdown:

  • 1 MR to modify the API endpoint and add additional tests
  • (optional) 1 MR to add additional docs clarification around the types of snippets being returned by this endpoint

Weight Estimate: 1


Edited by Vijay Hawoldar
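
The following is an added illustration of the scope and only_personal parameters proposed in the refinement comments above; it is not code from the issue or from GitLab. It is a simplified in-memory model: the Snippet and User structs, the visible_to? and list_snippets helpers, and the visibility rules (internal means any signed-in, non-external user; private means author or project member) are assumptions made for the example. It shows the property the planned security tests protect: the new parameters narrow the set the caller is already authorized to read and never widen it.

```ruby
# Added illustration; a simplified in-memory model, not GitLab's implementation.
Snippet = Struct.new(:id, :visibility, :author_id, :project_id, :member_ids, keyword_init: true)
User    = Struct.new(:id, :external, keyword_init: true)

SCOPES = %w[public internal private].freeze

# Authorization: may `user` read `snippet` at all? (assumed visibility rules)
def visible_to?(snippet, user)
  case snippet.visibility
  when 'public'   then true
  when 'internal' then !user.nil? && !user.external
  when 'private'
    return false if user.nil?
    snippet.author_id == user.id || Array(snippet.member_ids).include?(user.id)
  else false # unknown visibility level: deny
  end
end

# Filtering: `scope` and `only_personal` are applied on top of the authorized
# set, so a caller cannot use them to reach snippets they may not read.
def list_snippets(snippets, user, scope: nil, only_personal: false)
  # Reject unknown scope values instead of silently ignoring them.
  raise ArgumentError, "invalid scope: #{scope.inspect}" unless scope.nil? || SCOPES.include?(scope)

  result = snippets.select { |s| visible_to?(s, user) }
  result = result.select { |s| s.visibility == scope } if scope
  result = result.select { |s| s.project_id.nil? } if only_personal
  result.map(&:id)
end

# Constructed sample data (ids and users are made up for the example).
SAMPLE = [
  Snippet.new(id: 1, visibility: 'public',   author_id: 10),
  Snippet.new(id: 2, visibility: 'internal', author_id: 10),
  Snippet.new(id: 3, visibility: 'private',  author_id: 10),
  Snippet.new(id: 4, visibility: 'private',  author_id: 11),
  Snippet.new(id: 5, visibility: 'internal', author_id: 11, project_id: 7),
  Snippet.new(id: 6, visibility: 'private',  author_id: 11, project_id: 7, member_ids: [10, 11]),
].freeze

ALICE    = User.new(id: 10, external: false) # regular signed-in user
EXTERNAL = User.new(id: 12, external: true)  # external user

puts list_snippets(SAMPLE, ALICE, scope: 'internal').inspect
puts list_snippets(SAMPLE, EXTERNAL, scope: 'internal').inspect
```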