authorJacob Vosmaer <contact@jacobvosmaer.nl>2014-05-15 10:03:26 +0200
committerJacob Vosmaer <contact@jacobvosmaer.nl>2014-05-15 10:22:59 +0200
commit02b85fd2366bc6c0d3194ab68e13eb6291733c26 (patch)
treecf4686486389c4cc2df7637c9111a01a8afc8bc6
parent34fd557055e027b6423241e73b7cf26c741c0b6b (diff)
downloadgitlab-ce-02b85fd2366bc6c0d3194ab68e13eb6291733c26.tar.gz
Check user access status in API for current_user
-rw-r--r--lib/api/helpers.rb5
-rw-r--r--spec/requests/api/api_helpers_spec.rb5
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 7ee4b9d1381..654c1f62c6c 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -8,6 +8,11 @@ module API
def current_user
private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
@current_user ||= User.find_by(authentication_token: private_token)
+
+ unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
+ return nil
+ end
+
identifier = sudo_identifier()
# If the sudo is the current user do nothing
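Review bot: On the denied path the early `return nil` leaves the rejected account memoized in `@current_user`, because `@current_user ||= User.find_by(...)` has already assigned it on the line above the new guard. Any helper that reads the instance variable directly instead of calling `current_user` would still see that user; clearing it first, `@current_user = nil` before `return nil`, keeps the two views consistent. The guard also covers only the token owner: the `sudo_identifier()` handling continues outside the hunk, so it is not visible here whether the impersonated user gets the same `Gitlab::UserAccess.allowed?` check, and that is worth confirming. A one-line comment such as `# Blocked or otherwise disallowed users must not authenticate via the API` above the `unless` would record the intent.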
diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb
index 2dcbce09b27..a4869476574 100644
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -44,6 +44,11 @@ describe API, api: true do
current_user.should be_nil
end
+ it "should return nil for a user without access" do
+ Gitlab::UserAccess.stub(allowed?: false)
+ current_user.should be_nil
+ end
+
it "should leave user as is when sudo not specified" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
current_user.should == user
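Review bot: The new example never sets `env[API::APIHelpers::PRIVATE_TOKEN_HEADER]`, so unless a `before` block outside the hunk supplies a token, `current_user` is presumably already nil from the failed `User.find_by` lookup and the spec passes without exercising the `Gitlab::UserAccess.allowed?` guard. Setting a valid token first, `env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token`, as the following example does, makes the assertion depend on the stub. A companion expectation that the stub was actually called with `user` would pin the check further.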