summaryrefslogtreecommitdiff
path: root/app/finders
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2017-06-26 07:20:30 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-06-26 07:20:30 +0000
commit20f679d620380b5b5e662b790c76caf256867b01 (patch)
tree186b69dfdb75768e5dc75bf01cb3092e1c8b06b7 /app/finders
parentf0886918845f8292889db7e30033b7051147f3b0 (diff)
downloadgitlab-ce-20f679d620380b5b5e662b790c76caf256867b01.tar.gz
Allow unauthenticated access to the `/api/v4/users` API.
- The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username. - We don't authenticate this API anymore, but instead - if the `current_user` is not present: - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users. - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)`
Diffstat (limited to 'app/finders')
-rw-r--r--app/finders/users_finder.rb7
1 files changed, 5 insertions, 2 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb
index dbd50d1db7c..0534317df8f 100644
--- a/app/finders/users_finder.rb
+++ b/app/finders/users_finder.rb
@@ -27,8 +27,11 @@ class UsersFinder
users = by_search(users)
users = by_blocked(users)
users = by_active(users)
- users = by_external_identity(users)
- users = by_external(users)
+
+ if current_user
+ users = by_external_identity(users)
+ users = by_external(users)
+ end
users
end