author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-25 16:54:51 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-25 16:54:51 +0000 |
commit | cdc3d9991b0cca2d2243bdf452f61aae40d778cd (patch) | |
tree | f05b5b8c2e3fd10e210c35637292f3d28ac6f510 /app/graphql | |
parent | e92c90758eb4126acc84962d37bb273d6d87b27b (diff) | |
download | gitlab-ce-cdc3d9991b0cca2d2243bdf452f61aae40d778cd.tar.gz |
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
Diffstat (limited to 'app/graphql')
-rw-r--r-- | app/graphql/resolvers/users_resolver.rb | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/app/graphql/resolvers/users_resolver.rb b/app/graphql/resolvers/users_resolver.rb
index c6de3dba41a..1424c14083d 100644
--- a/app/graphql/resolvers/users_resolver.rb
+++ b/app/graphql/resolvers/users_resolver.rb
@@ -29,7 +29,7 @@ module Resolvers
 description: 'Return only admin users.'
 def resolve(ids: nil, usernames: nil, sort: nil, search: nil, admins: nil)
- authorize!
+ authorize!(usernames)
 ::UsersFinder.new(context[:current_user], finder_params(ids, usernames, sort, search, admins)).execute
 end
@@ -46,8 +46,11 @@ module Resolvers
 super
 end
- def authorize!
- Ability.allowed?(context[:current_user], :read_users_list) || raise_resource_not_available_error!
+ def authorize!(usernames)
+ authorized = Ability.allowed?(context[:current_user], :read_users_list)
+ authorized &&= usernames.present? if context[:current_user].blank?
+
+ raise_resource_not_available_error! unless authorized
 end
 private |
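Review bot: The signed-out branch of `authorize!(usernames)` in the second hunk only checks that `usernames` is non-empty, while `resolve` in the first hunk still forwards `ids`, `search`, `sort` and `admins` to `finder_params` unchanged. Unless something outside these hunks rejects those arguments when `context[:current_user]` is blank (the method ending in `super` is cut off above the hunk, and `finder_params` is not shown), a signed-out request that supplies a username can still combine it with the other filters; a spec per argument for the signed-out case would pin this down. `usernames.present?` is also true for `['']`, so the guard may want `usernames&.any?(&:present?)` instead. The rule is security-relevant and not obvious from the code, so it deserves a comment above the method, for example `# Signed-out callers must pass at least one username; an unfiltered users list requires a signed-in user.`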