summaryrefslogtreecommitdiff
path: root/app/policies/user_policy.rb
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2017-06-29 07:43:41 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-06-30 13:06:03 +0000
commit3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch)
tree4335dcc017f75c382757047a37d7936704cfe9d5 /app/policies/user_policy.rb
parentc39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff)
downloadgitlab-ce-3c88a7869b87693ba8c3fb9814d39437dd569a31.tar.gz
Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE.
Diffstat (limited to 'app/policies/user_policy.rb')
-rw-r--r--app/policies/user_policy.rb6
1 files changed, 0 insertions, 6 deletions
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 229846e368c..265c56aba53 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -1,6 +1,4 @@
class UserPolicy < BasePolicy
- include Gitlab::CurrentSettings
-
def rules
can! :read_user if @user || !restricted_public_level?
@@ -12,8 +10,4 @@ class UserPolicy < BasePolicy
cannot! :destroy_user if @subject.ghost?
end
end
-
- def restricted_public_level?
- current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
- end
end