Don't display the `is_admin?` flag for user API responses.

- To prevent an attacker from enumerating the `/users` API to get a list of all the admins. - Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances: - When an admin uses `sudo` to view the `/user` endpoint - When logging in using the `/session` endpoint
author: Timothy Andrew <mail@timothyandrew.net> 2017-04-21 09:47:58 +0000
committer: Timothy Andrew <mail@timothyandrew.net> 2017-04-25 09:46:05 +0000
commit: 34b71e734b0b01dd28e18be4728f93fbd4d1a561 (patch)
tree: 730ad04bf186b803c88d58c4b65e4a15cc9d99e1 /lib/api/entities.rb
parent: 7d2e2bd3505e27f4b8838a5140af96c1d54d5875 (diff)
download: gitlab-ce-34b71e734b0b01dd28e18be4728f93fbd4d1a561.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 64ab6f01eb5..6d6ccefe877 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -14,7 +14,6 @@ module API
 
     class User < UserBasic
       expose :created_at
-      expose :admin?, as: :is_admin
       expose :bio, :location, :skype, :linkedin, :twitter, :website_url, :organization
     end
 
@@ -41,8 +40,9 @@ module API
       expose :external
     end
 
-    class UserWithPrivateToken < UserPublic
+    class UserWithPrivateDetails < UserPublic
       expose :private_token
+      expose :admin?, as: :is_admin
     end
 
     class Email < Grape::Entity
author	Timothy Andrew <mail@timothyandrew.net>	2017-04-21 09:47:58 +0000
committer	Timothy Andrew <mail@timothyandrew.net>	2017-04-25 09:46:05 +0000
commit	34b71e734b0b01dd28e18be4728f93fbd4d1a561 (patch)
tree	730ad04bf186b803c88d58c4b65e4a15cc9d99e1 /lib/api/entities.rb
parent	7d2e2bd3505e27f4b8838a5140af96c1d54d5875 (diff)
download	gitlab-ce-34b71e734b0b01dd28e18be4728f93fbd4d1a561.tar.gz