Merge branch '24537-reenable-private-token-with-sudo' into 'master'

Reenables /user API request to return private-token if user is admin and requested with sudo ## What does this MR do? Reenables the API /users to return `private-token` when sudo is either a parameter or passed as a header and the user is admin. ## Screenshots (if relevant) Without **sudo**: ![Screen_Shot_2016-11-21_at_11.44.49](/uploads/ebecf95dbadaf4a159b80c61c75771d9/Screen_Shot_2016-11-21_at_11.44.49.png) With **sudo**: ![Screen_Shot_2016-11-21_at_11.45.52](/uploads/f25f9ddffcf2b921e9694e5a250191d3/Screen_Shot_2016-11-21_at_11.45.52.png) ## Does this MR meet the acceptance criteria? - [x] [Changelog entry](https://docs.gitlab.com/ce/development/changelog.html) added - [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md) - [x] API support added - Tests - [x] Added for this feature/bug - [x] All builds are passing - [x] Conform by the [merge request performance guides](http://docs.gitlab.com/ce/development/merge_request_performance_guidelines.html) - [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides) - [x] Branch has no merge conflicts with `master` (if it does - rebase it please) - [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits) ## What are the relevant issue numbers? Closes #24537 See merge request !7615
author: Douwe Maan <douwe@gitlab.com> 2016-12-08 00:17:44 +0000
committer: Douwe Maan <douwe@gitlab.com> 2016-12-08 00:17:44 +0000
commit: cf2206eb2b16d12a1d9c18d47fc2105fbb650d33 (patch)
tree: 00f4f63354cd9664b1aa4e8d40403dc95d00fbd6 /lib/api/helpers.rb
parent: e7b045eadaf315dc2ae4fc079af5d1199d3e5d25 (diff)
parent: 3ed96afc47c481db4f8c0a6581602abaee920808 (diff)
download: gitlab-ce-cf2206eb2b16d12a1d9c18d47fc2105fbb650d33.tar.gz
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 898ca470a30..8db2678b368 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -44,11 +44,14 @@ module API
         return nil
       end
 
-      identifier = sudo_identifier()
+      identifier = sudo_identifier
 
-      # If the sudo is the current user do nothing
-      if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+      if identifier
+        # We check for private_token because we cannot allow PAT to be used
         forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+        forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+        @impersonator = @current_user
         @current_user = User.by_username_or_id(identifier)
         not_found!("No user id or username for: #{identifier}") if @current_user.nil?
       end
@@ -383,6 +386,10 @@ module API
       links.join(', ')
     end
 
+    def private_token_used?
+      private_token == @current_user.private_token
+    end
+
     def secret_token
       Gitlab::Shell.secret_token
     end
author	Douwe Maan <douwe@gitlab.com>	2016-12-08 00:17:44 +0000
committer	Douwe Maan <douwe@gitlab.com>	2016-12-08 00:17:44 +0000
commit	cf2206eb2b16d12a1d9c18d47fc2105fbb650d33 (patch)
tree	00f4f63354cd9664b1aa4e8d40403dc95d00fbd6 /lib/api/helpers.rb
parent	e7b045eadaf315dc2ae4fc079af5d1199d3e5d25 (diff)
parent	3ed96afc47c481db4f8c0a6581602abaee920808 (diff)
download	gitlab-ce-cf2206eb2b16d12a1d9c18d47fc2105fbb650d33.tar.gz