authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-12-09 20:30:39 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2016-12-09 20:30:39 +0100
commit0f40ae5f18bc67291dcf9bdd38ef7dcbaf9781ef (patch)
tree04a7f1f0513548d2148c6a5985e96ac638cb333d /lib/api/helpers.rb
parent2ecb65b8c4a3fc277925938e691621e34c449664 (diff)
parent6eae378d82634b3305b2e9e031eecf30834f1700 (diff)
downloadgitlab-ce-0f40ae5f18bc67291dcf9bdd38ef7dcbaf9781ef.tar.gz
Merge branch 'master' into auto-pipelines-vue
* master: (76 commits) Update "Installation from source" guide for 8.15.0 Group links spec update Updates the font weight of button styles because of the change to system fonts Refactor SSH keys docs Improvements to setting up ssh Do not reload diff for merge request made from fork when target branch in fork is updated Add 8.12.10, 8.12.11, and 8.12.12 CHANGELOG.md items Changes after review Fix broken test Adds CHANGELOG entry Adds tests Uniformize props name format Replace commit icon svg logic Replace play icon svg logic Updated JS based on review Fixed group links dropdown to match Update docs to reflect new defaults on omnibus Merge branch 'jej-23867-use-mr-finder-instead-of-access-check' into 'security' Merge branch 'html-safe-diff-line-content' into 'security' Merge branch 'rs-filter-authentication_token' into 'security' Merge branch 'destroy-session' into 'security' ... Conflicts: app/models/ci/pipeline.rb app/models/commit_status.rb app/views/projects/ci/pipelines/_pipeline.html.haml app/views/projects/commit/_pipeline.html.haml app/views/projects/pipelines/_with_tabs.html.haml app/views/projects/pipelines/index.html.haml lib/api/helpers.rb
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r--lib/api/helpers.rb31
1 files changed, 11 insertions, 20 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 164aea613e4..40096f367db 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -45,11 +45,14 @@ module API
return nil
end
- identifier = sudo_identifier()
+ identifier = sudo_identifier
- # If the sudo is the current user do nothing
- if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+ if identifier
+ # We check for private_token because we cannot allow PAT to be used
forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+ forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+ @impersonator = @current_user
@current_user = User.by_username_or_id(identifier)
not_found!("No user id or username for: #{identifier}") if @current_user.nil?
end
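Review bot: The comment added at the top of the `if identifier` branch sits above the admin check, but it explains the `private_token_used?` guard one line further down, and it never expands "PAT". Moving it directly above that guard, worded as `# Sudo requires the private token: a personal access token must not be able to impersonate another user`, keeps the rationale next to the check it describes. Separately, `@impersonator` is stored, but nothing visible in this hunk records that an admin switched identity; if no audit entry is written elsewhere, this branch is the natural place for one. The enclosing method starts above the hunk, so the way `@current_user` is first resolved is not visible here.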
@@ -109,7 +112,7 @@ module API
if id =~ /^\d+$/
Group.find_by(id: id)
else
- Group.find_by(path: id)
+ Group.find_by_full_path(id)
end
end
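Review bot: The branch that chooses between the id lookup and the new `Group.find_by_full_path(id)` lookup tests `id =~ /^\d+$/`, and in Ruby `^` and `$` anchor per line, not per string. A value containing a newline can therefore match on a digit-only line and be routed to the numeric `find_by(id: id)` lookup. Now that the else branch presumably resolves a full namespace path, the split between the two lookups should be exact: `if id =~ /\A\d+\z/`. The regex is on a context line this commit leaves untouched, and the method begins outside the hunk.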
@@ -212,22 +215,6 @@ module API
end
end
- def issuable_order_by
- if params["order_by"] == 'updated_at'
- 'updated_at'
- else
- 'created_at'
- end
- end
-
- def issuable_sort
- if params["sort"] == 'asc'
- :asc
- else
- :desc
- end
- end
-
def filter_by_iid(items, iid)
items.where(iid: iid)
end
@@ -362,6 +349,10 @@ module API
private
+ def private_token_used?
+ private_token == @current_user.private_token
+ end
+
def secret_token
Gitlab::Shell.secret_token
end
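Review bot: `private_token_used?` compares the two tokens with `==`, which is true when both sides are nil and is not a constant-time comparison. The definition of `private_token` is outside this hunk; if it can be nil when no token is sent, a user record without a stored token would pass the sudo guard. Requiring a present token and a constant-time compare closes both gaps, e.g. `private_token.present? && ActiveSupport::SecurityUtils.secure_compare(private_token.to_s, @current_user.private_token.to_s)`. A one-line comment such as `# True only when the request authenticated with the user's private token, not a personal access token` would also document why the helper exists.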