Allow unauthenticated access to the `/api/v4/users` API.

- The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username. - We don't authenticate this API anymore, but instead - if the `current_user` is not present: - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users. - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)`
author: Timothy Andrew <mail@timothyandrew.net> 2017-06-26 07:20:30 +0000
committer: Timothy Andrew <mail@timothyandrew.net> 2017-06-26 07:20:30 +0000
commit: 20f679d620380b5b5e662b790c76caf256867b01 (patch)
tree: 186b69dfdb75768e5dc75bf01cb3092e1c8b06b7 /lib/api/helpers.rb
parent: f0886918845f8292889db7e30033b7051147f3b0 (diff)
download: gitlab-ce-20f679d620380b5b5e662b790c76caf256867b01.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 2c73a6fdc4e..1322afaa64f 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -407,5 +407,11 @@ module API
 
       exception.status == 500
     end
+
+    # Does the current route match the route identified by
+    # `description`?
+    def route_matches_description?(description)
+      options.dig(:route_options, :description) == description
+    end
   end
 end
author	Timothy Andrew <mail@timothyandrew.net>	2017-06-26 07:20:30 +0000
committer	Timothy Andrew <mail@timothyandrew.net>	2017-06-26 07:20:30 +0000
commit	20f679d620380b5b5e662b790c76caf256867b01 (patch)
tree	186b69dfdb75768e5dc75bf01cb3092e1c8b06b7 /lib/api/helpers.rb
parent	f0886918845f8292889db7e30033b7051147f3b0 (diff)
download	gitlab-ce-20f679d620380b5b5e662b790c76caf256867b01.tar.gz