Implement review comments for !12445 from @godfat and @rymai.

- Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE.
author: Timothy Andrew <mail@timothyandrew.net> 2017-06-29 07:43:41 +0000
committer: Timothy Andrew <mail@timothyandrew.net> 2017-06-30 13:06:03 +0000
commit: 3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch)
tree: 4335dcc017f75c382757047a37d7936704cfe9d5 /lib/api/helpers.rb
parent: c39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff)
download: gitlab-ce-3c88a7869b87693ba8c3fb9814d39437dd569a31.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 1322afaa64f..a3aec8889d7 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -410,8 +410,8 @@ module API
 
     # Does the current route match the route identified by
     # `description`?
-    def route_matches_description?(description)
-      options.dig(:route_options, :description) == description
+    def request_matches_route?(method, route)
+      request.request_method == method && request.path == route
     end
   end
 end
author	Timothy Andrew <mail@timothyandrew.net>	2017-06-29 07:43:41 +0000
committer	Timothy Andrew <mail@timothyandrew.net>	2017-06-30 13:06:03 +0000
commit	3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch)
tree	4335dcc017f75c382757047a37d7936704cfe9d5 /lib/api/helpers.rb
parent	c39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff)
download	gitlab-ce-3c88a7869b87693ba8c3fb9814d39437dd569a31.tar.gz