diff options
| author | Douwe Maan <douwe@gitlab.com> | 2017-07-04 15:00:01 +0000 |
|---|---|---|
| committer | Douwe Maan <douwe@gitlab.com> | 2017-07-04 15:00:01 +0000 |
| commit | 5e2f7f25eb6ed1118cb541e43026915a7c4cdfef (patch) | |
| tree | fbb893941818f2c9f0f1ce89dd5daf9d67ed00aa /lib/api/users.rb | |
| parent | afbc7520c296196d0f3f95d4a24a9e42c0e41f3c (diff) | |
| parent | 016b9f2565f85b9c77a5a779b64483ca1d4e1776 (diff) | |
| download | gitlab-ce-5e2f7f25eb6ed1118cb541e43026915a7c4cdfef.tar.gz | |
Merge branch 'master' into '33580-fix-api-scoping'
# Conflicts:
# lib/api/users.rb
Diffstat (limited to 'lib/api/users.rb')
| -rw-r--r-- | lib/api/users.rb | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb index 2cac8c089f2..88bca235692 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -5,11 +5,11 @@ module API allow_access_with_scope :read_user, if: -> (request) { request.get? } - before do - authenticate! - end - resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do + before do + authenticate_non_get! + end + helpers do def find_user(params) id = params[:user_id] || params[:id] @@ -53,15 +53,22 @@ module API use :pagination end get do - unless can?(current_user, :read_users_list) - render_api_error!("Not authorized.", 403) - end - authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) users = UsersFinder.new(current_user, params).execute - entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic + authorized = can?(current_user, :read_users_list) + + # When `current_user` is not present, require that the `username` + # parameter is passed, to prevent an unauthenticated user from accessing + # a list of all the users on the GitLab instance. `UsersFinder` performs + # an exact match on the `username` parameter, so we are guaranteed to + # get either 0 or 1 `users` here. + authorized &&= params[:username].present? if current_user.blank? + + forbidden!("Not authorized to access /api/v4/users") unless authorized + + entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end @@ -400,6 +407,10 @@ module API end resource :user do + before do + authenticate! + end + desc 'Get the currently authenticated user' do success Entities::UserPublic end |