Calls to the API are checked for scope.

- Move the `Oauth2::AccessTokenValidationService` class to `AccessTokenValidationService`, since it is now being used for personal access token validation as well. - Each API endpoint declares the scopes it accepts (if any). Currently, the top level API module declares the `api` scope, and the `Users` API module declares the `read_user` scope (for GET requests). - Move the `find_user_by_private_token` from the API `Helpers` module to the `APIGuard` module, to avoid littering `Helpers` with more auth-related methods to support `find_user_by_private_token`
author: Timothy Andrew <mail@timothyandrew.net> 2016-11-22 14:34:23 +0530
committer: Timothy Andrew <mail@timothyandrew.net> 2016-12-16 16:29:31 +0530
commit: 7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch)
tree: d2565cdc70269e5f244e7cf542170b0d5d8cf7aa /lib/api/users.rb
parent: 6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff)
download: gitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb
index c7db2d71017..0842c3874c5 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -2,7 +2,10 @@ module API
   class Users < Grape::API
     include PaginationParams
 
-    before { authenticate! }
+    before do
+      allow_access_with_scope :read_user if request.get?
+      authenticate!
+    end
 
     resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
       helpers do
author	Timothy Andrew <mail@timothyandrew.net>	2016-11-22 14:34:23 +0530
committer	Timothy Andrew <mail@timothyandrew.net>	2016-12-16 16:29:31 +0530
commit	7fa06ed55d18af4d055041eb27d38fecf9b5548f (patch)
tree	d2565cdc70269e5f244e7cf542170b0d5d8cf7aa /lib/api/users.rb
parent	6c809dfae84e702f7a49d3fac5725745264e0ff9 (diff)
download	gitlab-ce-7fa06ed55d18af4d055041eb27d38fecf9b5548f.tar.gz