diff options
author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-06-13 17:46:48 +0300 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-06-13 17:46:48 +0300 |
commit | ae564c97d48bf728745c57720734cb40378fd90f (patch) | |
tree | d9ac31827984c443b9c219deef29309a5e251125 /lib/api/users.rb | |
parent | d5b0f29c4a3a9d7da849d91a16f70bd494831da7 (diff) | |
download | gitlab-ce-ae564c97d48bf728745c57720734cb40378fd90f.tar.gz |
Dont expose user email via API
To prevent leaking of users info we reduce amount of user information
retrieved via API for normal users.
What user can get via API:
* if not admin: only id, state, name, username and avatar_url
* if admin: all user information
* about himself: all informaion
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib/api/users.rb')
-rw-r--r-- | lib/api/users.rb | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb index 6ed2740c333..92dbe97f0a4 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -13,7 +13,12 @@ module API @users = @users.active if params[:active].present? @users = @users.search(params[:search]) if params[:search].present? @users = paginate @users - present @users, with: Entities::User + + if current_user.is_admin? + present @users, with: Entities::UserFull + else + present @users, with: Entities::UserBasic + end end # Get a single user @@ -24,7 +29,12 @@ module API # GET /users/:id get ":id" do @user = User.find(params[:id]) - present @user, with: Entities::User + + if current_user.is_admin? + present @user, with: Entities::UserFull + else + present @user, with: Entities::UserBasic + end end # Create user. Available only for admin @@ -53,7 +63,7 @@ module API admin = attrs.delete(:admin) user.admin = admin unless admin.nil? if user.save - present user, with: Entities::User + present user, with: Entities::UserFull else not_found! end @@ -87,7 +97,7 @@ module API admin = attrs.delete(:admin) user.admin = admin unless admin.nil? if user.update_attributes(attrs, as: :admin) - present user, with: Entities::User + present user, with: Entities::UserFull else not_found! end |