authorTimothy Andrew <mail@timothyandrew.net>2017-04-21 09:47:58 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-04-25 09:46:05 +0000
commit34b71e734b0b01dd28e18be4728f93fbd4d1a561 (patch)
tree730ad04bf186b803c88d58c4b65e4a15cc9d99e1 /lib/api
parent7d2e2bd3505e27f4b8838a5140af96c1d54d5875 (diff)
Don't display the `is_admin?` flag for user API responses.
- To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
- Display the `is_admin?` flag only where we already display the `private_token`; at the moment there are two instances:
  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
Diffstat (limited to 'lib/api')
-rw-r--r--lib/api/entities.rb4
-rw-r--r--lib/api/session.rb4
-rw-r--r--lib/api/users.rb2
3 files changed, 5 insertions, 5 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 64ab6f01eb5..6d6ccefe877 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -14,7 +14,6 @@ module API
class User < UserBasic
expose :created_at
- expose :admin?, as: :is_admin
expose :bio, :location, :skype, :linkedin, :twitter, :website_url, :organization
end
@@ -41,8 +40,9 @@ module API
expose :external
end
- class UserWithPrivateToken < UserPublic
+ class UserWithPrivateDetails < UserPublic
expose :private_token
+ expose :admin?, as: :is_admin
end
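Review bot: `UserWithPrivateDetails` is now the only entity exposing `admin?`, but nothing in the class says why the flag was taken off `User`, so a later "restore missing field" change could put `is_admin` back on the public entity and reopen the admin-enumeration problem this commit closes. I would add a comment above `expose :admin?, as: :is_admin`, e.g. `# Deliberately not on User/UserPublic: exposing is_admin on /users lets any API caller enumerate admins. Only shown alongside private_token.` That comment also records that `private_token` and `is_admin` are now coupled, so any future endpoint that presents this entity discloses both. `UserPublic`'s definition starts outside this hunk, so I cannot confirm from here that it exposes no other admin-indicating field.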
class Email < Grape::Entity
diff --git a/lib/api/session.rb b/lib/api/session.rb
index 002ffd1d154..016415c3023 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -1,7 +1,7 @@
module API
class Session < Grape::API
desc 'Login to get token' do
- success Entities::UserWithPrivateToken
+ success Entities::UserWithPrivateDetails
end
params do
optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
return unauthorized! unless user
return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
- present user, with: Entities::UserWithPrivateToken
+ present user, with: Entities::UserWithPrivateDetails
end
end
end
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 46f221f68fe..40acaebf670 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -433,7 +433,7 @@ module API
success Entities::UserPublic
end
get do
- present current_user, with: sudo? ? Entities::UserWithPrivateToken : Entities::UserPublic
+ present current_user, with: sudo? ? Entities::UserWithPrivateDetails : Entities::UserPublic
end
desc "Get the currently authenticated user's SSH keys" do
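Review bot: The `desc` block just before `get do` still declares `success Entities::UserPublic`, while the sudo branch now presents `Entities::UserWithPrivateDetails`, so documentation generated from the `desc` block (presumably via the Grape `success` metadata) will not mention that a sudo request to `/user` also returns `private_token` and `is_admin`. I would add a `detail` to that block, e.g. `detail 'When called with sudo, the response additionally includes private_token and is_admin'`, or document the second entity there. The `desc ... do` opening line is outside the hunk. The code itself matches the commit description: `is_admin` appears only where `private_token` was already returned.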