diff options
| author | Rémy Coutable <remy@rymai.me> | 2017-07-04 14:45:40 +0000 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2017-07-04 14:45:40 +0000 |
| commit | 52862754aba0d0ce12f9e2d923a906249b16d51b (patch) | |
| tree | 773bcfbc566ad09c63ef3433760a3027371d1aad /lib/api | |
| parent | a69236cd4a22be2012287ee165db37e92346ee7e (diff) | |
| parent | d1488268b2e31b8f3549c6e1e46955619535cd98 (diff) | |
| download | gitlab-ce-52862754aba0d0ce12f9e2d923a906249b16d51b.tar.gz | |
Merge branch '34141-allow-unauthenticated-access-to-the-users-api' into 'master'
Allow unauthenticated access to the `/api/v4/users` API
Closes #34141
See merge request !12445
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/users.rb | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb index f9555842daf..5b9d9a71be4 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,10 +4,13 @@ module API before do allow_access_with_scope :read_user if request.get? - authenticate! end resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do + before do + authenticate_non_get! + end + helpers do def find_user(params) id = params[:user_id] || params[:id] @@ -51,15 +54,22 @@ module API use :pagination end get do - unless can?(current_user, :read_users_list) - render_api_error!("Not authorized.", 403) - end - authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) users = UsersFinder.new(current_user, params).execute - entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic + authorized = can?(current_user, :read_users_list) + + # When `current_user` is not present, require that the `username` + # parameter is passed, to prevent an unauthenticated user from accessing + # a list of all the users on the GitLab instance. `UsersFinder` performs + # an exact match on the `username` parameter, so we are guaranteed to + # get either 0 or 1 `users` here. + authorized &&= params[:username].present? if current_user.blank? + + forbidden!("Not authorized to access /api/v4/users") unless authorized + + entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end @@ -398,6 +408,10 @@ module API end resource :user do + before do + authenticate! + end + desc 'Get the currently authenticated user' do success Entities::UserPublic end |