diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-18 00:08:58 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-03-18 00:08:58 +0000 |
| commit | 099333e261623df9b960419e2761b2cbb0eb3882 (patch) | |
| tree | 47d05cc18d6b20a16982b33e00bd1d144563f9e3 /lib/api | |
| parent | a0b4a462b0c6f333651ae9e0c0ca1e5794e7b4e1 (diff) | |
| download | gitlab-ce-099333e261623df9b960419e2761b2cbb0eb3882.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/api_guard.rb | 4 | ||||
| -rw-r--r-- | lib/api/internal/base.rb | 10 | ||||
| -rw-r--r-- | lib/api/settings.rb | 1 |
3 files changed, 12 insertions, 3 deletions
diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb index 8641271f2df..8822a30d4a1 100644 --- a/lib/api/api_guard.rb +++ b/lib/api/api_guard.rb @@ -55,7 +55,7 @@ module API user = find_user_from_sources return unless user - if user.is_a?(User) && Feature.enabled?(:user_mode_in_session) + if user.is_a?(User) && Gitlab::CurrentSettings.admin_mode # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) end @@ -236,7 +236,7 @@ module API def after # Use a Grape middleware since the Grape `after` blocks might run # before we are finished rendering the `Grape::Entity` classes - Gitlab::Auth::CurrentUserMode.reset_bypass_session! if Feature.enabled?(:user_mode_in_session) + Gitlab::Auth::CurrentUserMode.reset_bypass_session! if Gitlab::CurrentSettings.admin_mode # Explicit nil is needed or the api call return value will be overwritten nil diff --git a/lib/api/internal/base.rb b/lib/api/internal/base.rb index 3dd01b96e39..664b05ea010 100644 --- a/lib/api/internal/base.rb +++ b/lib/api/internal/base.rb @@ -52,7 +52,7 @@ module API actor.update_last_used_at! check_result = begin - Gitlab::Auth::CurrentUserMode.bypass_session!(actor.user&.id) do + with_admin_mode_bypass!(actor.user&.id) do access_check!(actor, params) end rescue Gitlab::GitAccess::ForbiddenError => e @@ -120,6 +120,14 @@ module API def two_factor_otp_check { success: false, message: 'Feature is not available' } end + + def with_admin_mode_bypass!(actor_id) + return yield unless Gitlab::CurrentSettings.admin_mode + + Gitlab::Auth::CurrentUserMode.bypass_session!(actor_id) do + yield + end + end end namespace 'internal' do diff --git a/lib/api/settings.rb b/lib/api/settings.rb index 64a72b4cb7f..95d0c525ced 100644 --- a/lib/api/settings.rb +++ b/lib/api/settings.rb @@ -30,6 +30,7 @@ module API success Entities::ApplicationSetting end params do + optional :admin_mode, type: Boolean, desc: 'Require admin users to re-authenticate for administrative (i.e. potentially dangerous) operations' optional :admin_notification_email, type: String, desc: 'Deprecated: Use :abuse_notification_email instead. Abuse reports will be sent to this address if it is set. Abuse reports are always available in the admin area.' optional :abuse_notification_email, type: String, desc: 'Abuse reports will be sent to this address if it is set. Abuse reports are always available in the admin area.' optional :after_sign_up_text, type: String, desc: 'Text shown after sign up' |