summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTimothy Andrew <mail@timothyandrew.net>2017-04-21 06:44:47 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-04-26 08:00:19 +0000
commit4dfdef2ddfc3cdeb6f6231e397543d120083a4c2 (patch)
tree0c3232d2ab9ea17fdfcadcc84612723188933b99 /lib
parent6c65b63ca5fb60ae26c900b4615054d2ff66eeb9 (diff)
downloadgitlab-ce-29505-allow-admins-sudo-to-blocked-users.tar.gz
Allow admins to sudo to blocked users.29505-allow-admins-sudo-to-blocked-users
- Currently, (for example) admins can't delete snippets for blocked users, which is an unexpected limitation. - We modify `authenticate!` to conduct the `access_api` policy check against the `initial_current_user`, instead of the user being impersonated. - Update CHANGELOG for !10842
Diffstat (limited to 'lib')
-rw-r--r--lib/api/helpers.rb2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ddff3c8c1e8..86bf567fe69 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -102,7 +102,7 @@ module API
end
def authenticate!
- unauthorized! unless current_user && can?(current_user, :access_api)
+ unauthorized! unless current_user && can?(initial_current_user, :access_api)
end
def authenticate_non_get!