diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-04-21 06:44:47 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-04-26 08:00:19 +0000 |
| commit | 4dfdef2ddfc3cdeb6f6231e397543d120083a4c2 (patch) | |
| tree | 0c3232d2ab9ea17fdfcadcc84612723188933b99 /lib | |
| parent | 6c65b63ca5fb60ae26c900b4615054d2ff66eeb9 (diff) | |
| download | gitlab-ce-29505-allow-admins-sudo-to-blocked-users.tar.gz | |
Allow admins to sudo to blocked users.29505-allow-admins-sudo-to-blocked-users
- Currently, (for example) admins can't delete snippets for blocked users, which
is an unexpected limitation.
- We modify `authenticate!` to conduct the `access_api` policy check against the
`initial_current_user`, instead of the user being impersonated.
- Update CHANGELOG for !10842
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/helpers.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index ddff3c8c1e8..86bf567fe69 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -102,7 +102,7 @@ module API end def authenticate! - unauthorized! unless current_user && can?(current_user, :access_api) + unauthorized! unless current_user && can?(initial_current_user, :access_api) end def authenticate_non_get! |