Allow admins to sudo to blocked users.29505-allow-admins-sudo-to-blocked-users

- Currently, (for example) admins can't delete snippets for blocked users, which is an unexpected limitation. - We modify `authenticate!` to conduct the `access_api` policy check against the `initial_current_user`, instead of the user being impersonated. - Update CHANGELOG for !10842
author: Timothy Andrew <mail@timothyandrew.net> 2017-04-21 06:44:47 +0000
committer: Timothy Andrew <mail@timothyandrew.net> 2017-04-26 08:00:19 +0000
commit: 4dfdef2ddfc3cdeb6f6231e397543d120083a4c2 (patch)
tree: 0c3232d2ab9ea17fdfcadcc84612723188933b99 /lib
parent: 6c65b63ca5fb60ae26c900b4615054d2ff66eeb9 (diff)
download: gitlab-ce-4dfdef2ddfc3cdeb6f6231e397543d120083a4c2.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index ddff3c8c1e8..86bf567fe69 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -102,7 +102,7 @@ module API
     end
 
     def authenticate!
-      unauthorized! unless current_user && can?(current_user, :access_api)
+      unauthorized! unless current_user && can?(initial_current_user, :access_api)
     end
 
     def authenticate_non_get!
author	Timothy Andrew <mail@timothyandrew.net>	2017-04-21 06:44:47 +0000
committer	Timothy Andrew <mail@timothyandrew.net>	2017-04-26 08:00:19 +0000
commit	4dfdef2ddfc3cdeb6f6231e397543d120083a4c2 (patch)
tree	0c3232d2ab9ea17fdfcadcc84612723188933b99 /lib
parent	6c65b63ca5fb60ae26c900b4615054d2ff66eeb9 (diff)
download	gitlab-ce-4dfdef2ddfc3cdeb6f6231e397543d120083a4c2.tar.gz