author | Douwe Maan <douwe@gitlab.com> | 2016-04-18 15:20:13 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-04-18 15:20:13 +0000 |
commit | 58665b64f5bd8795571876587ea3a19253532286 (patch) | |
tree | 6b7a6038e5c79cb244606b2a6ae9bf1c5fafa66f /lib | |
parent | 70e6fa31064984c691e283eddf6712bc031e0842 (diff) | |
parent | 2366768d3b28ea70c91fc49c471e66152650d442 (diff) | |
download | gitlab-ce-58665b64f5bd8795571876587ea3a19253532286.tar.gz |
Merge branch 'issue_3508' into 'master'
Restrict public users for private instances
Implements #3508
See merge request !3440
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/users.rb | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 0a14bac07c0..ea6fa2dc8a8 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -11,6 +11,10 @@ module API
 # GET /users?search=Admin
 # GET /users?username=root
 get do
+ unless can?(current_user, :read_users_list, nil)
+ render_api_error!("Not authorized.", 403)
+ end
+
 if params[:username].present?
 @users = User.where(username: params[:username])
 else
@@ -36,10 +40,12 @@ module API
 get ":id" do
 @user = User.find(params[:id])
- if current_user.is_admin?
+ if current_user && current_user.is_admin?
 present @user, with: Entities::UserFull
- else
+ elsif can?(current_user, :read_user, @user)
 present @user, with: Entities::User
+ else
+ render_api_error!("User not found.", 404)
 end
 end
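Review bot: In the second hunk the `get ":id"` endpoint now answers 404 "User not found." for a user the caller is not allowed to read, which is deliberately indistinguishable from an unknown id, but nothing in the code records that this is intentional, so a later maintainer could "correct" it to a 403 and reintroduce user enumeration; the endpoint's header comment (above the hunk) should say so, e.g. `# Responds 404 for unknown ids and for users the current user cannot :read_user (same response on purpose)`. The first hunk's list endpoint likewise gains a 403 that its header comment (also above the hunk) does not mention; `# Responds 403 unless the current user has :read_users_list` would cover it. Both `get` blocks begin outside their hunks and the list endpoint's body continues past its hunk. The new `can?` calls are passed a possibly nil current_user (the `current_user && current_user.is_admin?` guard shows nil is expected here), which presumably the ability layer tolerates — worth confirming.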