authorDouwe Maan <douwe@gitlab.com>2016-12-08 00:17:44 +0000
committerRémy Coutable <remy@rymai.me>2016-12-08 11:18:13 +0100
commit390f8bc7d2e599020c5c9d24b32ccacb2c79d006 (patch)
tree840077339fb3514088f3ca9b3324249a9530a250 /lib
parent27d2ecb856f48d5d7f0ce27847573c24e3440616 (diff)
Merge branch '24537-reenable-private-token-with-sudo' into 'master'
Re-enables the users API (`GET /user`) to return `private_token` when `sudo` is passed either as a parameter or as a header and the authenticated user is an admin. Closes #24537 See merge request !7615 Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'lib')
-rw-r--r--lib/api/entities.rb6
-rw-r--r--lib/api/helpers.rb13
-rw-r--r--lib/api/session.rb2
-rw-r--r--lib/api/users.rb10
4 files changed, 19 insertions, 12 deletions
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 92a6f29adb0..456785e5308 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -22,7 +22,7 @@ module API
expose :provider, :extern_uid
end
- class UserFull < User
+ class UserPublic < User
expose :last_sign_in_at
expose :confirmed_at
expose :email
@@ -34,7 +34,7 @@ module API
expose :external
end
- class UserLogin < UserFull
+ class UserWithPrivateToken < UserPublic
expose :private_token
end
@@ -283,7 +283,7 @@ module API
end
class SSHKeyWithUser < SSHKey
- expose :user, using: Entities::UserFull
+ expose :user, using: Entities::UserPublic
end
class Note < Grape::Entity
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 1f1fa1cbc3c..ec26e079370 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -44,11 +44,14 @@ module API
return nil
end
- identifier = sudo_identifier()
+ identifier = sudo_identifier
- # If the sudo is the current user do nothing
- if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+ if identifier
+ # We check for private_token because we cannot allow PAT to be used
forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+ forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+ @impersonator = @current_user
@current_user = User.by_username_or_id(identifier)
not_found!("No user id or username for: #{identifier}") if @current_user.nil?
end
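Review bot: The comment added as `# We check for private_token because we cannot allow PAT to be used` sits above the admin check but describes the `private_token_used?` check on the line after it; move it down one line, or merge both checks under one note such as `# sudo requires an admin authenticating with their private token; a personal access token must not be able to impersonate`. The deleted short-circuit also means a non-admin who passes sudo with their own id or username now receives a 403 instead of a no-op, which the commit message does not mention; worth stating if that is intended. The enclosing method begins before this hunk.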
@@ -430,6 +433,10 @@ module API
links.join(', ')
end
+ def private_token_used?
+ private_token == @current_user.private_token
+ end
+
def secret_token
File.read(Gitlab.config.gitlab_shell.secret_file).chomp
end
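Review bot: `private_token_used?` compares the supplied token to `@current_user.private_token` with `==`, a variable-time string compare, and this comparison is the gate that separates a personal access token from full admin impersonation, so a constant-time compare is preferable here: `token = private_token.to_s` then `token.present? && ActiveSupport::SecurityUtils.secure_compare(token, @current_user.private_token.to_s)` (assuming the Rails version in use ships `SecurityUtils`, which I cannot confirm from this page). The `.to_s` and presence check also stop `nil == nil` from returning true should either side ever be unset. `private_token` itself is defined outside this hunk.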
diff --git a/lib/api/session.rb b/lib/api/session.rb
index 55ec66a6d67..af863f9efce 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -15,7 +15,7 @@ module API
return unauthorized! unless user
return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
- present user, with: Entities::UserLogin
+ present user, with: Entities::UserWithPrivateToken
end
end
end
diff --git a/lib/api/users.rb b/lib/api/users.rb
index c440305ff0f..55f9adabf9a 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -25,7 +25,7 @@ module API
end
if current_user.is_admin?
- present @users, with: Entities::UserFull
+ present @users, with: Entities::UserPublic
else
present @users, with: Entities::UserBasic
end
@@ -41,7 +41,7 @@ module API
@user = User.find(params[:id])
if current_user && current_user.is_admin?
- present @user, with: Entities::UserFull
+ present @user, with: Entities::UserPublic
elsif can?(current_user, :read_user, @user)
present @user, with: Entities::User
else
@@ -87,7 +87,7 @@ module API
end
if user.save
- present user, with: Entities::UserFull
+ present user, with: Entities::UserPublic
else
conflict!('Email has already been taken') if User.
where(email: user.email).
@@ -149,7 +149,7 @@ module API
end
if user.update_attributes(attrs)
- present user, with: Entities::UserFull
+ present user, with: Entities::UserPublic
else
render_validation_error!(user)
end
@@ -327,7 +327,7 @@ module API
# Example Request:
# GET /user
get do
- present @current_user, with: Entities::UserFull
+ present @current_user, with: @impersonator ? Entities::UserWithPrivateToken : Entities::UserPublic
end
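Review bot: The `GET /user` example comment above this block does not say that the response now carries `private_token` when the request is an admin sudo authenticated with a private token, which is exactly what this endpoint gains; add a line after `# GET /user` such as `# When sudo is used by an admin with a private token, the impersonated user's private_token is included in the response`. The entity switch keys on `@impersonator`, which is only set as a side effect of the sudo branch in the helpers, so a short comment on the `present` line noting that dependency would help the next maintainer. The `resource` block enclosing this `get` starts outside the hunk.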
# Get currently authenticated user's keys