author: Timothy Andrew <mail@timothyandrew.net> 2017-04-21 09:47:58 +0000
committer: Timothy Andrew <mail@timothyandrew.net> 2017-04-25 09:46:05 +0000
commit: 34b71e734b0b01dd28e18be4728f93fbd4d1a561 (patch)
tree: 730ad04bf186b803c88d58c4b65e4a15cc9d99e1 /spec/fixtures/api/schemas/public_api/v4/user
parent: 7d2e2bd3505e27f4b8838a5140af96c1d54d5875 (diff)
download: gitlab-ce-34b71e734b0b01dd28e18be4728f93fbd4d1a561.tar.gz
Don't display the `is_admin?` flag for user API responses.
- To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances:
  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
Diffstat (limited to 'spec/fixtures/api/schemas/public_api/v4/user')
-rw-r--r--  spec/fixtures/api/schemas/public_api/v4/user/public.json  2
1 files changed, 0 insertions, 2 deletions
diff --git a/spec/fixtures/api/schemas/public_api/v4/user/public.json b/spec/fixtures/api/schemas/public_api/v4/user/public.json
index 5587cfec61a..faa126b65f2 100644
--- a/spec/fixtures/api/schemas/public_api/v4/user/public.json
+++ b/spec/fixtures/api/schemas/public_api/v4/user/public.json
@@ -9,7 +9,6 @@
"avatar_url",
"web_url",
"created_at",
- "is_admin",
"bio",
"location",
"skype",
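Review bot: Removing `is_admin` from the required list only stops the schema from demanding the field; unless the schema also declares `"additionalProperties": false` (not visible in this hunk), a public user response that still leaks `is_admin` would pass validation and the regression the commit message describes would go unnoticed. Consider adding that constraint, or a spec assertion that the key is absent from the `/users` response, so the fix is actually tested.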
@@ -43,7 +42,6 @@
"avatar_url": { "type": "string" },
"web_url": { "type": "string" },
"created_at": { "type": "date" },
- "is_admin": { "type": "boolean" },
"bio": { "type": ["string", "null"] },
"location": { "type": ["string", "null"] },
"skype": { "type": "string" },
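Review bot: Dropping the `is_admin` property definition here matches the removal from the required list in the first hunk, so the schema stays internally consistent. On the surrounding context line, `"created_at": { "type": "date" }` uses a type name that JSON Schema does not define (valid types are string, number, integer, boolean, array, object and null); the usual form is `"type": "string", "format": "date-time"`. Depending on the validator this either fails the whole schema or silently skips the check, so it is worth fixing alongside this change.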