author | Timothy Andrew <mail@timothyandrew.net> | 2017-04-21 09:47:58 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-04-25 09:46:05 +0000 |
commit | 34b71e734b0b01dd28e18be4728f93fbd4d1a561 (patch) | |
tree | 730ad04bf186b803c88d58c4b65e4a15cc9d99e1 /spec/requests | |
parent | 7d2e2bd3505e27f4b8838a5140af96c1d54d5875 (diff) | |
download | gitlab-ce-34b71e734b0b01dd28e18be4728f93fbd4d1a561.tar.gz |
Don't display the `is_admin?` flag for user API responses.
- To prevent an attacker from enumerating the `/users` API to get a list of all
the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the
moment, there are two instances:
- When an admin uses `sudo` to view the `/user` endpoint
- When logging in using the `/session` endpoint
Diffstat (limited to 'spec/requests')
-rw-r--r-- | spec/requests/api/keys_spec.rb | 6 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 8 | ||||
-rw-r--r-- | spec/requests/api/v3/users_spec.rb | 6 |
3 files changed, 18 insertions, 2 deletions
diff --git a/spec/requests/api/keys_spec.rb b/spec/requests/api/keys_spec.rb index 4c80987d680..adb33166332 100644 --- a/spec/requests/api/keys_spec.rb +++ b/spec/requests/api/keys_spec.rb @@ -34,6 +34,12 @@ describe API::Keys, api: true do expect(json_response['user']['id']).to eq(user.id) expect(json_response['user']['username']).to eq(user.username) end + + it "does not include the user's `is_admin` flag" do + get api("/keys/#{key.id}", admin) + + expect(json_response['user']['is_admin']).to be_nil + end end end end diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 165ab389917..1db85da5c2c 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -137,6 +137,12 @@ describe API::Users, api: true do expect(json_response['username']).to eq(user.username) end + it "does not return the user's `is_admin` flag" do + get api("/users/#{user.id}", user) + + expect(json_response['is_admin']).to be_nil + end + it "returns a 401 if unauthenticated" do get api("/users/9998") expect(response).to have_http_status(401) @@ -399,7 +405,6 @@ describe API::Users, api: true do it "updates admin status" do put api("/users/#{user.id}", admin), { admin: true } expect(response).to have_http_status(200) - expect(json_response['is_admin']).to eq(true) expect(user.reload.admin).to eq(true) end @@ -413,7 +418,6 @@ describe API::Users, api: true do it "does not update admin status" do put api("/users/#{admin_user.id}", admin), { can_create_group: false } expect(response).to have_http_status(200) - expect(json_response['is_admin']).to eq(true) expect(admin_user.reload.admin).to eq(true) expect(admin_user.can_create_group).to eq(false) end diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb index b38cbe74b85..19465a9a4ea 100644 --- a/spec/requests/api/v3/users_spec.rb +++ b/spec/requests/api/v3/users_spec.rb 
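Review bot: `expect(json_response['user']['is_admin']).to be_nil` in the keys_spec hunk passes both when the key is absent and when the API serializes `"is_admin": null`, so it does not pin the behaviour the commit wants (the attribute must not be emitted at all); `expect(json_response['user']).not_to have_key('is_admin')` is the stricter assertion. The same `be_nil` check appears in the users_spec `GET /users/:id` hunk and in the v3 `POST /users` hunk and would benefit from the same change. Separately, the commit message names enumeration of the `/users` listing as the threat, but the new users_spec example only requests `/users/#{user.id}` as the user themselves; if the index endpoint shares the same entity it is covered implicitly, but an explicit example against `GET /users` as `admin` (who previously saw the flag) would guard against a later entity split. The `describe` blocks enclosing all of these examples start outside the hunks.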
@@ -276,5 +276,11 @@ describe API::V3::Users, api: true do expect(new_user).to be_confirmed end + + it 'does not reveal the `is_admin` flag of the user' do + post v3_api('/users', admin), attributes_for(:user) + + expect(json_response['is_admin']).to be_nil + end end end |