diff options
author | Timothy Andrew <mail@timothyandrew.net> | 2017-07-04 12:19:48 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-07-04 12:19:48 +0000 |
commit | d1488268b2e31b8f3549c6e1e46955619535cd98 (patch) | |
tree | 649bce69f61984ae85205e340b54f1d6bc121f17 /spec | |
parent | 96e986327c4dad9248f9013f191119ffafe4a6d8 (diff) | |
download | gitlab-ce-d1488268b2e31b8f3549c6e1e46955619535cd98.tar.gz |
Simplify authentication logic in the v4 users API for !12445.
- Rather than using an explicit check to turn off authentication for the
`/users` endpoint, simply call `authenticate_non_get!`.
- All `GET` endpoints we wish to restrict already call
`authenticated_as_admin!`, and so remain inacessible to anonymous users.
- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
the same access check that `/users` users, and so is safe for use here.
- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/users_spec.rb | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index aa95ae8c7cc..8640c16203e 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -169,6 +169,7 @@ describe API::Users do describe "GET /users/:id" do it "returns a user by id" do get api("/users/#{user.id}", user) + expect(response).to have_http_status(200) expect(json_response['username']).to eq(user.username) end @@ -179,9 +180,22 @@ describe API::Users do expect(json_response['is_admin']).to be_nil end - it "returns a 401 if unauthenticated" do - get api("/users/9998") - expect(response).to have_http_status(401) + context 'for an anonymous user' do + it "returns a user by id" do + get api("/users/#{user.id}") + + expect(response).to have_http_status(200) + expect(json_response['username']).to eq(user.username) + end + + it "returns a 404 if the target user is present but inaccessible" do + allow(Ability).to receive(:allowed?).and_call_original + allow(Ability).to receive(:allowed?).with(nil, :read_user, user).and_return(false) + + get api("/users/#{user.id}") + + expect(response).to have_http_status(404) + end end it "returns a 404 error if user id not found" do |