summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml4
-rw-r--r--spec/requests/api/users_spec.rb40
3 files changed, 28 insertions, 18 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 1c91425f589..1be7bbe9953 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in
end
- rule { admin | ~restricted_public_level }.policy do
+ rule { ~(anonymous & restricted_public_level) }.policy do
enable :read_users_list
end
end
diff --git a/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml b/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
new file mode 100644
index 00000000000..54b2e71bef9
--- /dev/null
+++ b/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
@@ -0,0 +1,4 @@
+---
+title: Allow any logged in users to read_users_list even if it's restricted
+merge_request: 13201
+author:
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 66b165b438b..2dc7be22f8f 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -16,38 +16,44 @@ describe API::Users do
it "returns authorization error when the `username` parameter is not passed" do
get api("/users")
- expect(response).to have_http_status(403)
+ expect(response).to have_gitlab_http_status(403)
end
it "returns the user when a valid `username` parameter is passed" do
- user = create(:user)
-
get api("/users"), username: user.username
- expect(response).to have_http_status(200)
+ expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
expect(json_response[0]['id']).to eq(user.id)
expect(json_response[0]['username']).to eq(user.username)
end
- it "returns authorization error when the `username` parameter refers to an inaccessible user" do
- user = create(:user)
-
- stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
-
- get api("/users"), username: user.username
-
- expect(response).to have_http_status(403)
- end
-
it "returns an empty response when an invalid `username` parameter is passed" do
get api("/users"), username: 'invalid'
- expect(response).to have_http_status(200)
+ expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(0)
end
+
+ context "when public level is restricted" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
+
+ it "returns authorization error when the `username` parameter refers to an inaccessible user" do
+ get api("/users"), username: user.username
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+
+ it "returns authorization error when the `username` parameter is not passed" do
+ get api("/users")
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+ end
end
context "when authenticated" do
@@ -58,10 +64,10 @@ describe API::Users do
end
context 'when authenticate as a regular user' do
- it "renders 403" do
+ it "renders 200" do
get api("/users", user)
- expect(response).to have_gitlab_http_status(403)
+ expect(response).to have_gitlab_http_status(200)
end
end