Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r-- | lib/api/helpers.rb | 31 |
1 files changed, 11 insertions, 20 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 164aea613e4..40096f367db 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -45,11 +45,14 @@ module API
 return nil
 end
 
- identifier = sudo_identifier()
+ identifier = sudo_identifier
 
- # If the sudo is the current user do nothing
- if identifier && !(@current_user.id == identifier || @current_user.username == identifier)
+ if identifier
+ # We check for private_token because we cannot allow PAT to be used
 forbidden!('Must be admin to use sudo') unless @current_user.is_admin?
+ forbidden!('Private token must be specified in order to use sudo') unless private_token_used?
+
+ @impersonator = @current_user
 @current_user = User.by_username_or_id(identifier)
 not_found!("No user id or username for: #{identifier}") if @current_user.nil?
 end
@@ -109,7 +112,7 @@ module API
 if id =~ /^\d+$/
 Group.find_by(id: id)
 else
- Group.find_by(path: id)
+ Group.find_by_full_path(id)
 end
 end
 
@@ -212,22 +215,6 @@ module API
 end
 end
 
- def issuable_order_by
- if params["order_by"] == 'updated_at'
- 'updated_at'
- else
- 'created_at'
- end
- end
-
- def issuable_sort
- if params["sort"] == 'asc'
- :asc
- else
- :desc
- end
- end
-
 def filter_by_iid(items, iid)
 items.where(iid: iid)
 end
@@ -362,6 +349,10 @@ module API
 
 private
 
+ def private_token_used?
+ private_token == @current_user.private_token
+ end
+
 def secret_token
 Gitlab::Shell.secret_token
 end
|
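Review bot: The comment `# We check for private_token because we cannot allow PAT to be used` sits above the admin check rather than the `private_token_used?` guard it explains, so a reader ties the PAT restriction to the wrong line; move it down to sit directly above `forbidden!('Private token must be specified in order to use sudo') unless private_token_used?` and state the rule, e.g. `# Sudo must be authorised with the private token; a personal access token must not grant impersonation.` The hunk also sets `@impersonator` but nothing visible records that an impersonation took place; if no audit entry is written elsewhere, logging the impersonator and the target identifier at this point would make sudo use traceable. The enclosing method starts outside the hunk.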
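Review bot: `private_token_used?` relies on `==`, which is true when both operands are nil, so if the request-token helper `private_token` can return nil for a user whose stored token is also nil, the sudo guard would pass without any private token having been supplied. Guard the nil case explicitly, `!private_token.nil? && private_token == @current_user.private_token`, and document the intent with `# True only when the request authenticated with the user's private token (not a personal access token), which sudo requires.` Whether `private_token` can be nil here depends on its definition, which is outside the hunk.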