Commit log for path: root/lib/api/users.rb
Each entry lists the commit message, then author, date, files changed and lines (-removed/+added), followed by any commit body.

* Added default order to UserFinder
  Francisco Javier López, 2017-12-04; 1 file, -0/+2

* Skip confirmation user api
  Daniel Juarez, 2017-11-21; 1 file, -1/+2

* Remove private_token from API user entity
  Douwe Maan, 2017-11-02; 1 file, -3/+1

* Merge branch 'master' into digitalmoksha/gitlab-ce-feature/verify_secondary_emails
  Douwe Maan, 2017-10-05; 1 file, -11/+9
  # Conflicts:
  #   app/controllers/admin/users_controller.rb
  #   app/controllers/confirmations_controller.rb
  #   app/controllers/profiles/emails_controller.rb
  #   app/models/user.rb
  #   app/services/emails/base_service.rb
  #   app/services/emails/destroy_service.rb
  #   app/views/devise/mailer/confirmation_instructions.html.haml
  #   lib/api/users.rb
  #   spec/services/emails/destroy_service_spec.rb

* Support custom attributes on users
  Markus Koller, 2017-09-28; 1 file, -0/+2

* refactor emails service  [branch: refactor-services]
  James Lopez, 2017-09-28; 1 file, -4/+4

* refactor users update service
  James Lopez, 2017-09-28; 1 file, -1/+1

* refactor services to match EE signature
  James Lopez, 2017-09-28; 1 file, -5/+5

* find_user users helper method no longer overrides find_user API helper method.  [branch: 37467-helper-method-from-users-endpoint-overrides-api-helper-method]
  Tiago Botelho, 2017-09-26; 1 file, -2/+2

* fix calls to Emails::DestroyService
  Brett Walker, 2017-09-23; 1 file, -2/+2

* Send a confirmation email when the user adds a secondary email address.
  Brett Walker, 2017-09-23; 1 file, -2/+0
  Utilizes the Devise `confirmable` capabilities. Issue #37385

* Ensure we use `Entities::User` for non-admin `users/:id` API requests
  Robert Speicher, 2017-09-15; 1 file, -1/+1

* API: Add GPG key management for admins
  Robert Schilling, 2017-09-05; 1 file, -0/+80

* API: Add GPG key management
  Robert Schilling, 2017-09-05; 1 file, -0/+70

* Update remaining endpoints
  Robert Schilling, 2017-08-28; 1 file, -2/+5

* Conditionally destroy a resource
  Robert Schilling, 2017-08-28; 1 file, -34/+13

* API: Respect the 'If-Unmodified-Since' for delete endpoints
  Robert Schilling, 2017-08-28; 1 file, -0/+28

* Include the `is_admin` field in the `GET /users/:id` API when current user is an admin
  Rémy Coutable, 2017-08-11; 1 file, -9/+4
  Signed-off-by: Rémy Coutable <remy@rymai.me>

* Update grape gem  [branch: dz-update-grape]
  Dmitriy Zaporozhets, 2017-07-20; 1 file, -0/+5
  New version of the gem returns 200 status code on delete with content instead of 204 so we explicitly set status code to keep existing behavior
  Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

* Return `is_admin` attribute in the GET /user endpoint for admins
  Rémy Coutable, 2017-07-12; 1 file, -1/+10
  Signed-off-by: Rémy Coutable <remy@rymai.me>

* fix specs
  James Lopez, 2017-07-07; 1 file, -1/+1

* add created at filter logic to users finder and API
  James Lopez, 2017-07-07; 1 file, -0/+6

* Merge branch 'master' into '33580-fix-api-scoping'
  Douwe Maan, 2017-07-04; 1 file, -9/+20
  # Conflicts:
  #   lib/api/users.rb

* Simplify authentication logic in the v4 users API for !12445.
  Timothy Andrew, 2017-07-04; 1 file, -1/+8
  - Rather than using an explicit check to turn off authentication for the `/users` endpoint, simply call `authenticate_non_get!`.
  - All `GET` endpoints we wish to restrict already call `authenticated_as_admin!`, and so remain inaccessible to anonymous users.
  - This _does_ open up the `/users/:id` endpoint to anonymous access. It contains the same access check that `/users` uses, and so is safe for use here.
  - More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323

* Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api
  Timothy Andrew, 2017-06-30; 1 file, -10/+10
  - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8.

* Implement review comments for !12445 from @godfat and @rymai.
  Timothy Andrew, 2017-06-30; 1 file, -15/+11
  - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted.
  - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed.
  - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description.
  - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE.

* Allow unauthenticated access to the `/api/v4/users` API.
  Timothy Andrew, 2017-06-26; 1 file, -6/+17
  - The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username.
  - We don't authenticate this API anymore, but instead - if the `current_user` is not present:
    - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users.
    - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)`

* Initial attempt at refactoring API scope declarations.
  Timothy Andrew, 2017-06-28; 1 file, -1/+3
  - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first.
  - This commit moves these declarations to the class level, since they don't need to change once set.

* fix spec failures
  James Lopez, 2017-06-24; 1 file, -1/+1

* fix spec failures
  James Lopez, 2017-06-23; 1 file, -4/+4

* refactor update user service not to do auth checks
  James Lopez, 2017-06-23; 1 file, -1/+1

* fix spec failures
  James Lopez, 2017-06-23; 1 file, -4/+6

* refactor emails service
  James Lopez, 2017-06-23; 1 file, -8/+0

* update missing email actions
  James Lopez, 2017-06-23; 1 file, -6/+4

* fix specs
  James Lopez, 2017-06-23; 1 file, -2/+2

* update to use emails destroy service
  James Lopez, 2017-06-23; 1 file, -2/+3

* fixed specs
  James Lopez, 2017-06-23; 1 file, -1/+1

* added service in the rest of controllers and classes
  James Lopez, 2017-06-23; 1 file, -2/+2

* fix api and controller issues
  James Lopez, 2017-06-23; 1 file, -2/+7

* update notification settings, fix api specs
  James Lopez, 2017-06-23; 1 file, -1/+3

* Enable Style/DotPosition Rubocop :cop:
  Grzegorz Bizon, 2017-06-21; 1 file, -13/+13

* Re-instate is_admin flag in users API if current user is an admin
  Mike Ricketts, 2017-06-20; 1 file, -1/+1

* Accept image for avatar in user API
  vanadium23, 2017-06-16; 1 file, -0/+1

* Merge branch '2563-backport-ee1942' into 'master'
  Grzegorz Bizon, 2017-06-07; 1 file, -4/+0
  Backport some EE changes from adding shared_runners_minutes_limit to the API
  Closes gitlab-ee#2563
  See merge request !11936

* Backport https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/1942
  Lin Jen-Shin, 2017-06-06; 1 file, -4/+0

* Introduce an Events API
  Mark Fletcher, 2017-06-06; 1 file, -21/+0
  - Meld the following disparate endpoints:
    - `/projects/:id/events`
    - `/events`
    - `/users/:id/events`
  - Add result filtering to the above endpoints:
    - action
    - target_type
    - before and after dates

* Refactor the DeleteUserWorker
  Nick Thomas, 2017-06-05; 1 file, -1/+1

* Allow users to be hard-deleted from the API
  Nick Thomas, 2017-06-02; 1 file, -1/+2

* Create a Users Finder
  George Andrinopoulos, 2017-05-15; 1 file, -10/+1

* Don't display the `is_admin?` flag for user API responses.
  Timothy Andrew, 2017-04-25; 1 file, -1/+1
  - To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
  - Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances:
    - When an admin uses `sudo` to view the `/user` endpoint
    - When logging in using the `/session` endpoint
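
Two of the commits above ("Allow unauthenticated access to the `/api/v4/users` API." and "Don't display the `is_admin?` flag for user API responses.") describe the same defensive pattern from two sides: an anonymous caller may only look up one user by exact `username`, never list the instance, and the serialized entity omits `is_admin` unless the caller is an admin. The block below is an added example, written here in plain Ruby; it is not GitLab's code and not taken from any commit in this log. `User`, `USERS`, `UsersEndpoint`, `BadRequest` and `can_read_user?` are assumed stand-ins for the real User model, `UsersFinder`, the Grape endpoint and the `can?(current_user, :read_user, user)` policy check, and the sample accounts are constructed for the example.

```ruby
# Added illustration, not GitLab's code and not from any commit listed above.
# It reduces the two guards described in the log to plain Ruby so it runs
# without Grape or Rails. User, USERS, can_read_user?, BadRequest and
# UsersEndpoint are assumed stand-ins for the real User model, UsersFinder,
# the `can?(current_user, :read_user, user)` policy check and the endpoint.

User = Struct.new(:id, :username, :admin, keyword_init: true)

# Constructed sample accounts for the example.
USERS = [
  User.new(id: 1, username: 'root',  admin: true),
  User.new(id: 2, username: 'alice', admin: false),
  User.new(id: 3, username: 'bob',   admin: false)
].freeze

class BadRequest < StandardError; end

module UsersEndpoint
  module_function

  # Stand-in for the policy check: a signed-in caller may read any user here;
  # an anonymous caller may read users only while public visibility is not
  # restricted on the instance.
  def can_read_user?(current_user, _user, public_restricted:)
    return true unless current_user.nil?

    !public_restricted
  end

  # GET /users. An anonymous caller must supply `username`, and the lookup is
  # an exact match, so the endpoint cannot be used to list every account.
  def list(current_user: nil, params: {}, public_restricted: false)
    if current_user.nil? && params[:username].nil?
      raise BadRequest, 'username parameter is required for unauthenticated requests'
    end

    users = USERS
    users = users.select { |u| u.username == params[:username] } if params[:username]
    users
      .select { |u| can_read_user?(current_user, u, public_restricted: public_restricted) }
      .map { |u| serialize(u, current_user) }
  end

  # Entity selection: `is_admin` is included only when the caller is an admin,
  # so a non-admin cannot scrape /users for the list of administrators.
  def serialize(user, current_user)
    entity = { 'id' => user.id, 'username' => user.username }
    entity['is_admin'] = user.admin if current_user&.admin
    entity
  end
end
```

The two checks are deliberately separate: the `username` requirement stops bulk listing, and the per-user policy check still applies to the single match, so restricting public visibility on the instance turns an anonymous exact-match lookup into an empty result rather than a 200 with user data.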