| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Scope declarations of the form:
allow_access_with_scope :read_user, if: -> (request) { request.get? }
will only apply for `GET` requests
- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
test for this case in the `AccessTokenValidationService` unit tests.
|
| |
|
| |
|
|\
| |
| |
| |
| | |
Allow admins to sudo to blocked users
See merge request !10842
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- Currently, (for example) admins can't delete snippets for blocked users, which
is an unexpected limitation.
- We modify `authenticate!` to conduct the `access_api` policy check against the
`initial_current_user`, instead of the user being impersonated.
- Update CHANGELOG for !10842
|
|/
|
|
|
| |
Removed all the unnecessary include of `WaitForAjax` and `ApiHelpers` in the specs.
Removed unnecessary usage of `api:true`
|
|
|
|
|
| |
true is neither nil nor a user and doesn't make sense as the return
value of `current_user`
|
| |
|
|
|
|
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
|
|
| |
- Use whitespace to separate the setup, expectation and teardown phases.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
|
|
|
|
| |
Signed-off-by: Rémy Coutable <remy@rymai.me>
|
|
The issue was arising when `#current_user` was called a second time
after a user was impersonated: the `User#is_admin?` check would be
performed on it and it would fail.
Signed-off-by: Rémy Coutable <remy@rymai.me>
|