From 872e7b7efe923192d4ef90b01672038518ba66fc Mon Sep 17 00:00:00 2001 From: George Andrinopoulos Date: Mon, 15 May 2017 13:53:12 +0000 Subject: Create a Users Finder --- lib/api/users.rb | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 40acaebf670..3d83720b7b9 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -56,16 +56,7 @@ module API authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) - users = User.all - users = User.where(username: params[:username]) if params[:username] - users = users.active if params[:active] - users = users.search(params[:search]) if params[:search].present? - users = users.blocked if params[:blocked] - - if current_user.admin? - users = users.joins(:identities).merge(Identity.with_extern_uid(params[:provider], params[:extern_uid])) if params[:extern_uid] && params[:provider] - users = users.external if params[:external] - end + users = UsersFinder.new(current_user, params).execute entity = current_user.admin? ? Entities::UserPublic : Entities::UserBasic present paginate(users), with: entity -- cgit v1.2.1 From c890c6aaf2939bc19292947bd8268d724fa7ddce Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Thu, 1 Jun 2017 17:14:39 +0100 Subject: Allow users to be hard-deleted from the API --- lib/api/users.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 3d83720b7b9..2070dbd8bc7 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
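Review bot: The admin-only gating of the `extern_uid`/`provider` and `external` filters that the removed lines enforced inline is no longer visible at this call site; `users = UsersFinder.new(current_user, params).execute` gives no hint that the finder is expected to apply it, and the `authenticated_as_admin!` call above is the only guard a reader can still see. A one-line comment would make the contract explicit and keep a future finder change from silently widening what non-admins can filter on: `# UsersFinder applies the admin-only filters (extern_uid/provider, external) itself`. The enclosing `get` block starts before this hunk.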
@@ -286,13 +286,14 @@ module API end params do requires :id, type: Integer, desc: 'The ID of the user' + optional :hard_delete, type: Boolean, desc: "Whether to remove a user's contributions" end delete ":id" do authenticated_as_admin! user = User.find_by(id: params[:id]) not_found!('User') unless user - DeleteUserWorker.perform_async(current_user.id, user.id) + DeleteUserWorker.perform_async(current_user.id, user.id, hard_delete: params[:hard_delete]) end desc 'Block a user. Available only for admins.' -- cgit v1.2.1 From 158581a447bb4976161eca26ddcb2fccd25888ab Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Fri, 2 Jun 2017 14:18:24 +0100 Subject: Refactor the DeleteUserWorker --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 2070dbd8bc7..e8694e90cf2 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -293,7 +293,7 @@ module API user = User.find_by(id: params[:id]) not_found!('User') unless user - DeleteUserWorker.perform_async(current_user.id, user.id, hard_delete: params[:hard_delete]) + user.delete_async(deleted_by: current_user, params: params) end desc 'Block a user. Available only for admins.' -- cgit v1.2.1 From ad3e180ed3d99494414cb1b367f6b4e40ec28b87 Mon Sep 17 00:00:00 2001 From: Mark Fletcher Date: Mon, 29 May 2017 13:49:17 +0800 Subject: Introduce an Events API * Meld the following disparate endpoints: * `/projects/:id/events` * `/events` * `/users/:id/events` + Add result filtering to the above endpoints: * action * target_type * before and after dates --- lib/api/users.rb | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index e8694e90cf2..3f87a403a09 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
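Review bot: `DeleteUserWorker.perform_async(current_user.id, user.id, hard_delete: params[:hard_delete])` passes a Ruby hash as a job argument; if this is a Sidekiq worker, arguments are JSON-serialized, so the worker receives `{"hard_delete" => ...}` with a string key, and a `nil` value when the parameter is omitted — confirm the worker reads it that way rather than as a keyword argument. The description `"Whether to remove a user's contributions"` also undersells an irreversible operation; wording such as `desc: "Also remove the user's contributions (irreversible)"` tells API consumers what they are opting into. The `params` block and the `delete ":id"` body are complete within this hunk.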
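Review bot: `user.delete_async(deleted_by: current_user, params: params)` hands the entire request `params` hash to the model, although the only option this endpoint declares for deletion is `hard_delete`; whatever `delete_async` does with `params` now sees everything the client sent. Passing only the declared parameters keeps the surface explicit and consistent with the rest of this file: `user.delete_async(deleted_by: current_user, params: declared_params(include_missing: false))`. The enclosing `delete ":id"` block starts before this hunk.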
@@ -328,27 +328,6 @@ module API end end - desc 'Get the contribution events of a specified user' do - detail 'This feature was introduced in GitLab 8.13.' - success Entities::Event - end - params do - requires :id, type: Integer, desc: 'The ID of the user' - use :pagination - end - get ':id/events' do - user = User.find_by(id: params[:id]) - not_found!('User') unless user - - events = user.events. - merge(ProjectsFinder.new(current_user: current_user).execute). - references(:project). - with_associations. - recent - - present paginate(events), with: Entities::Event - end - params do requires :user_id, type: Integer, desc: 'The ID of the user' end -- cgit v1.2.1 From d919f924bf32220237c389dc913093efead8928c Mon Sep 17 00:00:00 2001 From: Lin Jen-Shin Date: Tue, 6 Jun 2017 21:42:45 +0800 Subject: Backport https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/1942 --- lib/api/users.rb | 4 ---- 1 file changed, 4 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index e8694e90cf2..7d78c5a55a9 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -124,10 +124,6 @@ module API optional :name, type: String, desc: 'The name of the user' optional :username, type: String, desc: 'The username of the user' use :optional_attributes - at_least_one_of :email, :password, :name, :username, :skype, :linkedin, - :twitter, :website_url, :organization, :projects_limit, - :extern_uid, :provider, :bio, :location, :admin, - :can_create_group, :confirm, :external end put ":id" do authenticated_as_admin! -- cgit v1.2.1 From 83a9a472b3bd9c9d8e64805317cd27c144b65112 Mon Sep 17 00:00:00 2001 From: vanadium23 Date: Tue, 13 Jun 2017 20:23:49 +0300 Subject: Accept image for avatar in user API --- lib/api/users.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index dda64715ee1..7257ecb5b67 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
@@ -29,6 +29,7 @@ module API optional :can_create_group, type: Boolean, desc: 'Flag indicating the user can create groups' optional :skip_confirmation, type: Boolean, default: false, desc: 'Flag indicating the account is confirmed' optional :external, type: Boolean, desc: 'Flag indicating the user is an external user' + optional :avatar, type: File, desc: 'Avatar image for user' all_or_none_of :extern_uid, :provider end end -- cgit v1.2.1 From 0e7478064f3cf91fec8cffb86a74503ab3e0322d Mon Sep 17 00:00:00 2001 From: Mike Ricketts Date: Tue, 20 Jun 2017 14:54:29 +0000 Subject: Re-instate is_admin flag in users API is current user is an admin --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 7257ecb5b67..bfb69d6dc18 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -59,7 +59,7 @@ module API users = UsersFinder.new(current_user, params).execute - entity = current_user.admin? ? Entities::UserPublic : Entities::UserBasic + entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end -- cgit v1.2.1 From 0430b7644101fc70ed4be6bf69ccf05b900f4cdf Mon Sep 17 00:00:00 2001 From: Grzegorz Bizon Date: Wed, 21 Jun 2017 13:48:12 +0000 Subject: Enable Style/DotPosition Rubocop :cop: --- lib/api/users.rb | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index bfb69d6dc18..c10e3364382 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
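Review bot: `optional :avatar, type: File, desc: 'Avatar image for user'` accepts any multipart upload at the API layer; nothing in this hunk bounds the content type or size, so the endpoint depends on validation further down (presumably the avatar uploader on `User`) to reject non-image or oversized content before it is stored — confirm that is the case. Recording that dependency where the parameter is declared helps the next reader: `# Content type and size limits are enforced by the avatar uploader, not by this param`. The enclosing `params` helper starts before this hunk.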
@@ -103,13 +103,13 @@ module API if user.persisted? present user, with: Entities::UserPublic else - conflict!('Email has already been taken') if User. - where(email: user.email). - count > 0 + conflict!('Email has already been taken') if User + .where(email: user.email) + .count > 0 - conflict!('Username has already been taken') if User. - where(username: user.username). - count > 0 + conflict!('Username has already been taken') if User + .where(username: user.username) + .count > 0 render_validation_error!(user) end @@ -133,12 +133,12 @@ module API not_found!('User') unless user conflict!('Email has already been taken') if params[:email] && - User.where(email: params[:email]). - where.not(id: user.id).count > 0 + User.where(email: params[:email]) + .where.not(id: user.id).count > 0 conflict!('Username has already been taken') if params[:username] && - User.where(username: params[:username]). - where.not(id: user.id).count > 0 + User.where(username: params[:username]) + .where.not(id: user.id).count > 0 user_params = declared_params(include_missing: false) identity_attrs = user_params.slice(:provider, :extern_uid) @@ -517,9 +517,9 @@ module API get "activities" do authenticated_as_admin! - activities = User. - where(User.arel_table[:last_activity_on].gteq(params[:from])). - reorder(last_activity_on: :asc) + activities = User + .where(User.arel_table[:last_activity_on].gteq(params[:from])) + .reorder(last_activity_on: :asc) present paginate(activities), with: Entities::UserActivity end -- cgit v1.2.1 From ef6a4240e534f2a12dbfb45c2decd31abf9a3c26 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Thu, 15 Jun 2017 16:42:14 +0200 Subject: update notification settings, fix api specs --- lib/api/users.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index c10e3364382..733b65b1c8e 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
@@ -156,7 +156,9 @@ module API user_params[:password_expires_at] = Time.now if user_params[:password].present? - if user.update_attributes(user_params.except(:extern_uid, :provider)) + result = ::Users::UpdateService.new(current_user, user, user_params.except(:extern_uid, :provider)).execute + + if result[:status] == :success present user, with: Entities::UserPublic else render_validation_error!(user) -- cgit v1.2.1 From bf3a3f3652704fb261e6220e2199830ea22ec8d3 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 16 Jun 2017 10:29:43 +0200 Subject: fix api and controller issues --- lib/api/users.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 733b65b1c8e..ba59818ba84 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -277,7 +277,10 @@ module API not_found!('Email') unless email email.destroy - user.update_secondary_emails! + + Users::UpdateService.new(current_user, user).execute do |user| + user.update_secondary_emails! + end end desc 'Delete a user. Available only for admins.' do @@ -508,7 +511,9 @@ module API not_found!('Email') unless email email.destroy - current_user.update_secondary_emails! + Users::UpdateService.new(current_user, user).execute do |user| + user.update_secondary_emails! + end end desc 'Get a list of user activities' -- cgit v1.2.1 From 158550cf37cc2db9590f0212962f10ecc73082de Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 16 Jun 2017 11:12:06 +0200 Subject: added service in the rest of controllers and classes --- lib/api/users.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index ba59818ba84..2c632c85243 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
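Review bot: The failure branch still calls `render_validation_error!(user)` while the new `result` from `::Users::UpdateService` is only inspected for `result[:status] == :success`; if the service reports failures through `result[:message]` without populating `user.errors`, the client receives an empty validation error. Either render `result[:message]` when it is present, or confirm the service always leaves the errors on the record and say so: `# UpdateService leaves validation errors on the user record, which render_validation_error! reads`. The enclosing `put ":id"` block starts before this hunk.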
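Review bot: In the second hunk of this commit (`@@ -508`), `Users::UpdateService.new(current_user, user)` references `user`, which is not assigned anywhere in the visible `/user/emails/:email_id` endpoint (the removed line used `current_user`); the `do |user|` block parameter does not make the name available before the block, so this line raises NameError at runtime. In both hunks the block parameter `|user|` also shadows the surrounding local in the `/users/:id/emails/:email_id` endpoint, and inside `module API; class Users` the unqualified `Users::UpdateService` resolves `Users` to `API::Users` rather than the top-level `Users` namespace unless a `::` prefix is used. For the second hunk the call should read `::Users::UpdateService.new(current_user, current_user).execute do |u|` with `u.update_secondary_emails!` in the block. Both enclosing `delete` blocks start before their hunks.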
@@ -278,7 +278,7 @@ module API email.destroy - Users::UpdateService.new(current_user, user).execute do |user| + ::Users::UpdateService.new(current_user, user).execute do |user| user.update_secondary_emails! end end @@ -511,7 +511,7 @@ module API not_found!('Email') unless email email.destroy - Users::UpdateService.new(current_user, user).execute do |user| + ::Users::UpdateService.new(current_user, user).execute do |user| user.update_secondary_emails! end end -- cgit v1.2.1 From ad44af2faaaa872ee30922699f66ac78fa402336 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 16 Jun 2017 15:14:46 +0200 Subject: fixed specs --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 2c632c85243..f79b61ad85e 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -511,7 +511,7 @@ module API not_found!('Email') unless email email.destroy - ::Users::UpdateService.new(current_user, user).execute do |user| + ::Users::UpdateService.new(current_user, current_user).execute do |user| user.update_secondary_emails! end end -- cgit v1.2.1 From 3bab585bec5529c06ba4b0c4ae7e953b99edf6d3 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Mon, 19 Jun 2017 10:04:14 +0200 Subject: update to use emails destroy service --- lib/api/users.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index f79b61ad85e..236bae4a299 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -276,7 +276,7 @@ module API email = user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - email.destroy + Emails::DestroyService.new(current_user, self, email: email.email).execute ::Users::UpdateService.new(current_user, user).execute do |user| user.update_secondary_emails! 
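Review bot: `Emails::DestroyService.new(current_user, self, email: email.email)` passes `self`, which inside a Grape endpoint is the endpoint instance, as the second argument; the `@@ -510` hunk of this commit does the same. If that argument is the user whose email is being removed, as the surrounding `user.emails.find_by` and `current_user.emails.find_by` lookups suggest, it should be `user` here and `current_user` in the other hunk. Since the service is given the address string rather than the record that was just looked up, confirm it scopes its own lookup to that user so an identical address on another account cannot be affected. Both enclosing `delete` blocks start before their hunks.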
@@ -510,7 +510,8 @@ module API email = current_user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - email.destroy + Emails::DestroyService.new(current_user, self, email: email.email).execute + ::Users::UpdateService.new(current_user, current_user).execute do |user| user.update_secondary_emails! end -- cgit v1.2.1 From 87bf08c96cf9f3c451d0746d11ceac149adf22db Mon Sep 17 00:00:00 2001 From: James Lopez Date: Mon, 19 Jun 2017 14:51:46 +0200 Subject: fix specs --- lib/api/users.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 236bae4a299..940f8b64026 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -276,7 +276,7 @@ module API email = user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, self, email: email.email).execute + Emails::DestroyService.new(current_user, user, email: email.email).execute ::Users::UpdateService.new(current_user, user).execute do |user| user.update_secondary_emails! @@ -510,7 +510,7 @@ module API email = current_user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, self, email: email.email).execute + Emails::DestroyService.new(current_user, current_user, email: email.email).execute ::Users::UpdateService.new(current_user, current_user).execute do |user| user.update_secondary_emails! -- cgit v1.2.1 From 831b2fccf9a2efc772d62c05f52c612f23a63ea9 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Mon, 19 Jun 2017 15:35:44 +0200 Subject: update missing email actions --- lib/api/users.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 940f8b64026..190e2e71884 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
@@ -98,7 +98,7 @@ module API authenticated_as_admin! params = declared_params(include_missing: false) - user = ::Users::CreateService.new(current_user, params).execute + user = ::Users::CreateService.new(current_user, params).execute(skip_authorization: true) if user.persisted? present user, with: Entities::UserPublic @@ -236,9 +236,7 @@ module API user = User.find_by(id: params.delete(:id)) not_found!('User') unless user - email = user.emails.new(declared_params(include_missing: false)) - - if email.save + if Emails::CreateService.new(current_user, user, declared_params(include_missing: false)).execute(skip_authorization: true) NotificationService.new.new_email(email) present email, with: Entities::Email else @@ -276,7 +274,7 @@ module API email = user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, user, email: email.email).execute + Emails::DestroyService.new(current_user, user, email: email.email).execute(skip_authorization: true) ::Users::UpdateService.new(current_user, user).execute do |user| user.update_secondary_emails! @@ -494,7 +492,7 @@ module API post "emails" do email = current_user.emails.new(declared_params) - if email.save + if Emails::CreateService.new(current_user, current_user, declared_params).execute NotificationService.new.new_email(email) present email, with: Entities::Email else -- cgit v1.2.1 From 785cbb79e255c8369ca5eb916207304f39d188ad Mon Sep 17 00:00:00 2001 From: James Lopez Date: Thu, 22 Jun 2017 08:55:07 +0200 Subject: refactor emails service --- lib/api/users.rb | 8 -------- 1 file changed, 8 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 190e2e71884..07e7c774f2b 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
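Review bot: `.execute(skip_authorization: true)` on `::Users::CreateService` bypasses the service's own permission check, so the `authenticated_as_admin!` call above becomes the only authorization for user creation; the `@@ -236` and `@@ -276` hunks of this commit add the same bypass to `Emails::CreateService` and `Emails::DestroyService`, where the admin checks are presumably at the top of those endpoints, outside the hunks. Each bypass deserves a one-line justification next to it so a later edit to the surrounding checks does not silently leave the service unguarded, e.g. `# skip_authorization: admin access is already enforced by authenticated_as_admin! above`. The enclosing `post` block starts before this hunk.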
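Review bot: In the `@@ -236` hunk the line assigning `email = user.emails.new(...)` is removed, but `NotificationService.new.new_email(email)` and `present email` still reference `email`, so the success branch raises NameError. In the `@@ -494` hunk the opposite happens: `email = current_user.emails.new(declared_params)` is kept as an unsaved record while `Emails::CreateService` creates a separate one, so the notification and the response are built from an object that was never persisted. In both places the service result should be captured, `email = Emails::CreateService.new(...).execute`, and the success test derived from that object. Both enclosing `post` blocks start before their hunks.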
@@ -275,10 +275,6 @@ module API not_found!('Email') unless email Emails::DestroyService.new(current_user, user, email: email.email).execute(skip_authorization: true) - - ::Users::UpdateService.new(current_user, user).execute do |user| - user.update_secondary_emails! - end end desc 'Delete a user. Available only for admins.' do @@ -509,10 +505,6 @@ module API not_found!('Email') unless email Emails::DestroyService.new(current_user, current_user, email: email.email).execute - - ::Users::UpdateService.new(current_user, current_user).execute do |user| - user.update_secondary_emails! - end end desc 'Get a list of user activities' -- cgit v1.2.1 From 12dc3992ea189452532587a2b30b8765c0f09381 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Thu, 22 Jun 2017 15:55:05 +0200 Subject: fix spec failures --- lib/api/users.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 07e7c774f2b..6d7f2e7e250 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -236,7 +236,9 @@ module API user = User.find_by(id: params.delete(:id)) not_found!('User') unless user - if Emails::CreateService.new(current_user, user, declared_params(include_missing: false)).execute(skip_authorization: true) + email = Emails::CreateService.new(current_user, user, declared_params(include_missing: false)).execute + + if email.errors.blank? NotificationService.new.new_email(email) present email, with: Entities::Email else @@ -274,7 +276,7 @@ module API email = user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, user, email: email.email).execute(skip_authorization: true) + Emails::DestroyService.new(current_user, user, email: email.email).execute end desc 'Delete a user. Available only for admins.' do 
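Review bot: `if email.errors.blank?` assumes `Emails::CreateService#execute` always returns an Email record; if the service returns `nil` or `false` for a failed or unauthorized call, `.errors` raises NoMethodError and the client gets a 500 instead of a validation error. The same pattern is in the `@@ -486` hunk for `POST /user/emails`. Either confirm the contract and note it, `# CreateService always returns the (possibly invalid) Email record`, or test the record itself, `if email&.persisted?`, which is the check this file already uses for `user.persisted?`. The enclosing `post` block starts before this hunk.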
@@ -486,9 +488,9 @@ module API requires :email, type: String, desc: 'The new email' end post "emails" do - email = current_user.emails.new(declared_params) + email = Emails::CreateService.new(current_user, current_user, declared_params).execute - if Emails::CreateService.new(current_user, current_user, declared_params).execute + if email.errors.blank? NotificationService.new.new_email(email) present email, with: Entities::Email else -- cgit v1.2.1 From b804db26485ea09dc93269898dc969ed692130a2 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 23 Jun 2017 11:34:07 +0200 Subject: refactor update user service not to do auth checks --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 6d7f2e7e250..175db3a4a18 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -156,7 +156,7 @@ module API user_params[:password_expires_at] = Time.now if user_params[:password].present? - result = ::Users::UpdateService.new(current_user, user, user_params.except(:extern_uid, :provider)).execute + result = ::Users::UpdateService.new(user, user_params.except(:extern_uid, :provider)).execute if result[:status] == :success present user, with: Entities::UserPublic -- cgit v1.2.1 From 859858c7e69a2ac3536e4e417fa6fff81d4b84ea Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 23 Jun 2017 21:13:46 +0200 Subject: fix spec failures --- lib/api/users.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 175db3a4a18..2eb776a539f 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
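Review bot: `::Users::UpdateService.new(user, ...)` no longer receives `current_user`, so the service can neither authorize nor attribute the change; the endpoint's `authenticated_as_admin!`, outside this hunk, is now the sole access control for `PUT /users/:id`. Commit 859858c on this page makes the same move for `Emails::CreateService` and `Emails::DestroyService` in both the admin `/users/:id/emails` routes and the self-service `/user/emails` routes. If any audit trail or notification relied on the acting user being passed to these services, it is lost here; confirm, and record the decision at the call site: `# Authorization is enforced by this endpoint (authenticated_as_admin!), not by UpdateService`. The enclosing `put ":id"` block starts before this hunk.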
@@ -236,7 +236,7 @@ module API user = User.find_by(id: params.delete(:id)) not_found!('User') unless user - email = Emails::CreateService.new(current_user, user, declared_params(include_missing: false)).execute + email = Emails::CreateService.new(user,declared_params(include_missing: false)).execute if email.errors.blank? NotificationService.new.new_email(email) @@ -276,7 +276,7 @@ module API email = user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, user, email: email.email).execute + Emails::DestroyService.new(user, email: email.email).execute end desc 'Delete a user. Available only for admins.' do @@ -488,7 +488,7 @@ module API requires :email, type: String, desc: 'The new email' end post "emails" do - email = Emails::CreateService.new(current_user, current_user, declared_params).execute + email = Emails::CreateService.new(current_user, declared_params).execute if email.errors.blank? NotificationService.new.new_email(email) @@ -506,7 +506,7 @@ module API email = current_user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email - Emails::DestroyService.new(current_user, current_user, email: email.email).execute + Emails::DestroyService.new(current_user, email: email.email).execute end desc 'Get a list of user activities' -- cgit v1.2.1 From ae9531052392c3f66ddaf82094f88adc456af8e9 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Sat, 24 Jun 2017 10:00:23 +0200 Subject: fix spec failures --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 2eb776a539f..f9555842daf 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
@@ -236,7 +236,7 @@ module API user = User.find_by(id: params.delete(:id)) not_found!('User') unless user - email = Emails::CreateService.new(user,declared_params(include_missing: false)).execute + email = Emails::CreateService.new(user, declared_params(include_missing: false)).execute if email.errors.blank? NotificationService.new.new_email(email) -- cgit v1.2.1 From 20f679d620380b5b5e662b790c76caf256867b01 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 26 Jun 2017 07:20:30 +0000 Subject: Allow unauthenticated access to the `/api/v4/users` API. - The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username. - We don't authenticate this API anymore, but instead - if the `current_user` is not present: - Verify that the `username` parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The `UsersFinder` class performs an exact match on the `username`, so we are guaranteed to get 0 or 1 users. - Verify that the resulting user (if any) is accessible to be viewed publicly by calling `can?(current_user, :read_user, user)` --- lib/api/users.rb | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index c10e3364382..34619c90d8b 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,7 +4,7 @@ module API before do allow_access_with_scope :read_user if request.get? - authenticate! + authenticate! unless route_matches_description?("Get the list of users") end resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do 
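Review bot: `authenticate! unless route_matches_description?("Get the list of users")` keys an authentication exemption to a human-readable `desc` string; editing that description elsewhere in the file silently re-enables authentication for this route, and giving any other route the same description would exempt it as well, with no compiler or test signal at this line. Matching on the method and path is more robust, and whichever form is kept should remain fail-closed as this one is: when the matcher does not fire, `authenticate!` still runs. The `before` block is complete within the hunk.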
@@ -51,15 +51,26 @@ module API use :pagination end get do - unless can?(current_user, :read_users_list) - render_api_error!("Not authorized.", 403) - end - authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) users = UsersFinder.new(current_user, params).execute - entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic + authorized = + if current_user + can?(current_user, :read_users_list) + else + # When `current_user` is not present, require that the `username` + # parameter is passed, to prevent an unauthenticated user from accessing + # a list of all the users on the GitLab instance. `UsersFinder` performs + # an exact match on the `username` parameter, so we are guaranteed to + # get either 0 or 1 `users` here. + params[:username].present? && + users.all? { |user| can?(current_user, :read_user, user) } + end + + render_api_error!("Not authorized.", 403) unless authorized + + entity = current_user.try(:admin?) ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end -- cgit v1.2.1 From 6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Tue, 20 Jun 2017 07:40:24 +0000 Subject: Initial attempt at refactoring API scope declarations. - Declaring an endpoint's scopes in a `before` block has proved to be unreliable. For example, if we're accessing the `API::Users` endpoint - code in a `before` block in `API::API` wouldn't be able to see the scopes set in `API::Users` since the `API::API` `before` block runs first. - This commit moves these declarations to the class level, since they don't need to change once set. --- lib/api/users.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index f9555842daf..2cac8c089f2 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
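Review bot: `authenticated_as_admin!` at the top of the hunk now runs for anonymous callers as well, before the new `if current_user` branch; if it dereferences `current_user.admin?` without a nil check, an anonymous request with `external=true` fails with NoMethodError instead of a 401/403 — confirm it tolerates a missing user. In the anonymous branch `users.all? { ... }` loads the finder result to run the per-user policy and `paginate(users)` then queries again, which is acceptable only because the comment's "0 or 1 users" invariant holds; that invariant lives in `UsersFinder`, not here, so a partial-match change to the finder would turn this into an enumerable listing. Consider asserting it locally, e.g. `authorized = false unless users.size <= 1`, inside the anonymous branch. The enclosing `get` block starts before this hunk.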
@@ -1,9 +1,11 @@ module API class Users < Grape::API include PaginationParams + include APIGuard + + allow_access_with_scope :read_user, if: -> (request) { request.get? } before do - allow_access_with_scope :read_user if request.get? authenticate! end -- cgit v1.2.1 From 3c88a7869b87693ba8c3fb9814d39437dd569a31 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Thu, 29 Jun 2017 07:43:41 +0000 Subject: Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. --- lib/api/users.rb | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 34619c90d8b..18ce58299e7 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,7 +4,7 @@ module API before do allow_access_with_scope :read_user if request.get? - authenticate! unless route_matches_description?("Get the list of users") + authenticate! unless request_matches_route?('GET', '/api/v4/users') end resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do 
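Review bot: `allow_access_with_scope :read_user, if: -> (request) { request.get? }` puts a space between `->` and the parameter list; the stabby-lambda form is conventionally written without it, `->(request) { request.get? }`, and RuboCop's default layout cops flag the spaced form. Since this is now a class-level declaration rather than a per-request `before` filter, a one-line comment stating that the `read_user` scope grants access only to GET routes in this class would spare the reader from having to know the `if:` semantics. The class header is within the hunk; its body continues beyond it.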
@@ -55,22 +55,18 @@ module API users = UsersFinder.new(current_user, params).execute - authorized = - if current_user - can?(current_user, :read_users_list) - else - # When `current_user` is not present, require that the `username` - # parameter is passed, to prevent an unauthenticated user from accessing - # a list of all the users on the GitLab instance. `UsersFinder` performs - # an exact match on the `username` parameter, so we are guaranteed to - # get either 0 or 1 `users` here. - params[:username].present? && - users.all? { |user| can?(current_user, :read_user, user) } - end + authorized = can?(current_user, :read_users_list) + + # When `current_user` is not present, require that the `username` + # parameter is passed, to prevent an unauthenticated user from accessing + # a list of all the users on the GitLab instance. `UsersFinder` performs + # an exact match on the `username` parameter, so we are guaranteed to + # get either 0 or 1 `users` here. + authorized &&= params[:username].present? if current_user.blank? - render_api_error!("Not authorized.", 403) unless authorized + forbidden!("Not authorized to access /api/v4/users") unless authorized - entity = current_user.try(:admin?) ? Entities::UserWithAdmin : Entities::UserBasic + entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end -- cgit v1.2.1 From d1488268b2e31b8f3549c6e1e46955619535cd98 Mon Sep 17 00:00:00 2001 
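Review bot: The per-user `can?(current_user, :read_user, user)` check that the previous version ran for anonymous callers is gone; anonymous access is now decided only by `can?(current_user, :read_users_list)` plus the presence of `username`. Any visibility restriction the `read_user` policy applies to individual accounts therefore no longer applies to this listing, while `GET /users/:id` presumably still enforces it, so the two routes can disagree on whether an anonymous caller may see a given user. If that is intended, the comment block above `authorized &&=` should say so, since it still explains the exact-match rationale but not why the per-user check was dropped; otherwise keep `users.all? { |user| can?(current_user, :read_user, user) }` in the anonymous path. The enclosing `get` block starts before this hunk.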
From: Timothy Andrew Date: Tue, 4 Jul 2017 12:19:48 +0000 Subject: Simplify authentication logic in the v4 users API for !12445. - Rather than using an explicit check to turn off authentication for the `/users` endpoint, simply call `authenticate_non_get!`. - All `GET` endpoints we wish to restrict already call `authenticated_as_admin!`, and so remain inacessible to anonymous users. - This _does_ open up the `/users/:id` endpoint to anonymous access. It contains the same access check that `/users` users, and so is safe for use here. - More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323 --- lib/api/users.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index bad4d76b428..5b9d9a71be4 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,10 +4,13 @@ module API before do allow_access_with_scope :read_user if request.get? - authenticate! unless request_matches_route?('GET', '/api/v4/users') end resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do + before do + authenticate_non_get! + end + helpers do def find_user(params) id = params[:user_id] || params[:id] @@ -405,6 +408,10 @@ module API end resource :user do + before do + authenticate! + end + desc 'Get the currently authenticated user' do success Entities::UserPublic end -- cgit v1.2.1 From 1a7d2aba3b06a1e4fcc3861eeb70af30fc3330f6 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 7 Jul 2017 09:29:00 +0200 Subject: add created at filter logic to users finder and API --- lib/api/users.rb | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 88bca235692..47a44ba9598 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb 
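Review bot: `authenticate_non_get!` in the `resource :users` before block makes every GET route under `/users` anonymous by default, so the safety of this change rests on each GET endpoint individually calling `authenticated_as_admin!` or a `can?` check, and any GET route added later inherits anonymous access unless its author remembers to do the same. That is a fail-open default worth stating where it is set: `# GET routes under /users are reachable without authentication; each one must enforce its own authorization`. The `resource :user` block in the second hunk correctly restores `authenticate!` for the self-service routes. Both `before` blocks are complete within their hunks; the enclosing resources start outside them.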
@@ -48,6 +48,8 @@ module API optional :active, type: Boolean, default: false, desc: 'Filters only active users' optional :external, type: Boolean, default: false, desc: 'Filters only external users' optional :blocked, type: Boolean, default: false, desc: 'Filters only blocked users' + optional :created_after, type: DateTime, desc: 'Return users created after the specified time' + optional :created_before, type: DateTime, desc: 'Return users created before the specified time' all_or_none_of :extern_uid, :provider use :pagination @@ -55,6 +57,10 @@ module API get do authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) + unless current_user.admin? + params.except!(:created_after, :created_before) + end + users = UsersFinder.new(current_user, params).execute authorized = can?(current_user, :read_users_list) -- cgit v1.2.1 From 5e66c6568ba2a528e037eaf9d466cfb489b52891 Mon Sep 17 00:00:00 2001 From: James Lopez Date: Fri, 7 Jul 2017 16:09:30 +0200 Subject: fix specs --- lib/api/users.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 47a44ba9598..c469751c31c 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -57,7 +57,7 @@ module API get do authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?) - unless current_user.admin? + unless current_user&.admin? params.except!(:created_after, :created_before) end -- cgit v1.2.1 From 91f63820a540e7f3e7206dc8044e257cf28527dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Coutable?= Date: Wed, 12 Jul 2017 12:18:14 +0200 Subject: Return `is_admin` attribute in the GET /user endpoint for admins MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
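Review bot: `unless current_user.admin?` in the `@@ -55` hunk raises NoMethodError for anonymous callers, which an earlier commit on this page opened `GET /users` to; `current_user&.admin?` is needed, and the `authenticated_as_admin!` guard on the line above does not cover requests that pass neither `external` nor `extern_uid`. Separately, `params.except!(:created_after, :created_before)` silently discards the filters for non-admins, so a non-admin sending `created_after` receives an unfiltered result with no indication; either reject with `forbidden!` or state the restriction in both param descriptions, e.g. `desc: 'Return users created after the specified time. Available only for admins'`. The enclosing `get` block starts before the hunk.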
Signed-off-by: Rémy Coutable --- lib/api/users.rb | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index c469751c31c..81c68ea2658 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -421,7 +421,16 @@ module API success Entities::UserPublic end get do - present current_user, with: sudo? ? Entities::UserWithPrivateDetails : Entities::UserPublic + entity = + if sudo? + Entities::UserWithPrivateDetails + elsif current_user.admin? + Entities::UserWithAdmin + else + Entities::UserPublic + end + + present current_user, with: entity end desc "Get the currently authenticated user's SSH keys" do -- cgit v1.2.1 From 6b8ad689da393125bb2d1e548211c9a50039b0a7 Mon Sep 17 00:00:00 2001 From: Dmitriy Zaporozhets Date: Thu, 20 Jul 2017 16:33:18 +0300 Subject: Update grape gem New version of the gem returns 200 status code on delete with content instead of 204 so we explicitly set status code to keep existing behavior Signed-off-by: Dmitriy Zaporozhets --- lib/api/users.rb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index 81c68ea2658..a590f2692a2 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -235,6 +235,7 @@ module API key = user.keys.find_by(id: params[:key_id]) not_found!('Key') unless key + status 204 key.destroy end @@ -306,6 +307,7 @@ module API user = User.find_by(id: params[:id]) not_found!('User') unless user + status 204 user.delete_async(deleted_by: current_user, params: params) end @@ -406,6 +408,7 @@ module API requires :impersonation_token_id, type: Integer, desc: 'The ID of the impersonation token' end delete ':impersonation_token_id' do + status 204 find_impersonation_token.revoke! end end @@ -483,6 +486,7 @@ module API key = current_user.keys.find_by(id: params[:key_id]) not_found!('Key') unless key + status 204 key.destroy end 
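Review bot: `status 204` is set before `key.destroy` runs, and `destroy` returns `false` rather than raising when a `before_destroy` callback halts the deletion, so the client would receive 204 No Content for a key that still exists; the same ordering is used in this commit's later hunks for `user.delete_async`, `find_impersonation_token.revoke!`, the second `key.destroy` and `Emails::DestroyService`. Where the operation can fail without raising, make the failure visible — `key.destroy!` surfaces a halted deletion as an error instead of a silent success — or set the status only after the call has returned truthy. The enclosing `delete` blocks start before their hunks.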
@@ -534,6 +538,7 @@ module API email = current_user.emails.find_by(id: params[:email_id]) not_found!('Email') unless email + status 204 Emails::DestroyService.new(current_user, email: email.email).execute end -- cgit v1.2.1 From 09a348eb139178be534d181273a360a3125df9f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9my=20Coutable?= Date: Fri, 11 Aug 2017 14:08:20 +0200 Subject: Include the `is_admin` field in the `GET /users/:id` API when current user is an admin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Rémy Coutable --- lib/api/users.rb | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) (limited to 'lib/api/users.rb') diff --git a/lib/api/users.rb b/lib/api/users.rb index a590f2692a2..e2019d6d512 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -79,22 +79,17 @@ module API end desc 'Get a single user' do - success Entities::UserBasic + success Entities::User end params do requires :id, type: Integer, desc: 'The ID of the user' end get ":id" do user = User.find_by(id: params[:id]) - not_found!('User') unless user + not_found!('User') unless user && can?(current_user, :read_user, user) - if current_user && current_user.admin? - present user, with: Entities::UserPublic - elsif can?(current_user, :read_user, user) - present user, with: Entities::User - else - render_api_error!("User not found.", 404) - end + opts = current_user&.admin? ? { with: Entities::UserWithAdmin } : {} + present user, opts end desc 'Create a user. Available only for admins.' do -- cgit v1.2.1
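Review bot: `opts = current_user&.admin? ? { with: Entities::UserWithAdmin } : {}` leaves the non-admin serializer implicit, relying on Grape to fall back to the `success Entities::User` declared in the `desc` block; elsewhere in this file the entity is chosen explicitly (`entity = ...` then `present ..., with: entity`), and an explicit choice here keeps the response shape from changing if the `desc` is edited. Suggest `entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::User` followed by `present user, with: entity`. Folding `can?(current_user, :read_user, user)` into `not_found!` is a good choice, since returning 404 for both missing and unviewable users does not let an anonymous caller distinguish the two. The `get ":id"` block is complete within the hunk.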