From 34b71e734b0b01dd28e18be4728f93fbd4d1a561 Mon Sep 17 00:00:00 2001
From: Timothy Andrew
Date: Fri, 21 Apr 2017 09:47:58 +0000
Subject: Don't display the `is_admin?` flag for user API responses.

- To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances:
  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
---
 spec/requests/api/v3/users_spec.rb | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'spec/requests/api/v3/users_spec.rb')

diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb
index b38cbe74b85..19465a9a4ea 100644
--- a/spec/requests/api/v3/users_spec.rb
+++ b/spec/requests/api/v3/users_spec.rb
@@ -276,5 +276,11 @@ describe API::V3::Users, api: true do
 
       expect(new_user).to be_confirmed
     end
+
+    it 'does not reveal the `is_admin` flag of the user' do
+      post v3_api('/users', admin), attributes_for(:user)
+
+      expect(json_response['is_admin']).to be_nil
+    end
   end
 end
-- 
cgit v1.2.1
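Review bot: The new example's only assertion, `expect(json_response['is_admin']).to be_nil`, passes vacuously when the POST itself fails, because a 4xx error body carries no `is_admin` key either, so the spec cannot tell "flag hidden" apart from "request rejected". Pin the success path first with `expect(response).to have_http_status(201)`, and make the absence check structural with `expect(json_response).not_to have_key('is_admin')`, which also catches a response that still emits the key with a null value. The enclosing `describe` block starts before this hunk.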