Commit 6dc424c9 authored by Sean McGivern's avatar Sean McGivern

Merge branch '29903-remove-user-is-admin-flag-from-api' into 'master'

Don't display the `is_admin?` flag for user API responses

Closes #29903

See merge request !10846
parents 9a905e1b 0befa887
---
title: Don't display the is_admin flag in most API responses
merge_request: 10846
author:
...@@ -48,7 +48,6 @@ Example of response ...@@ -48,7 +48,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2016-08-11T07:09:20.351Z", "created_at": "2016-08-11T07:09:20.351Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"location": null, "location": null,
"name": "Administrator", "name": "Administrator",
...@@ -106,7 +105,6 @@ Example of response ...@@ -106,7 +105,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2016-08-11T07:09:20.351Z", "created_at": "2016-08-11T07:09:20.351Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"location": null, "location": null,
"name": "Administrator", "name": "Administrator",
...@@ -195,7 +193,6 @@ Example of response ...@@ -195,7 +193,6 @@ Example of response
"avatar_url": "http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon", "avatar_url": "http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon",
"web_url": "http://localhost:3000/root", "web_url": "http://localhost:3000/root",
"created_at": "2016-08-11T07:09:20.351Z", "created_at": "2016-08-11T07:09:20.351Z",
"is_admin": true,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
......
...@@ -57,7 +57,6 @@ Example of response ...@@ -57,7 +57,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2015-12-21T13:14:24.077Z", "created_at": "2015-12-21T13:14:24.077Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"name": "Administrator", "name": "Administrator",
"skype": "", "skype": "",
...@@ -101,7 +100,6 @@ Example of response ...@@ -101,7 +100,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2015-12-21T13:14:24.077Z", "created_at": "2015-12-21T13:14:24.077Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"name": "Administrator", "name": "Administrator",
"skype": "", "skype": "",
...@@ -173,7 +171,6 @@ Example of response ...@@ -173,7 +171,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2015-12-21T13:14:24.077Z", "created_at": "2015-12-21T13:14:24.077Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"name": "Administrator", "name": "Administrator",
"skype": "", "skype": "",
...@@ -217,7 +214,6 @@ Example of response ...@@ -217,7 +214,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2015-12-21T13:14:24.077Z", "created_at": "2015-12-21T13:14:24.077Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"name": "Administrator", "name": "Administrator",
"skype": "", "skype": "",
...@@ -284,7 +280,6 @@ Example of response ...@@ -284,7 +280,6 @@ Example of response
"bio": null, "bio": null,
"created_at": "2015-12-21T13:14:24.077Z", "created_at": "2015-12-21T13:14:24.077Z",
"id": 1, "id": 1,
"is_admin": true,
"linkedin": "", "linkedin": "",
"name": "Administrator", "name": "Administrator",
"skype": "", "skype": "",
......
...@@ -26,7 +26,6 @@ Parameters: ...@@ -26,7 +26,6 @@ Parameters:
"avatar_url": "http://www.gravatar.com/avatar/cfa35b8cd2ec278026357769582fa563?s=40\u0026d=identicon", "avatar_url": "http://www.gravatar.com/avatar/cfa35b8cd2ec278026357769582fa563?s=40\u0026d=identicon",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2015-09-03T07:24:01.670Z", "created_at": "2015-09-03T07:24:01.670Z",
"is_admin": false,
"bio": null, "bio": null,
"skype": "", "skype": "",
"linkedin": "", "linkedin": "",
......
...@@ -62,7 +62,6 @@ GET /users ...@@ -62,7 +62,6 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -95,7 +94,6 @@ GET /users ...@@ -95,7 +94,6 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg",
"web_url": "http://localhost:3000/jack_smith", "web_url": "http://localhost:3000/jack_smith",
"created_at": "2012-05-23T08:01:01Z", "created_at": "2012-05-23T08:01:01Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -169,7 +167,6 @@ Parameters: ...@@ -169,7 +167,6 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -200,7 +197,6 @@ Parameters: ...@@ -200,7 +197,6 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -325,7 +321,6 @@ GET /user ...@@ -325,7 +321,6 @@ GET /user
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
......
...@@ -14,7 +14,6 @@ module API ...@@ -14,7 +14,6 @@ module API
class User < UserBasic class User < UserBasic
expose :created_at expose :created_at
expose :admin?, as: :is_admin
expose :bio, :location, :skype, :linkedin, :twitter, :website_url, :organization expose :bio, :location, :skype, :linkedin, :twitter, :website_url, :organization
end end
...@@ -41,8 +40,9 @@ module API ...@@ -41,8 +40,9 @@ module API
expose :external expose :external
end end
class UserWithPrivateToken < UserPublic class UserWithPrivateDetails < UserPublic
expose :private_token expose :private_token
expose :admin?, as: :is_admin
end end
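Review bot: `UserWithPrivateDetails` now bundles the admin flag with `private_token`, but nothing on the class says which callers may present it; the only presenters visible in this commit are the password-authenticated login response and `GET /user` under sudo. A one-line comment above the class would stop a future endpoint from reusing it for other users' records, e.g. `# Only present for the authenticated user themselves (session login) or to an admin acting under sudo: carries the private token and the admin flag.` The enclosing `module API` / entities module opens and closes outside the hunk.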
class Email < Grape::Entity class Email < Grape::Entity
......
module API module API
class Session < Grape::API class Session < Grape::API
desc 'Login to get token' do desc 'Login to get token' do
success Entities::UserWithPrivateToken success Entities::UserWithPrivateDetails
end end
params do params do
optional :login, type: String, desc: 'The username' optional :login, type: String, desc: 'The username'
...@@ -14,7 +14,7 @@ module API ...@@ -14,7 +14,7 @@ module API
return unauthorized! unless user return unauthorized! unless user
return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled? return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
present user, with: Entities::UserWithPrivateToken present user, with: Entities::UserWithPrivateDetails
end end
end end
end end
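Review bot: No assertion in this commit covers the positive case, that the login response still carries `is_admin` together with `private_token` after the switch to `UserWithPrivateDetails`; the session spec is not in view, so such a test may exist elsewhere, but every new test here only checks that the flag is absent. A test such as `expect(json_response['is_admin']).to eq(user.admin?)` against the login endpoint would pin the behaviour the rename is meant to preserve. The `post` block that contains these lines opens outside the hunk.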
...@@ -433,7 +433,7 @@ module API ...@@ -433,7 +433,7 @@ module API
success Entities::UserPublic success Entities::UserPublic
end end
get do get do
present current_user, with: sudo? ? Entities::UserWithPrivateToken : Entities::UserPublic present current_user, with: sudo? ? Entities::UserWithPrivateDetails : Entities::UserPublic
end end
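Review bot: The `desc` block still declares `success Entities::UserPublic`, while the handler returns `Entities::UserWithPrivateDetails` when `sudo?` is true, so generated API docs will not show that the sudo response also carries `private_token` and, after this change, `is_admin`. Either document the sudo case in the description, e.g. `detail 'Under sudo the response also includes private_token and is_admin'`, or add a comment above the `present` line saying the same. The `desc` block opens outside the hunk.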
desc "Get the currently authenticated user's SSH keys" do desc "Get the currently authenticated user's SSH keys" do
......
...@@ -9,7 +9,6 @@ ...@@ -9,7 +9,6 @@
"avatar_url", "avatar_url",
"web_url", "web_url",
"created_at", "created_at",
"is_admin",
"bio", "bio",
"location", "location",
"skype", "skype",
...@@ -43,7 +42,6 @@ ...@@ -43,7 +42,6 @@
"avatar_url": { "type": "string" }, "avatar_url": { "type": "string" },
"web_url": { "type": "string" }, "web_url": { "type": "string" },
"created_at": { "type": "date" }, "created_at": { "type": "date" },
"is_admin": { "type": "boolean" },
"bio": { "type": ["string", "null"] }, "bio": { "type": ["string", "null"] },
"location": { "type": ["string", "null"] }, "location": { "type": ["string", "null"] },
"skype": { "type": "string" }, "skype": { "type": "string" },
......
...@@ -32,6 +32,12 @@ describe API::Keys do ...@@ -32,6 +32,12 @@ describe API::Keys do
expect(json_response['user']['id']).to eq(user.id) expect(json_response['user']['id']).to eq(user.id)
expect(json_response['user']['username']).to eq(user.username) expect(json_response['user']['username']).to eq(user.username)
end end
it "does not include the user's `is_admin` flag" do
get api("/keys/#{key.id}", admin)
expect(json_response['user']['is_admin']).to be_nil
end
end end
end end
end end
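Review bot: `expect(json_response['user']['is_admin']).to be_nil` also passes if the entity serialises the key with a `null` value, which is not the same as the flag being withheld from the response; `expect(json_response['user']).not_to have_key('is_admin')` pins the intended contract. The surrounding `describe`/`context` blocks open outside the hunk.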
...@@ -135,6 +135,12 @@ describe API::Users do ...@@ -135,6 +135,12 @@ describe API::Users do
expect(json_response['username']).to eq(user.username) expect(json_response['username']).to eq(user.username)
end end
it "does not return the user's `is_admin` flag" do
get api("/users/#{user.id}", user)
expect(json_response['is_admin']).to be_nil
end
it "returns a 401 if unauthenticated" do it "returns a 401 if unauthenticated" do
get api("/users/9998") get api("/users/9998")
expect(response).to have_http_status(401) expect(response).to have_http_status(401)
...@@ -397,7 +403,6 @@ describe API::Users do ...@@ -397,7 +403,6 @@ describe API::Users do
it "updates admin status" do it "updates admin status" do
put api("/users/#{user.id}", admin), { admin: true } put api("/users/#{user.id}", admin), { admin: true }
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['is_admin']).to eq(true)
expect(user.reload.admin).to eq(true) expect(user.reload.admin).to eq(true)
end end
...@@ -411,7 +416,6 @@ describe API::Users do ...@@ -411,7 +416,6 @@ describe API::Users do
it "does not update admin status" do it "does not update admin status" do
put api("/users/#{admin_user.id}", admin), { can_create_group: false } put api("/users/#{admin_user.id}", admin), { can_create_group: false }
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
expect(json_response['is_admin']).to eq(true)
expect(admin_user.reload.admin).to eq(true) expect(admin_user.reload.admin).to eq(true)
expect(admin_user.can_create_group).to eq(false) expect(admin_user.can_create_group).to eq(false)
end end
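Review bot: The new `GET /users/:id` test asserts `to be_nil`, which would still pass if `is_admin` were emitted with a `null` value; `expect(json_response).not_to have_key('is_admin')` is the stricter check. That test also only calls the endpoint as a regular `user`, whereas the keys test calls as `admin`; since the changelog says the flag is withheld in most responses regardless of caller, a second example with `api("/users/#{user.id}", admin)` would cover the admin-caller path on this endpoint as well. The `describe` blocks containing these examples open outside the hunk.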
......
...@@ -274,5 +274,11 @@ describe API::V3::Users do ...@@ -274,5 +274,11 @@ describe API::V3::Users do
expect(new_user).to be_confirmed expect(new_user).to be_confirmed
end end
it 'does not reveal the `is_admin` flag of the user' do
post v3_api('/users', admin), attributes_for(:user)
expect(json_response['is_admin']).to be_nil
end
end end
end end
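Review bot: `expect(json_response['is_admin']).to be_nil` does not distinguish a withheld key from one serialised as `null`; `expect(json_response).not_to have_key('is_admin')` asserts what the commit title promises. The enclosing `describe` block opens outside the hunk.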