Commit ba820e87 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '35478-allow-admin-to-read-user-list' into 'master'

Allow admin to read_users_list even if it's restricted

Closes #35478

See merge request !13066
parents 4ab6675b 25e44edc
...@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy ...@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in prevent :log_in
end end
rule { ~restricted_public_level }.policy do rule { admin | ~restricted_public_level }.policy do
enable :read_users_list enable :read_users_list
end end
end end
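Review bot: The new condition `rule { admin | ~restricted_public_level }` widens `read_users_list` to admins without a comment saying that this is a deliberate bypass of the restricted-visibility setting, so the next reader has to go to the issue tracker to learn why; a one-liner above the rule would do, e.g. `# Admins may always list users; everyone else only while the public visibility level is not restricted (#35478).`. Because the `admin` condition is defined outside this hunk, it is worth confirming that it evaluates to false for an anonymous (nil) user, otherwise the `|` would enable the ability for unauthenticated callers — presumably it does, but the hunk does not show it. The enclosing `GlobalPolicy` class starts and ends outside the hunk.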
---
title: Allow admin to read_users_list even if it's restricted
merge_request: 13066
author:
...@@ -30,5 +30,25 @@ describe GlobalPolicy, models: true do ...@@ -30,5 +30,25 @@ describe GlobalPolicy, models: true do
it { is_expected.to be_allowed(:read_users_list) } it { is_expected.to be_allowed(:read_users_list) }
end end
end end
context "for an admin" do
let(:current_user) { create(:admin) }
context "when the public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it { is_expected.to be_allowed(:read_users_list) }
end
context "when the public level is not restricted" do
before do
stub_application_setting(restricted_visibility_levels: [])
end
it { is_expected.to be_allowed(:read_users_list) }
end
end
end end
end end
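Review bot: The new `for an admin` contexts only assert the permissive outcome; neither asserts that a non-admin user is still denied `read_users_list` while the public level is restricted, which is the behaviour the admin exception must not weaken. If the context whose tail is visible at the top of the hunk (outside the added lines) already covers a regular user under a restricted level, nothing is needed; otherwise add `it { is_expected.not_to be_allowed(:read_users_list) }` under a restricted-level context for a non-admin `current_user`. The two admin contexts differ only in the stubbed `restricted_visibility_levels`, so the duplicated `it` line could be a shared example, but that is a matter of taste.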
...@@ -55,17 +55,22 @@ describe API::Users do ...@@ -55,17 +55,22 @@ describe API::Users do
context "when public level is restricted" do context "when public level is restricted" do
before do before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC]) stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
end end
context 'when authenticate as a regular user' do
it "renders 403" do it "renders 403" do
get api("/users") get api("/users", user)
expect(response).to have_http_status(403)
expect(response).to have_gitlab_http_status(403)
end
end end
it "renders 404" do context 'when authenticate as an admin' do
get api("/users/#{user.id}") it "renders 200" do
expect(response).to have_http_status(404) get api("/users", admin)
expect(response).to have_gitlab_http_status(200)
end
end end
end end
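Review bot: On the new side the restricted-level case exercises only `GET /users` — as a regular user expecting 403 and as an admin expecting 200 — while the `it "renders 404"` example for `get api("/users/#{user.id}")` appears only once in the hunk and, if that is the removed side, the single-user endpoint's behaviour under a restricted public level is no longer asserted here. Restricting the list but leaving `/users/:id` unchecked is the kind of gap a visibility setting is meant to close, so if 404 is still the intended response it should be kept as `get api("/users/#{user.id}", user)` followed by `expect(response).to have_gitlab_http_status(404)` inside the regular-user context. Replacing the `allow_any_instance_of(API::Helpers).to receive(:authenticate!)` stub with real users is an improvement, but it also means this context no longer issues an unauthenticated request; whether that path is covered elsewhere cannot be seen from the hunk.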