Commit ce96d482 authored by Felipe Artur's avatar Felipe Artur

Insert users check into api

parent 07b38c3b
...@@ -91,8 +91,8 @@ class Ability ...@@ -91,8 +91,8 @@ class Ability
subject.group subject.group
end end
if group if group.public?
rules << :read_group if group.public? rules << :read_group
rules << :read_group_members unless restricted_public_level? rules << :read_group_members unless restricted_public_level?
end end
...@@ -483,7 +483,7 @@ class Ability ...@@ -483,7 +483,7 @@ class Ability
private private
def restricted_public_level? def restricted_public_level?
@public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
end end
def named_abilities(name) def named_abilities(name)
......
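Review bot: The `if group` guard in the first hunk becomes `if group.public?`, so a nil `group` now raises NoMethodError instead of granting nothing; the `subject.group` assignment just above suggests the value is derived from the subject and may be absent, which is inferred rather than visible here. The same rewrite also narrows `:read_group_members` to public groups only, where the old code granted it for any group unless the PUBLIC level was restricted; if that narrowing is intended it deserves a comment such as `# members are only exposed on public groups, and not even then when PUBLIC is a restricted level`, otherwise `if group && group.public?` keeps the nil case silent while preserving the new rule. Dropping the `@public_restricted ||=` memo in the second hunk is correct for a predicate (`||=` re-evaluates whenever the cached value is false) at the cost of a settings lookup per call. The enclosing method starts and ends outside both hunks.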
...@@ -79,6 +79,10 @@ module APIGuard ...@@ -79,6 +79,10 @@ module APIGuard
@current_user @current_user
end end
def public_access_restricted?
current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
end
private private
def find_access_token def find_access_token
@access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods) @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
......
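Review bot: `public_access_restricted?` at the top of the hunk re-implements the `current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)` expression that `Ability#restricted_public_level?` computes elsewhere in this same commit, so the two copies of the policy can drift apart. A single helper on the settings object that both the API guard and `Ability` call would keep the check in one place. Being the only public predicate above `private` in this module, it also wants a one-line comment: `# true when the instance forbids the PUBLIC visibility level, i.e. anonymous API access is not allowed`. The enclosing module continues outside the hunk.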
...@@ -11,6 +11,10 @@ module API ...@@ -11,6 +11,10 @@ module API
# GET /users?search=Admin # GET /users?search=Admin
# GET /users?username=root # GET /users?username=root
get do get do
if !current_user && public_access_restricted?
render_api_error!("Not authorized.", 403)
end
if params[:username].present? if params[:username].present?
@users = User.where(username: params[:username]) @users = User.where(username: params[:username])
else else
...@@ -36,10 +40,12 @@ module API ...@@ -36,10 +40,12 @@ module API
get ":id" do get ":id" do
@user = User.find(params[:id]) @user = User.find(params[:id])
if current_user.is_admin? if current_user.present? && current_user.is_admin?
present @user, with: Entities::UserFull present @user, with: Entities::UserFull
else elsif can?(current_user, :read_user, @user)
present @user, with: Entities::User present @user, with: Entities::User
else
render_api_error!("User not found.", 404)
end end
end end
......
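Review bot: The two new guards answer the same condition (no `current_user` while the PUBLIC level is restricted) with different responses: the index hunk renders 403 `Not authorized.` while the `:id` hunk renders 404 `User not found.`, so an anonymous caller learns about the restriction from one endpoint but not the other. Since the condition is a missing login rather than insufficient rights, the index guard would more conventionally answer 401 and match whatever the existing `authenticate!` helper returns (its status is not visible here), or both endpoints should agree on a single response. The checks' purpose also deserves a comment, e.g. `# defence in depth: authenticate! normally runs first, but never list users anonymously when PUBLIC is restricted`. The first `get` block runs past its hunk; the `get ":id"` block is complete within the second.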
...@@ -30,8 +30,6 @@ describe UsersController do ...@@ -30,8 +30,6 @@ describe UsersController do
end end
describe 'when logged out' do describe 'when logged out' do
before { stub_application_setting(restricted_visibility_levels: []) }
it 'renders the show template' do it 'renders the show template' do
get :show, username: user.username get :show, username: user.username
......
...@@ -20,6 +20,24 @@ describe API::API, api: true do ...@@ -20,6 +20,24 @@ describe API::API, api: true do
end end
context "when authenticated" do context "when authenticated" do
#These specs are written just in case API authentication is not required anymore
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
end
it "renders 403" do
get api("/users")
expect(response.status).to eq(403)
end
it "renders 404" do
get api("/users/#{user.id}")
expect(response.status).to eq(404)
end
end
it "should return an array of users" do it "should return an array of users" do
get api("/users", user) get api("/users", user)
expect(response.status).to eq(200) expect(response.status).to eq(200)
......
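Review bot: The new `context "when public level is restricted"` is nested under the existing `context "when authenticated"` yet stubs `authenticate!` precisely so the requests run without a user, so the context name contradicts the scenario it exercises; placing it beside rather than under the authenticated context, or naming it `"when unauthenticated and public level is restricted"`, would make the intent readable. The header comment `#These specs are written just in case API authentication is not required anymore` needs a space after `#` and reads better as `# Defence in depth: these only matter if API authentication is ever made optional`. Neither example covers the complementary case, an anonymous request while PUBLIC is not restricted, so the guards' negative branch stays untested.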