Commit 39eac7b0 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'api_ldap' into 'master'

Check user access during API calls
parents 216704f3 223a8695
...@@ -16,6 +16,7 @@ v 6.9.0 ...@@ -16,6 +16,7 @@ v 6.9.0
- Two Step MR creation process - Two Step MR creation process
- Remove unwanted files from satellite working directory with git clean -fdx - Remove unwanted files from satellite working directory with git clean -fdx
- Accept merge request via API (sponsored by O'Reilly Media) - Accept merge request via API (sponsored by O'Reilly Media)
- Add more access checks during API calls
v 6.8.0 v 6.8.0
- Ability to at mention users that are participating in issue and merge req. discussion - Ability to at mention users that are participating in issue and merge req. discussion
......
...@@ -8,6 +8,11 @@ module API ...@@ -8,6 +8,11 @@ module API
def current_user def current_user
private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
@current_user ||= User.find_by(authentication_token: private_token) @current_user ||= User.find_by(authentication_token: private_token)
unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
return nil
end
identifier = sudo_identifier() identifier = sudo_identifier()
# If the sudo is the current user do nothing # If the sudo is the current user do nothing
......
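Review bot: When the new guard in `current_user` rejects a user it returns nil but leaves `@current_user` pointing at the denied account, so any helper that reads the instance variable directly instead of calling the method would still see a blocked user. Because the ivar stays set, `Gitlab::UserAccess.allowed?` (an LDAP lookup when LDAP is enabled) also re-runs on every `current_user` call within the same request. Consider caching the decision, e.g. `@access_allowed = !!(@current_user && Gitlab::UserAccess.allowed?(@current_user)) if @access_allowed.nil?` followed by `return nil unless @access_allowed`. The sudo handling continues below the visible lines, so this hunk does not show whether the user selected by `sudo_identifier()` gets the same check; if it does not, an admin token could still act as a blocked account.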
...@@ -61,18 +61,7 @@ module Gitlab ...@@ -61,18 +61,7 @@ module Gitlab
private private
def user_allowed?(user) def user_allowed?(user)
return false if user.blocked? Gitlab::UserAccess.allowed?(user)
if Gitlab.config.ldap.enabled
if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
Gitlab::LDAP::Access.open do |adapter|
return false unless adapter.allowed?(user)
end
end
end
true
end end
end end
end end
module Gitlab
module UserAccess
def self.allowed?(user)
return false if user.blocked?
if Gitlab.config.ldap.enabled
if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
Gitlab::LDAP::Access.open do |adapter|
return false unless adapter.allowed?(user)
end
end
end
true
end
end
end
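Review bot: `Gitlab::UserAccess.allowed?` does not say what happens when the LDAP lookup itself fails, and with this commit it sits on the path of every API request. Nothing visible here rescues an error from `Gitlab::LDAP::Access.open`, so an unreachable directory presumably surfaces as an exception in the API helper; that fails closed, which is the safer direction, but it should be a deliberate and documented choice. After confirming the behaviour I would add a comment above the method such as `# Returns false for blocked users and for LDAP users the directory no longer permits; LDAP errors propagate to the caller (fail closed).` The two nested conditions can also be written as one: `if Gitlab.config.ldap.enabled && user.ldap_user?`.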
...@@ -39,6 +39,17 @@ describe API, api: true do ...@@ -39,6 +39,17 @@ describe API, api: true do
end end
describe ".current_user" do describe ".current_user" do
it "should return nil for an invalid token" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
current_user.should be_nil
end
it "should return nil for a user without access" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
Gitlab::UserAccess.stub(allowed?: false)
current_user.should be_nil
end
it "should leave user as is when sudo not specified" do it "should leave user as is when sudo not specified" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
current_user.should == user current_user.should == user
......
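Review bot: The denial example stubs `Gitlab::UserAccess.allowed?` to false, so neither new example exercises the real check. Nothing in this section covers a blocked user or an LDAP user rejected by the directory, and no spec for `Gitlab::UserAccess` itself is visible in this commit. I would add an example that puts `user` into the blocked state and asserts `current_user.should be_nil` without the stub, plus one where a sudo request targets a user for whom `allowed?` returns false. The `describe ".current_user"` block continues past the visible lines.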