Commit 25e44edc authored by Lin Jen-Shin's avatar Lin Jen-Shin

Allow admin to read_users_list even if it's restricted

parent d95e6da0
......@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in
end
rule { ~restricted_public_level }.policy do
rule { admin | ~restricted_public_level }.policy do
enable :read_users_list
end
end
---
title: Allow admin to read_users_list even if it's restricted
merge_request: 13066
author:
......@@ -30,5 +30,25 @@ describe GlobalPolicy, models: true do
it { is_expected.to be_allowed(:read_users_list) }
end
end
context "for an admin" do
let(:current_user) { create(:admin) }
context "when the public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it { is_expected.to be_allowed(:read_users_list) }
end
context "when the public level is not restricted" do
before do
stub_application_setting(restricted_visibility_levels: [])
end
it { is_expected.to be_allowed(:read_users_list) }
end
end
end
end
......@@ -55,17 +55,22 @@ describe API::Users do
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
end
it "renders 403" do
get api("/users")
expect(response).to have_http_status(403)
context 'when authenticate as a regular user' do
it "renders 403" do
get api("/users", user)
expect(response).to have_gitlab_http_status(403)
end
end
it "renders 404" do
get api("/users/#{user.id}")
expect(response).to have_http_status(404)
context 'when authenticate as an admin' do
it "renders 200" do
get api("/users", admin)
expect(response).to have_gitlab_http_status(200)
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment