  1. 28 Sep, 2017 1 commit
  2. 26 Sep, 2017 1 commit
  3. 18 Sep, 2017 1 commit
  4. 05 Sep, 2017 2 commits
  5. 28 Aug, 2017 1 commit
  6. 11 Aug, 2017 1 commit
  7. 01 Aug, 2017 1 commit
  8. 25 Jul, 2017 1 commit
  9. 12 Jul, 2017 1 commit
  10. 11 Jul, 2017 1 commit
  11. 07 Jul, 2017 3 commits
  12. 05 Jul, 2017 1 commit
      Fix build for !12300. · 94258a65
      Timothy Andrew authored
      - The `/users` and `/users/:id` APIs are now accessible without
        authentication (!12445), and so scopes are not relevant for these endpoints.
      
      - Previously, we were testing our scope declaration against these two methods.
        This commit moves these tests to other `GET` user endpoints which still
        require authentication.
  13. 04 Jul, 2017 1 commit
  14. 30 Jun, 2017 1 commit
      Implement review comments for !12445 from @godfat and @rymai. · 3c88a786
      Timothy Andrew authored
      - Use `GlobalPolicy` to authorize the users that a non-authenticated user can
        fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
        visibility level is not restricted.
      
      - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
        the `username` parameter is passed.
      
      - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
        route + method, rather than the description.
      
      - Change the type of `current_user` check in `UsersFinder` to be more
        compatible with EE.
  15. 28 Jun, 2017 3 commits
      Test `/users` endpoints for the `read_user` scope. · 157c05f4
      Timothy Andrew authored
      - Test `GET` endpoints to check that the scope is allowed.
      - Test `POST` endpoints to check that the scope is disallowed.
      - Test both `v3` and `v4` endpoints.
      Allow API scope declarations to be applied conditionally. · 80c1ebaa
      Timothy Andrew authored
      - Scope declarations of the form:
      
          allow_access_with_scope :read_user, if: -> (request) { request.get? }
      
        will only apply for `GET` requests.
      
      - Add a negative test to a `POST` endpoint in the `users` API to test this. Also
        test for this case in the `AccessTokenValidationService` unit tests.
      Initial attempt at refactoring API scope declarations. · 6f192250
      Timothy Andrew authored
      - Declaring an endpoint's scopes in a `before` block has proved to be
        unreliable. For example, if we're accessing the `API::Users` endpoint - code
        in a `before` block in `API::API` wouldn't be able to see the scopes set in
        `API::Users` since the `API::API` `before` block runs first.
      
      - This commit moves these declarations to the class level, since they don't need
        to change once set.
  16. 26 Jun, 2017 1 commit
      Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6
      Timothy Andrew authored
      - The issue filtering frontend code needs access to this API for non-logged-in
        users + public projects. It uses the API to fetch information for a user by
        username.
      
      - We don't authenticate this API anymore, but instead - if the `current_user` is
        not present:
      
        - Verify that the `username` parameter has been passed. This disallows an
          unauthenticated user from grabbing a list of all users on the instance. The
          `UsersFinder` class performs an exact match on the `username`, so we are
          guaranteed to get 0 or 1 users.
        - Verify that the resulting user (if any) is accessible to be viewed publicly
          by calling `can?(current_user, :read_user, user)`.
  17. 23 Jun, 2017 3 commits
  18. 21 Jun, 2017 1 commit
  19. 20 Jun, 2017 1 commit
  20. 16 Jun, 2017 1 commit
  21. 14 Jun, 2017 1 commit
  22. 06 Jun, 2017 2 commits
  23. 02 Jun, 2017 1 commit
  24. 24 May, 2017 3 commits
  25. 25 Apr, 2017 1 commit
      Don't display the `is_admin?` flag for user API responses. · 34b71e73
      Timothy Andrew authored
      - To prevent an attacker from enumerating the `/users` API to get a list of all
        the admins.
      
      - Display the `is_admin?` flag wherever we display the `private_token` - at the
        moment, there are two instances:
      
        - When an admin uses `sudo` to view the `/user` endpoint
        - When logging in using the `/session` endpoint
  26. 21 Apr, 2017 1 commit
  27. 18 Apr, 2017 1 commit
  28. 14 Apr, 2017 2 commits
  29. 02 Apr, 2017 1 commit