• Timothy Andrew's avatar
    Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6
    Timothy Andrew authored
    - The issue filtering frontend code needs access to this API for non-logged-in
      users + public projects. It uses the API to fetch information for a user by
      username.
    
    - We don't authenticate this API anymore, but instead - if the `current_user` is
      not present:
    
      - Verify that the `username` parameter has been passed. This disallows an
        unauthenticated user from grabbing a list of all users on the instance. The
        `UsersFinder` class performs an exact match on the `username`, so we are
        guaranteed to get 0 or 1 users.
      - Verify that the resulting user (if any) is accessible to be viewed publicly
        by calling `can?(current_user, :read_user, user)`
    20f679d6
helpers.rb 11.3 KB