Merge branch '35697-allow-logged-in-user-to-read-user-list' into 'master'

Allow logged in users to read user list under public restriction Closes #35697 See merge request !13201

Merge branch '35697-allow-logged-in-user-to-read-user-list' into 'master'
Allow logged in users to read user list under public restriction Closes #35697 See merge request !13201
0d6b46c0 · Rémy Coutable · cfa41e62 · 0d35b081 · 0d6b46c0 · 0d6b46c0
Commit 0d6b46c0 authored Aug 01, 2017 by Rémy Coutable
3 changed files
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
    prevent :log_in
  end

-  rule { admin | ~restricted_public_level }.policy do
+  rule { ~(anonymous & restricted_public_level) }.policy do
    enable :read_users_list
  end
 end
--- a/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
+++ b/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
+---
+title: Allow any logged in users to read_users_list even if it's restricted
+merge_request: 13201
+author:
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -16,37 +16,43 @@ describe API::Users do
      it "returns authorization error when the `username` parameter is not passed" do
        get api("/users")

-        expect(response).to have_http_status(403)
+        expect(response).to have_gitlab_http_status(403)
      end

      it "returns the user when a valid `username` parameter is passed" do
-        user = create(:user)
-
        get api("/users"), username: user.username

-        expect(response).to have_http_status(200)
+        expect(response).to have_gitlab_http_status(200)
        expect(json_response).to be_an Array
        expect(json_response.size).to eq(1)
        expect(json_response[0]['id']).to eq(user.id)
        expect(json_response[0]['username']).to eq(user.username)
      end

-      it "returns authorization error when the `username` parameter refers to an inaccessible user" do
-        user = create(:user)
+      it "returns an empty response when an invalid `username` parameter is passed" do
+        get api("/users"), username: 'invalid'

+        expect(response).to have_gitlab_http_status(200)
+        expect(json_response).to be_an Array
+        expect(json_response.size).to eq(0)
+      end
+
+      context "when public level is restricted" do
+        before do
          stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+        end

+        it "returns authorization error when the `username` parameter refers to an inaccessible user" do
          get api("/users"), username: user.username

-        expect(response).to have_http_status(403)
+          expect(response).to have_gitlab_http_status(403)
        end

-      it "returns an empty response when an invalid `username` parameter is passed" do
-        get api("/users"), username: 'invalid'
+        it "returns authorization error when the `username` parameter is not passed" do
+          get api("/users")

-        expect(response).to have_http_status(200)
-        expect(json_response).to be_an Array
-        expect(json_response.size).to eq(0)
+          expect(response).to have_gitlab_http_status(403)
+        end
      end
    end

@@ -58,10 +64,10 @@ describe API::Users do
        end

        context 'when authenticate as a regular user' do
-          it "renders 403" do
+          it "renders 200" do
            get api("/users", user)

-            expect(response).to have_gitlab_http_status(403)
+            expect(response).to have_gitlab_http_status(200)
          end
        end