Commit 0d6b46c0 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '35697-allow-logged-in-user-to-read-user-list' into 'master'

Allow logged in users to read user list under public restriction

Closes #35697

See merge request !13201
parents cfa41e62 0d35b081
......@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in
end
rule { admin | ~restricted_public_level }.policy do
rule { ~(anonymous & restricted_public_level) }.policy do
enable :read_users_list
end
end
---
title: Allow any logged in users to read_users_list even if it's restricted
merge_request: 13201
author:
......@@ -16,37 +16,43 @@ describe API::Users do
it "returns authorization error when the `username` parameter is not passed" do
get api("/users")
expect(response).to have_http_status(403)
expect(response).to have_gitlab_http_status(403)
end
it "returns the user when a valid `username` parameter is passed" do
user = create(:user)
get api("/users"), username: user.username
expect(response).to have_http_status(200)
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(1)
expect(json_response[0]['id']).to eq(user.id)
expect(json_response[0]['username']).to eq(user.username)
end
it "returns authorization error when the `username` parameter refers to an inaccessible user" do
user = create(:user)
it "returns an empty response when an invalid `username` parameter is passed" do
get api("/users"), username: 'invalid'
expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(0)
end
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it "returns authorization error when the `username` parameter refers to an inaccessible user" do
get api("/users"), username: user.username
expect(response).to have_http_status(403)
expect(response).to have_gitlab_http_status(403)
end
it "returns an empty response when an invalid `username` parameter is passed" do
get api("/users"), username: 'invalid'
it "returns authorization error when the `username` parameter is not passed" do
get api("/users")
expect(response).to have_http_status(200)
expect(json_response).to be_an Array
expect(json_response.size).to eq(0)
expect(response).to have_gitlab_http_status(403)
end
end
end
......@@ -58,10 +64,10 @@ describe API::Users do
end
context 'when authenticate as a regular user' do
it "renders 403" do
it "renders 200" do
get api("/users", user)
expect(response).to have_gitlab_http_status(403)
expect(response).to have_gitlab_http_status(200)
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment