ce96d482
Commit
ce96d482
authored
Apr 06, 2016
by
Felipe Artur
Insert users check into api
parent
07b38c3b
Changes
5
Showing
5 changed files
with
33 additions
and
7 deletions
+33
-7
app/models/ability.rb
app/models/ability.rb
+3
-3
lib/api/api_guard.rb
lib/api/api_guard.rb
+4
-0
lib/api/users.rb
lib/api/users.rb
+8
-2
spec/controllers/users_controller_spec.rb
spec/controllers/users_controller_spec.rb
+0
-2
spec/requests/api/users_spec.rb
spec/requests/api/users_spec.rb
+18
-0
app/models/ability.rb
...
@@ -91,8 +91,8 @@ class Ability
...
@@ -91,8 +91,8 @@ class Ability
subject
.
group
subject
.
group
end
end
if
group
if
group
.
public?
rules
<<
:read_group
if
group
.
public?
rules
<<
:read_group
rules
<<
:read_group_members
unless
restricted_public_level?
rules
<<
:read_group_members
unless
restricted_public_level?
end
end
...
@@ -483,7 +483,7 @@ class Ability
...
@@ -483,7 +483,7 @@ class Ability
private
private
def
restricted_public_level?
def
restricted_public_level?
@public_restricted
||=
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
end
end
def
named_abilities
(
name
)
def
named_abilities
(
name
)
...
...
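Review bot: `restricted_public_level?` in the second hunk now evaluates `current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)` inline, and the same expression is added a second time as `public_access_restricted?` in lib/api/api_guard.rb; two names for one visibility rule will drift the next time the rule changes. Have one delegate to the other, or move the check into a single shared helper that both Ability and the API guard call. Dropping the `@public_restricted ||=` memoization also means the setting is re-read on every ability check; if that is intended (the old form never cached a `false` result anyway), a one-line comment saying so would stop the next reader from putting it back. The first hunk's change is not legible in this rendering and is not reviewed here.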
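--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -79,6 +79,10 @@ module APIGuard
       @current_user
     end
+    def public_access_restricted?
+      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+    end
     private
     def find_access_token
       @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)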
lib/api/users.rb
...
@@ -11,6 +11,10 @@ module API
...
@@ -11,6 +11,10 @@ module API
# GET /users?search=Admin
# GET /users?search=Admin
# GET /users?username=root
# GET /users?username=root
get
do
get
do
if
!
current_user
&&
public_access_restricted?
render_api_error!
(
"Not authorized."
,
403
)
end
if
params
[
:username
].
present?
if
params
[
:username
].
present?
@users
=
User
.
where
(
username:
params
[
:username
])
@users
=
User
.
where
(
username:
params
[
:username
])
else
else
...
@@ -36,10 +40,12 @@ module API
...
@@ -36,10 +40,12 @@ module API
get
":id"
do
get
":id"
do
@user
=
User
.
find
(
params
[
:id
])
@user
=
User
.
find
(
params
[
:id
])
if
current_user
.
is_admin?
if
current_user
.
present?
&&
current_user
.
is_admin?
present
@user
,
with:
Entities
::
UserFull
present
@user
,
with:
Entities
::
UserFull
els
e
els
if
can?
(
current_user
,
:read_user
,
@user
)
present
@user
,
with:
Entities
::
User
present
@user
,
with:
Entities
::
User
else
render_api_error!
(
"User not found."
,
404
)
end
end
end
end
...
...
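Review bot: In the second hunk an anonymous caller blocked by the restriction gets 404 `"User not found."` from `GET /users/:id`, while the first hunk answers the same condition on `GET /users` with 403 `"Not authorized."`; the two endpoints should either agree or the difference should be stated in the code. If the 404 is deliberate, so that a caller who may not read the user cannot learn whether the id exists, add a comment on the new `else` branch: `# 404, not 403: do not reveal whether the id exists to a caller who may not read this user`. Note that `User.find(params[:id])` still runs before any authorization check, so a missing id fails with RecordNotFound before the branch is reached; that is consistent with the 404 only if RecordNotFound is mapped to 404 elsewhere, which this hunk does not show. The `get do` block of the first hunk continues past the hunk.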
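--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -30,8 +30,6 @@ describe UsersController do
   end
   describe 'when logged out' do
-    before { stub_application_setting(restricted_visibility_levels: []) }
     it 'renders the show template' do
       get :show, username: user.username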
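--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -20,6 +20,24 @@ describe API::API, api: true do
   end
   context "when authenticated" do
+    #These specs are written just in case API authentication is not required anymore
+    context "when public level is restricted" do
+      before do
+        stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+        allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
+      end
+      it "renders 403" do
+        get api("/users")
+        expect(response.status).to eq(403)
+      end
+      it "renders 404" do
+        get api("/users/#{user.id}")
+        expect(response.status).to eq(404)
+      end
+    end
     it "should return an array of users" do
       get api("/users", user)
       expect(response.status).to eq(200)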
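Review bot: The comment opening the new context, `#These specs are written just in case API authentication is not required anymore`, is missing the space after `#` (`# These specs …`) and explains the `authenticate!` stub only obliquely; saying that the stub bypasses authentication so that an anonymous request reaches the visibility gate would make the intent clear. The new context also has no example for an authenticated caller under the restricted setting, so nothing pins that the 403 and 404 apply only to anonymous requests; an `it` inside `"when public level is restricted"` doing `get api("/users", user)` and expecting 200 would cover it.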