Commit 727dff3f authored by Timothy Andrew

Don't expose a user's private token in the `/api/v3/user` API.

- This would allow anyone with a personal access token (even a read-only
  token, once scopes are implemented) to escalate their access by
  obtaining the private token.
parent 4d042afe
...@@ -310,8 +310,7 @@ GET /user ...@@ -310,8 +310,7 @@ GET /user
"can_create_group": true, "can_create_group": true,
"can_create_project": true, "can_create_project": true,
"two_factor_enabled": true, "two_factor_enabled": true,
"external": false, "external": false
"private_token": "dd34asd13as"
} }
``` ```
......
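Review bot: the docs hunk drops `private_token` from the `GET /user` example response, but nothing on this page adds a CHANGELOG entry or a note in the API docs saying the field is gone; any client that read `private_token` from `GET /user` will break, so this is a breaking API change and deserves a changelog line and a short "removed in this release" note next to the example. The trailing-comma fix on `"external": false` is correct and keeps the example valid JSON.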
...@@ -327,7 +327,7 @@ module API ...@@ -327,7 +327,7 @@ module API
# Example Request: # Example Request:
# GET /user # GET /user
get do get do
present @current_user, with: Entities::UserLogin present @current_user, with: Entities::UserFull
end end
# Get currently authenticated user's keys # Get currently authenticated user's keys
......
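Review bot: the switch from `Entities::UserLogin` to `Entities::UserFull` is only a fix if `UserFull` itself omits `private_token`, and the entity definitions are not part of this diff, so please confirm that in `lib/api/entities.rb` rather than relying on the single spec assertion added below. Also check whether `Entities::UserLogin` still has a caller after this change (the session/login endpoint presumably still needs it); if it has none, remove it so the token-exposing presenter is not left around as an easy way to reintroduce the leak.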
...@@ -605,6 +605,7 @@ describe API::API, api: true do ...@@ -605,6 +605,7 @@ describe API::API, api: true do
expect(json_response['can_create_project']).to eq(user.can_create_project?) expect(json_response['can_create_project']).to eq(user.can_create_project?)
expect(json_response['can_create_group']).to eq(user.can_create_group?) expect(json_response['can_create_group']).to eq(user.can_create_group?)
expect(json_response['projects_limit']).to eq(user.projects_limit) expect(json_response['projects_limit']).to eq(user.projects_limit)
expect(json_response['private_token']).to be_blank
end end
it "returns 401 error if user is unauthenticated" do it "returns 401 error if user is unauthenticated" do
......
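Review bot: `expect(json_response['private_token']).to be_blank` is weaker than the property being asserted: `be_blank` is satisfied by `nil`, `""` and whitespace, so it would still pass if a presenter started emitting the key with an empty value, and it does not express "the field must not be in the response". Prefer `expect(json_response).not_to have_key('private_token')` (or `expect(json_response.keys).not_to include('private_token')`), which fails as soon as the key reappears regardless of its value.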