authorLin Jen-Shin <godfat@godfat.org>2017-07-25 16:44:02 +0800
committerLin Jen-Shin <godfat@godfat.org>2017-07-25 16:49:26 +0800
commit25e44edc30b5ca61267487248db9330da3e48a6c (patch)
treeaed26c4fb1e0ac1fc9dd76d64bcf16318a49ba42
parentd95e6da0d582cd4b0d333b3b6a1bfa3a565b874e (diff)
downloadgitlab-ce-25e44edc30b5ca61267487248db9330da3e48a6c.tar.gz
Allow admin to read_users_list even if it's restricted
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--changelogs/unreleased/35478-allow-admin-to-read-user-list.yml4
-rw-r--r--spec/policies/global_policy_spec.rb20
-rw-r--r--spec/requests/api/users_spec.rb19
4 files changed, 37 insertions, 8 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 55eefa76d3f..1c91425f589 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in
end
- rule { ~restricted_public_level }.policy do
+ rule { admin | ~restricted_public_level }.policy do
enable :read_users_list
end
end
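Review bot: The new rule on the `rule { admin | ~restricted_public_level }` line widens `:read_users_list` to every admin regardless of the restricted-visibility setting, and nothing in the hunk records that this is deliberate rather than a typo for `&`; a one-line comment above the rule would settle that for the next reader, e.g. `# Admins may always enumerate users; the PUBLIC-level restriction applies to non-admins only.` The `admin` condition is presumably the user-scoped admin flag declared in BasePolicy, outside this hunk — worth confirming it is that flag and not a group- or project-level role before relying on it for an instance-wide grant. The enclosing GlobalPolicy class starts and ends outside the hunk.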
diff --git a/changelogs/unreleased/35478-allow-admin-to-read-user-list.yml b/changelogs/unreleased/35478-allow-admin-to-read-user-list.yml
new file mode 100644
index 00000000000..da4b730f0ca
--- /dev/null
+++ b/changelogs/unreleased/35478-allow-admin-to-read-user-list.yml
@@ -0,0 +1,4 @@
+---
+title: Allow admin to read_users_list even if it's restricted
+merge_request: 13066
+author:
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index bb0fa0c0e9c..c3e2b603c4b 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -30,5 +30,25 @@ describe GlobalPolicy, models: true do
it { is_expected.to be_allowed(:read_users_list) }
end
end
+
+ context "for an admin" do
+ let(:current_user) { create(:admin) }
+
+ context "when the public level is restricted" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
+
+ it { is_expected.to be_allowed(:read_users_list) }
+ end
+
+ context "when the public level is not restricted" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [])
+ end
+
+ it { is_expected.to be_allowed(:read_users_list) }
+ end
+ end
end
end
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 877bde3b9a6..66b165b438b 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -55,17 +55,22 @@ describe API::Users do
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
- allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
end
- it "renders 403" do
- get api("/users")
- expect(response).to have_http_status(403)
+ context 'when authenticate as a regular user' do
+ it "renders 403" do
+ get api("/users", user)
+
+ expect(response).to have_gitlab_http_status(403)
+ end
end
- it "renders 404" do
- get api("/users/#{user.id}")
- expect(response).to have_http_status(404)
+ context 'when authenticate as an admin' do
+ it "renders 200" do
+ get api("/users", admin)
+
+ expect(response).to have_gitlab_http_status(200)
+ end
end
end