author | Rémy Coutable <remy@rymai.me> | 2017-08-01 07:46:14 +0000 |
committer | James Edwards-Jones <jedwardsjones@gitlab.com> | 2017-08-11 19:34:06 +0100 |
commit | 8702cfcad2e9ad174749284e48ecc1ff44652bc4 (patch) | |
tree | 271b69ab3e4ddc1f3f172bfef34ef2a71f9d5e30 | |
parent | 2c79d921f99430a96ed8ebfb0a0cd3387ac39512 (diff) | |
Merge branch '35697-allow-logged-in-user-to-read-user-list' into 'master'
Allow logged in users to read user list under public restriction
Closes #35697
See merge request !13201
-rw-r--r-- | app/policies/global_policy.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml | 4 | ||||
-rw-r--r-- | spec/requests/api/users_spec.rb | 40 |
3 files changed, 28 insertions, 18 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 1c91425f589..1be7bbe9953 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
 prevent :log_in
 end
 
- rule { admin | ~restricted_public_level }.policy do
+ rule { ~(anonymous & restricted_public_level) }.policy do
 enable :read_users_list
 end
 end
diff --git a/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml b/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
new file mode 100644
index 00000000000..54b2e71bef9
--- /dev/null
+++ b/changelogs/unreleased/35697-allow-logged-in-user-to-read-user-list.yml
@@ -0,0 +1,4 @@
+---
+title: Allow any logged in users to read_users_list even if it's restricted
+merge_request: 13201
+author:
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 50a2521bafb..52d4c81ccd7 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
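Review bot: The new rule `~(anonymous & restricted_public_level)` grants `read_users_list` to every non-anonymous identity, which is broader than the "logged in users" wording in the description if this policy distinguishes external or otherwise limited accounts; worth confirming that is intended, because this ability exposes enumeration of the whole user base precisely when PUBLIC visibility has been restricted. If GlobalPolicy already defines a condition for external users, the rule could exclude it; otherwise a comment stating the intent would help a later reader, e.g. `# Listing users is denied only to anonymous requests while PUBLIC visibility is restricted; any signed-in account may list.` The enclosing class starts before the hunk.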
@@ -16,38 +16,44 @@ describe API::Users do
 it "returns authorization error when the `username` parameter is not passed" do
 get api("/users")
 
- expect(response).to have_http_status(403)
+ expect(response).to have_gitlab_http_status(403)
 end
 
 it "returns the user when a valid `username` parameter is passed" do
- user = create(:user)
-
 get api("/users"), username: user.username
 
- expect(response).to have_http_status(200)
+ expect(response).to have_gitlab_http_status(200)
 expect(json_response).to be_an Array
 expect(json_response.size).to eq(1)
 expect(json_response[0]['id']).to eq(user.id)
 expect(json_response[0]['username']).to eq(user.username)
 end
 
- it "returns authorization error when the `username` parameter refers to an inaccessible user" do
- user = create(:user)
-
- stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
-
- get api("/users"), username: user.username
-
- expect(response).to have_http_status(403)
- end
-
 it "returns an empty response when an invalid `username` parameter is passed" do
 get api("/users"), username: 'invalid'
 
- expect(response).to have_http_status(200)
+ expect(response).to have_gitlab_http_status(200)
 expect(json_response).to be_an Array
 expect(json_response.size).to eq(0)
 end
+
+ context "when public level is restricted" do
+ before do
+ stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+ end
+
+ it "returns authorization error when the `username` parameter refers to an inaccessible user" do
+ get api("/users"), username: user.username
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+
+ it "returns authorization error when the `username` parameter is not passed" do
+ get api("/users")
+
+ expect(response).to have_gitlab_http_status(403)
+ end
+ end
 end
 
 context "when authenticated" do
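Review bot: The examples in the new `when public level is restricted` context, and the edited "valid username" example above it, reference `user` without creating it, so they now depend on a `let(:user)` defined outside this hunk; please confirm it exists at a level shared with this unauthenticated context, since the local `user = create(:user)` was removed here. The inner example titled "returns authorization error when the `username` parameter is not passed" repeats the description of the example at the top of the hunk, which makes failure output ambiguous; renaming it, e.g. `it "returns authorization error for an anonymous request without a username parameter" do`, keeps the two distinguishable. The enclosing `describe` block starts before the hunk.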
@@ -58,10 +64,10 @@ describe API::Users do
 end
 
 context 'when authenticate as a regular user' do
- it "renders 403" do
+ it "renders 200" do
 get api("/users", user)
 
- expect(response).to have_gitlab_http_status(403)
+ expect(response).to have_gitlab_http_status(200)
 end
 end
 
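Review bot: The `renders 200` example asserts only the status code, so it does not show that a regular user actually receives the list under the restricted setting this context appears to stub outside the hunk; adding `expect(json_response).to be_an Array` after the status check would pin the behaviour the commit introduces rather than just the absence of a 403. No example covers an external or blocked account, so if the policy is meant to treat those differently from a regular user, that distinction is untested here. The enclosing `when authenticated` context starts before the hunk.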