diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-26 07:20:30 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-26 07:20:30 +0000 |
| commit | 20f679d620380b5b5e662b790c76caf256867b01 (patch) | |
| tree | 186b69dfdb75768e5dc75bf01cb3092e1c8b06b7 /app/finders | |
| parent | f0886918845f8292889db7e30033b7051147f3b0 (diff) | |
| download | gitlab-ce-20f679d620380b5b5e662b790c76caf256867b01.tar.gz | |
Allow unauthenticated access to the `/api/v4/users` API.
- The issue filtering frontend code needs access to this API for non-logged-in
users + public projects. It uses the API to fetch information for a user by
username.
- We don't authenticate this API anymore, but instead - if the `current_user` is
not present:
- Verify that the `username` parameter has been passed. This disallows an
unauthenticated user from grabbing a list of all users on the instance. The
`UsersFinder` class performs an exact match on the `username`, so we are
guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly
by calling `can?(current_user, :read_user, user)`
Diffstat (limited to 'app/finders')
| -rw-r--r-- | app/finders/users_finder.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb index dbd50d1db7c..0534317df8f 100644 --- a/app/finders/users_finder.rb +++ b/app/finders/users_finder.rb @@ -27,8 +27,11 @@ class UsersFinder users = by_search(users) users = by_blocked(users) users = by_active(users) - users = by_external_identity(users) - users = by_external(users) + + if current_user + users = by_external_identity(users) + users = by_external(users) + end users end |