diff options
author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-29 07:43:41 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-30 13:06:03 +0000 |
commit | 3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch) | |
tree | 4335dcc017f75c382757047a37d7936704cfe9d5 /app | |
parent | c39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff) | |
download | gitlab-ce-3c88a7869b87693ba8c3fb9814d39437dd569a31.tar.gz |
Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
Diffstat (limited to 'app')
-rw-r--r-- | app/finders/users_finder.rb | 11 | ||||
-rw-r--r-- | app/policies/base_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 6 |
4 files changed, 12 insertions, 14 deletions
diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb index 0534317df8f..07deceb827b 100644 --- a/app/finders/users_finder.rb +++ b/app/finders/users_finder.rb @@ -27,11 +27,8 @@ class UsersFinder users = by_search(users) users = by_blocked(users) users = by_active(users) - - if current_user - users = by_external_identity(users) - users = by_external(users) - end + users = by_external_identity(users) + users = by_external(users) users end @@ -63,13 +60,13 @@ class UsersFinder end def by_external_identity(users) - return users unless current_user.admin? && params[:extern_uid] && params[:provider] + return users unless current_user&.admin? && params[:extern_uid] && params[:provider] users.joins(:identities).merge(Identity.with_extern_uid(params[:provider], params[:extern_uid])) end def by_external(users) - return users = users.where.not(external: true) unless current_user.admin? + return users = users.where.not(external: true) unless current_user&.admin? return users unless params[:external] users.external diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 623424c63e0..261a2e780c5 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -1,4 +1,6 @@ class BasePolicy + include Gitlab::CurrentSettings + class RuleSet attr_reader :can_set, :cannot_set def initialize(can_set, cannot_set) @@ -124,4 +126,8 @@ class BasePolicy yield @rule_set end + + def restricted_public_level? + current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) + end end diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 2683aaad981..e9be43a5037 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -1,9 +1,10 @@ class GlobalPolicy < BasePolicy def rules + can! :read_users_list unless restricted_public_level? + return unless @user can! :create_group if @user.can_create_group - can! :read_users_list unless @user.blocked? || @user.internal? can! :log_in unless @user.access_locked? diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 229846e368c..265c56aba53 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -1,6 +1,4 @@ class UserPolicy < BasePolicy - include Gitlab::CurrentSettings - def rules can! :read_user if @user || !restricted_public_level? @@ -12,8 +10,4 @@ class UserPolicy < BasePolicy cannot! :destroy_user if @subject.ghost? end end - - def restricted_public_level? - current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) - end end |