Merge branch 'api_ldap' into 'master'

Check user access during API calls
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-15 16:57:05 +0000
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-15 16:57:05 +0000
commit: 39eac7b0b92ac65edf22ce860174e6049af13032 (patch)
tree: e7a699dd8c95f2f9db19240f0747ef73e594db5b /lib/api/helpers.rb
parent: 216704f31a30c61fc6a627d94396a6dacfed456e (diff)
parent: 223a8695be207aa1725d9ae3755e4d0396dfe9f0 (diff)
download: gitlab-ce-39eac7b0b92ac65edf22ce860174e6049af13032.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 7ee4b9d1381..654c1f62c6c 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -8,6 +8,11 @@ module API
     def current_user
       private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
       @current_user ||= User.find_by(authentication_token: private_token)
+
+      unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
+        return nil
+      end
+
       identifier = sudo_identifier()
 
       # If the sudo is the current user do nothing
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2014-05-15 16:57:05 +0000
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2014-05-15 16:57:05 +0000
commit	39eac7b0b92ac65edf22ce860174e6049af13032 (patch)
tree	e7a699dd8c95f2f9db19240f0747ef73e594db5b /lib/api/helpers.rb
parent	216704f31a30c61fc6a627d94396a6dacfed456e (diff)
parent	223a8695be207aa1725d9ae3755e4d0396dfe9f0 (diff)
download	gitlab-ce-39eac7b0b92ac65edf22ce860174e6049af13032.tar.gz