author | Izaak Alpert <ihalpert@blackberry.com> | 2013-03-28 14:37:44 -0400 |
---|---|---|
committer | Izaak Alpert <ialpert@blackberry.com> | 2013-09-09 12:04:38 -0400 |
commit | e86e8818327059279247db3a451994c6a62ab161 (patch) | |
tree | 5af04da559f21450b9c12d575f0fefe4958937b8 /lib/api/helpers.rb | |
parent | 9ad5d9a4c6a3e292ddde7e46949f739eb63c746e (diff) | |
API: admin users can sudo commands as other users
-Specifying a SUDO header, or a :sudo parameter, holding either the user id or the username of a user sets current_user to that user, provided the identifying private_token/PRIVATE_TOKEN belongs to an administrator.
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r-- | lib/api/helpers.rb | 44 |
1 files changed, 39 insertions, 5 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index f857d4133b2..996d3adb174 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -1,7 +1,41 @@
 module API
 module APIHelpers
+ PRIVATE_TOKEN_HEADER = "HTTP_PRIVATE_TOKEN"
+ PRIVATE_TOKEN_PARAM = :private_token
+ SUDO_HEADER ="HTTP_SUDO"
+ SUDO_PARAM = :sudo
+
 def current_user
- @current_user ||= User.find_by_authentication_token(params[:private_token] || env["HTTP_PRIVATE_TOKEN"])
+ @current_user ||= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER])
+ identifier = sudo_identifier()
+ # If the sudo is the current user do nothing
+ if (identifier && !(@current_user.id == identifier || @current_user.username == identifier))
+ render_api_error!('403 Forbidden: Must be admin to use sudo', 403) unless @current_user.is_admin?
+ begin
+
+ if (identifier.is_a?(Integer))
+ user = User.find_by_id(identifier)
+ else
+ user = User.find_by_username(identifier)
+ end
+ if user.nil?
+ not_found!("No user id or username for: #{identifier}")
+ end
+ @current_user = user
+ rescue => ex
+ not_found!("No user id or username for: #{identifier}")
+ end
+ end
+ @current_user
+ end
+
+ def sudo_identifier()
+ identifier = params[SUDO_PARAM] == nil ? env[SUDO_HEADER] : params[SUDO_PARAM]
+ if (!!(identifier =~ /^[0-9]+$/))
+ identifier.to_i
+ else
+ identifier
+ end
 end
 
 def user_project
@@ -95,10 +129,10 @@ module API
 
 def abilities
 @abilities ||= begin
- abilities = Six.new
- abilities << Ability
- abilities
- end
+ abilities = Six.new
+ abilities << Ability
+ abilities
+ end
 end
 end
 end
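Review bot: In `current_user` the new sudo branch dereferences `@current_user` before checking it: when the private token is missing or invalid, `find_by_authentication_token` returns nil and `@current_user.id` raises NoMethodError, so a request carrying a SUDO header with a bad token now fails with a 500 instead of the unauthenticated response the old code produced; guard it with `if identifier && @current_user && !(@current_user.id == identifier || @current_user.username == identifier)`. In `sudo_identifier` the numeric test `/^[0-9]+$/` uses line anchors, so a value such as `"12\nalice"` is treated as id 12 by `to_i`; use `/\A[0-9]+\z/`, and note that a username consisting only of digits can then never be addressed by name. The `rescue => ex` turns any StandardError from the user lookup into a 404 and never uses `ex`, which hides database failures behind "No user id or username"; narrow it to the lookup errors you expect or at least log the exception. Nothing in the hunk records the impersonation, and an admin acting as another user is the kind of event an audit trail normally wants — presumably request logging elsewhere does not capture the SUDO value, worth confirming.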