diff options
| author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-11-08 18:49:38 +0200 |
|---|---|---|
| committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-11-08 18:49:38 +0200 |
| commit | 9d79d6e152858605afeddeeb10f43a5efbdf0376 (patch) | |
| tree | 95ed8d26a9c54cfb8a64536881bce173feeda584 /lib/api/helpers.rb | |
| parent | dfade97edffdec9a1e042c620b98e799d74794cf (diff) | |
| download | gitlab-ce-9d79d6e152858605afeddeeb10f43a5efbdf0376.tar.gz | |
Make sure private_token for API is a string
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'lib/api/helpers.rb')
| -rw-r--r-- | lib/api/helpers.rb | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index edc662eaaab..b0f8d5a6da9 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -6,19 +6,23 @@ module API SUDO_PARAM = :sudo def current_user - @current_user ||= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]) + private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s + @current_user ||= User.find_by_authentication_token(private_token) identifier = sudo_identifier() + # If the sudo is the current user do nothing if (identifier && !(@current_user.id == identifier || @current_user.username == identifier)) render_api_error!('403 Forbidden: Must be admin to use sudo', 403) unless @current_user.is_admin? @current_user = User.by_username_or_id(identifier) not_found!("No user id or username for: #{identifier}") if @current_user.nil? end + @current_user end def sudo_identifier() identifier ||= params[SUDO_PARAM] ||= env[SUDO_HEADER] + # Regex for integers if (!!(identifier =~ /^[0-9]+$/)) identifier.to_i @@ -29,6 +33,7 @@ module API def set_current_user_for_thread Thread.current[:current_user] = current_user + begin yield ensure |