diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-07-04 12:19:48 +0000 | 
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-07-04 12:19:48 +0000 | 
| commit | d1488268b2e31b8f3549c6e1e46955619535cd98 (patch) | |
| tree | 649bce69f61984ae85205e340b54f1d6bc121f17 /lib/api/users.rb | |
| parent | 96e986327c4dad9248f9013f191119ffafe4a6d8 (diff) | |
| download | gitlab-ce-d1488268b2e31b8f3549c6e1e46955619535cd98.tar.gz | |
Simplify authentication logic in the v4 users API for !12445.
- Rather than using an explicit check to turn off authentication for the
  `/users` endpoint, simply call `authenticate_non_get!`.
- All `GET` endpoints we wish to restrict already call
  `authenticated_as_admin!`, and so remain inacessible to anonymous users.
- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
  the same access check that `/users` users, and so is safe for use here.
- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
Diffstat (limited to 'lib/api/users.rb')
| -rw-r--r-- | lib/api/users.rb | 9 | 
1 files changed, 8 insertions, 1 deletions
| diff --git a/lib/api/users.rb b/lib/api/users.rb index bad4d76b428..5b9d9a71be4 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,10 +4,13 @@ module API      before do        allow_access_with_scope :read_user if request.get? -      authenticate! unless request_matches_route?('GET', '/api/v4/users')      end      resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do +      before do +        authenticate_non_get! +      end +        helpers do          def find_user(params)            id = params[:user_id] || params[:id] @@ -405,6 +408,10 @@ module API      end      resource :user do +      before do +        authenticate! +      end +        desc 'Get the currently authenticated user' do          success Entities::UserPublic        end | 
