diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-29 07:43:41 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-30 13:06:03 +0000 |
| commit | 3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch) | |
| tree | 4335dcc017f75c382757047a37d7936704cfe9d5 /lib/api | |
| parent | c39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff) | |
| download | gitlab-ce-3c88a7869b87693ba8c3fb9814d39437dd569a31.tar.gz | |
Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/helpers.rb | 4 | ||||
| -rw-r--r-- | lib/api/users.rb | 26 |
2 files changed, 13 insertions, 17 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 1322afaa64f..a3aec8889d7 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -410,8 +410,8 @@ module API # Does the current route match the route identified by # `description`? - def route_matches_description?(description) - options.dig(:route_options, :description) == description + def request_matches_route?(method, route) + request.request_method == method && request.path == route end end end diff --git a/lib/api/users.rb b/lib/api/users.rb index 34619c90d8b..18ce58299e7 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -4,7 +4,7 @@ module API before do allow_access_with_scope :read_user if request.get? - authenticate! unless route_matches_description?("Get the list of users") + authenticate! unless request_matches_route?('GET', '/api/v4/users') end resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do @@ -55,22 +55,18 @@ module API users = UsersFinder.new(current_user, params).execute - authorized = - if current_user - can?(current_user, :read_users_list) - else - # When `current_user` is not present, require that the `username` - # parameter is passed, to prevent an unauthenticated user from accessing - # a list of all the users on the GitLab instance. `UsersFinder` performs - # an exact match on the `username` parameter, so we are guaranteed to - # get either 0 or 1 `users` here. - params[:username].present? && - users.all? { |user| can?(current_user, :read_user, user) } - end + authorized = can?(current_user, :read_users_list) + + # When `current_user` is not present, require that the `username` + # parameter is passed, to prevent an unauthenticated user from accessing + # a list of all the users on the GitLab instance. `UsersFinder` performs + # an exact match on the `username` parameter, so we are guaranteed to + # get either 0 or 1 `users` here. + authorized &&= params[:username].present? if current_user.blank? - render_api_error!("Not authorized.", 403) unless authorized + forbidden!("Not authorized to access /api/v4/users") unless authorized - entity = current_user.try(:admin?) ? Entities::UserWithAdmin : Entities::UserBasic + entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic present paginate(users), with: entity end |