diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2016-08-26 09:37:57 +0530 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2016-08-31 12:33:24 +0530 |
| commit | 727dff3f158b9ef852b2b014d4efe0abd69a23d0 (patch) | |
| tree | 0f2a3d3819fd4ac40c614555e237a15f9fefc3dd /lib/api | |
| parent | 4d042afeced540c0acd887714d8ec7c962b7c507 (diff) | |
| download | gitlab-ce-727dff3f158b9ef852b2b014d4efe0abd69a23d0.tar.gz | |
Don't expose a user's private token in the `/api/v3/user` API.
- This would allow anyone with a personal access token (even a read-only
token, once scopes are implemented) to escalate their access by
obtaining the private token.
Diffstat (limited to 'lib/api')
| -rw-r--r-- | lib/api/users.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb index 8a376d3c2a3..c440305ff0f 100644 --- a/lib/api/users.rb +++ b/lib/api/users.rb @@ -327,7 +327,7 @@ module API # Example Request: # GET /user get do - present @current_user, with: Entities::UserLogin + present @current_user, with: Entities::UserFull end # Get currently authenticated user's keys |