diff options
| -rw-r--r-- | lib/api/helpers.rb | 5 | ||||
| -rw-r--r-- | spec/requests/api/api_helpers_spec.rb | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index 7ee4b9d1381..654c1f62c6c 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -8,6 +8,11 @@ module API def current_user private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s @current_user ||= User.find_by(authentication_token: private_token) + + unless @current_user && Gitlab::UserAccess.allowed?(@current_user) + return nil + end + identifier = sudo_identifier() # If the sudo is the current user do nothing diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb index 2dcbce09b27..a4869476574 100644 --- a/spec/requests/api/api_helpers_spec.rb +++ b/spec/requests/api/api_helpers_spec.rb @@ -44,6 +44,11 @@ describe API, api: true do current_user.should be_nil end + it "should return nil for a user without access" do + Gitlab::UserAccess.stub(allowed?: false) + current_user.should be_nil + end + it "should leave user as is when sudo not specified" do env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token current_user.should == user |