From 34b71e734b0b01dd28e18be4728f93fbd4d1a561 Mon Sep 17 00:00:00 2001
From: Timothy Andrew <mail@timothyandrew.net>
Date: Fri, 21 Apr 2017 09:47:58 +0000
Subject: Don't display the `is_admin?` flag for user API responses.

- To prevent an attacker from enumerating the `/users` API to get a list of all
  the admins.

- Display the `is_admin?` flag wherever we display the `private_token` - at the
  moment, there are two instances:

  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
---
 lib/api/session.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/api/session.rb')

diff --git a/lib/api/session.rb b/lib/api/session.rb
index 002ffd1d154..016415c3023 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -1,7 +1,7 @@
 module API
   class Session < Grape::API
     desc 'Login to get token' do
-      success Entities::UserWithPrivateToken
+      success Entities::UserWithPrivateDetails
     end
     params do
       optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
 
       return unauthorized! unless user
       return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
-      present user, with: Entities::UserWithPrivateToken
+      present user, with: Entities::UserWithPrivateDetails
     end
   end
 end
-- 
cgit v1.2.1