From 3e4b45fc216875ff25647675d92448a53a740d9b Mon Sep 17 00:00:00 2001
From: Robert Speicher
Date: Thu, 14 Dec 2017 13:32:55 -0600
Subject: Only include the user's ID in the time_spent command's update hash

Previously, this would include the entire User record in the update hash, which was rendered in the response using `to_json`, erroneously exposing every attribute of that record, including their (now removed) private token.

Now we only include the user ID, and perform the lookup on-demand.
---
 lib/api/time_tracking_endpoints.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/api/time_tracking_endpoints.rb')

diff --git a/lib/api/time_tracking_endpoints.rb b/lib/api/time_tracking_endpoints.rb
index df4632346dd..2bb451dea89 100644
--- a/lib/api/time_tracking_endpoints.rb
+++ b/lib/api/time_tracking_endpoints.rb
@@ -85,7 +85,7 @@ module API
 update_issuable(spend_time: {
 duration: Gitlab::TimeTrackingFormatter.parse(params.delete(:duration)),
- user: current_user
+ user_id: current_user.id
 })
 end
@@ -97,7 +97,7 @@ module API
 authorize! update_issuable_key, load_issuable
 status :ok
- update_issuable(spend_time: { duration: :reset, user: current_user })
+ update_issuable(spend_time: { duration: :reset, user_id: current_user.id })
 end
 desc "Show time stats for a project #{issuable_name}"
--
cgit v1.2.1
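Review bot: The new `user_id: current_user.id` key in the first hunk (and the same change in the second hunk at line 100) is only half of the fix — the commit message says the lookup is now performed on demand, but this diff is limited to lib/api/time_tracking_endpoints.rb, so the consumer of `spend_time` that must resolve `user_id` back to a User is not visible here and should be confirmed to accept the new key rather than `user`, otherwise spent time would be recorded without its author. The reason for passing only the id is not obvious from the code and will invite someone to "simplify" it back; a short comment on the hash would keep the regression from recurring, e.g. `# Pass only the id: this update hash is echoed back in the response via to_json, so a full User record would leak every attribute.` A response-shape regression test asserting the JSON body contains no user attributes beyond the id would pin this. `current_user.id` presumes an authenticated user; the second hunk's `authorize!` call appears to guarantee that, but the first hunk's method starts outside the hunk, so its guard cannot be confirmed from here.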