From fa7d99ebd4cd86134e33f9f79e2b92f50de3af6c Mon Sep 17 00:00:00 2001
From: Robert Schilling <rschilling@student.tugraz.at>
Date: Sat, 16 Apr 2016 10:23:36 +0200
Subject: API: Present an array of Gitlab::Git::Tag instead of array of rugged
 tags

---
 lib/api/tags.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/api')

diff --git a/lib/api/tags.rb b/lib/api/tags.rb
index d1a10479e44..3e1ed3fe5c7 100644
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
@@ -12,7 +12,7 @@ module API
       # Example Request:
       #   GET /projects/:id/repository/tags
       get ":id/repository/tags" do
-        present user_project.repo.tags.sort_by(&:name).reverse,
+        present user_project.repository.tags.sort_by(&:name).reverse,
                 with: Entities::RepoTag, project: user_project
       end
 
-- 
cgit v1.2.1


From ce96d482d9056e9acdfea02d055c2706653cba92 Mon Sep 17 00:00:00 2001
From: Felipe Artur <felipefac@gmail.com>
Date: Wed, 6 Apr 2016 18:09:24 -0300
Subject: Insert users check into api

---
 lib/api/api_guard.rb |  4 ++++
 lib/api/users.rb     | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

(limited to 'lib/api')

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index b9994fcefda..6ce5529abfa 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -79,6 +79,10 @@ module APIGuard
       @current_user
     end
 
+    def public_access_restricted?
+      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
+    end
+
     private
     def find_access_token
       @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 0a14bac07c0..9647a40686e 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -11,6 +11,10 @@ module API
       #  GET /users?search=Admin
       #  GET /users?username=root
       get do
+        if !current_user && public_access_restricted?
+          render_api_error!("Not authorized.", 403)
+        end
+
         if params[:username].present?
           @users = User.where(username: params[:username])
         else
@@ -36,10 +40,12 @@ module API
       get ":id" do
         @user = User.find(params[:id])
 
-        if current_user.is_admin?
+        if current_user.present? && current_user.is_admin?
           present @user, with: Entities::UserFull
-        else
+        elsif can?(current_user, :read_user, @user)
           present @user, with: Entities::User
+        else
+          render_api_error!("User not found.", 404)
         end
       end
 
-- 
cgit v1.2.1


From 820c08cefd78e593e94012061be29000d523ffd0 Mon Sep 17 00:00:00 2001
From: Felipe Artur <felipefac@gmail.com>
Date: Tue, 12 Apr 2016 12:04:33 -0300
Subject: Fix documentation and improve permissions code

---
 lib/api/api_guard.rb | 4 ----
 lib/api/users.rb     | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

(limited to 'lib/api')

diff --git a/lib/api/api_guard.rb b/lib/api/api_guard.rb
index 6ce5529abfa..b9994fcefda 100644
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -79,10 +79,6 @@ module APIGuard
       @current_user
     end
 
-    def public_access_restricted?
-      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
-    end
-
     private
     def find_access_token
       @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 9647a40686e..315268fc0ca 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -11,7 +11,7 @@ module API
       #  GET /users?search=Admin
       #  GET /users?username=root
       get do
-        if !current_user && public_access_restricted?
+        unless can?(current_user, :read_users_list, nil)
           render_api_error!("Not authorized.", 403)
         end
 
-- 
cgit v1.2.1


From 2366768d3b28ea70c91fc49c471e66152650d442 Mon Sep 17 00:00:00 2001
From: Felipe Artur <felipefac@gmail.com>
Date: Wed, 13 Apr 2016 15:37:17 -0300
Subject: Add changelog entry

---
 lib/api/users.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/api')

diff --git a/lib/api/users.rb b/lib/api/users.rb
index 315268fc0ca..ea6fa2dc8a8 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -40,7 +40,7 @@ module API
       get ":id" do
         @user = User.find(params[:id])
 
-        if current_user.present? && current_user.is_admin?
+        if current_user && current_user.is_admin?
           present @user, with: Entities::UserFull
         elsif can?(current_user, :read_user, @user)
           present @user, with: Entities::User
-- 
cgit v1.2.1


From b9698d2b4512cca4687579aafba6a4403cbc6067 Mon Sep 17 00:00:00 2001
From: Yorick Peterse <yorickpeterse@gmail.com>
Date: Mon, 18 Apr 2016 17:42:48 +0200
Subject: Add "action" tag to /internal/allowed API

This allows us to re-use any other analytics that rely on the "action"
tag having a value set.
---
 lib/api/internal.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'lib/api')

diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 2200208b946..8cfa1f1556b 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -23,9 +23,11 @@ module API
       end
 
       post "/allowed" do
+        Gitlab::Metrics.tag_transaction('action', 'Grape#/internal/allowed')
+
         status 200
 
-        actor = 
+        actor =
           if params[:key_id]
             Key.find_by(id: params[:key_id])
           elsif params[:user_id]
@@ -33,7 +35,7 @@ module API
           end
 
         project_path = params[:project]
-        
+
         # Check for *.wiki repositories.
         # Strip out the .wiki from the pathname before finding the
         # project. This applies the correct project permissions to
-- 
cgit v1.2.1