From 727dff3f158b9ef852b2b014d4efe0abd69a23d0 Mon Sep 17 00:00:00 2001
From: Timothy Andrew
Date: Fri, 26 Aug 2016 09:37:57 +0530
Subject: Don't expose a user's private token in the `/api/v3/user` API.

- This would allow anyone with a personal access token (even a read-only token, once scopes are implemented) to escalate their access by obtaining the private token.
---
 spec/requests/api/users_spec.rb | 1 +
 1 file changed, 1 insertion(+)

(limited to 'spec/requests/api/users_spec.rb')

diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 0bbba64a6d5..ef73778efa9 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -605,6 +605,7 @@ describe API::API, api: true do
 expect(json_response['can_create_project']).to eq(user.can_create_project?)
 expect(json_response['can_create_group']).to eq(user.can_create_group?)
 expect(json_response['projects_limit']).to eq(user.projects_limit)
+ expect(json_response['private_token']).to be_blank
 end
 
 it "returns 401 error if user is unauthenticated" do
-- 
cgit v1.2.1
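Review bot: The added assertion `expect(json_response['private_token']).to be_blank` is weaker than the intent in the commit message, because `be_blank` also passes when the key is present with an empty string, and a reader cannot tell from it whether the field was removed from the entity or merely emptied; `expect(json_response).not_to have_key('private_token')` pins the behaviour the commit actually describes (the field is no longer serialised). The `it` example containing this line starts outside the hunk, and this view is limited to `spec/requests/api/users_spec.rb`, so the corresponding entity change is not visible here and is presumably in a separate file of the same commit. If other examples in this spec exercise endpoints that serialise a user through the same entity, they would benefit from the same negative assertion so a regression in one place cannot re-expose the token unnoticed.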