Check user access status in API for current_user
parent
34fd557055
commit
02b85fd236
|
@ -8,6 +8,11 @@ module API
|
|||
def current_user
|
||||
private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
|
||||
@current_user ||= User.find_by(authentication_token: private_token)
|
||||
|
||||
unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
|
||||
return nil
|
||||
end
|
||||
|
||||
identifier = sudo_identifier()
|
||||
|
||||
# If the sudo is the current user do nothing
|
||||
|
|
|
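Review bot: When the access check fails, the rejected user stays memoized in `@current_user` and only the return value is nil, so any helper that reads the instance variable directly instead of calling `current_user` would still see that user. Clearing it inside the guard closes the gap: add `@current_user = nil` on the line before `return nil`. The guard also calls `Gitlab::UserAccess.allowed?` on every `current_user` invocation; if that check does more than read a local flag, the result may be worth caching per request. The method continues past the end of this hunk into the sudo handling, so it is not visible here whether the user resolved from `sudo_identifier()` gets the same access check; that should be confirmed.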
@ -44,6 +44,11 @@ describe API, api: true do
|
|||
current_user.should be_nil
|
||||
end
|
||||
|
||||
it "should return nil for a user without access" do
|
||||
Gitlab::UserAccess.stub(allowed?: false)
|
||||
current_user.should be_nil
|
||||
end
|
||||
|
||||
it "should leave user as is when sudo not specified" do
|
||||
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
|
||||
current_user.should == user
|
||||
|
|
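Review bot: The new example "should return nil for a user without access" never sets a private token, so unless a `before` block outside this hunk does, `User.find_by` finds nobody and `current_user` is nil anyway. In that case the example passes without ever reaching the `Gitlab::UserAccess.allowed?` guard. Set the token first, as the following example does: `env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token` before the `stub` line. A companion example that stubs `allowed?: true` and expects `current_user.should == user` would pin both sides of the check.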