Merge branch '33260-allow-admins-to-list-admins' into 'master'

Re-instate is_admin flag in users API is current user is an admin

Closes #33260

See merge request !12211
This commit is contained in:
Rémy Coutable 2017-06-20 14:54:30 +00:00
commit 1d15ad02cb
6 changed files with 53 additions and 4 deletions

View file

@ -0,0 +1,4 @@
---
title: Reinstate is_admin flag in users api when authenticated user is an admin
merge_request: 12211
author: rickettm

View file

@ -62,6 +62,7 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null,
"location": null,
"skype": "",
@ -94,6 +95,7 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg",
"web_url": "http://localhost:3000/jack_smith",
"created_at": "2012-05-23T08:01:01Z",
"is_admin": false,
"bio": null,
"location": null,
"skype": "",
@ -197,6 +199,7 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null,
"location": null,
"skype": "",

View file

@ -43,11 +43,14 @@ module API
expose :external
end
class UserWithPrivateDetails < UserPublic
expose :private_token
class UserWithAdmin < UserPublic
expose :admin?, as: :is_admin
end
class UserWithPrivateDetails < UserWithAdmin
expose :private_token
end
class Email < Grape::Entity
expose :id, :email
end

View file

@ -59,7 +59,7 @@ module API
users = UsersFinder.new(current_user, params).execute
entity = current_user.admin? ? Entities::UserPublic : Entities::UserBasic
entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic
present paginate(users), with: entity
end

View file

@ -11,7 +11,7 @@ describe API::Users do
let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 }
let(:not_existing_pat_id) { (PersonalAccessToken.maximum('id') || 0 ) + 10 }
describe "GET /users" do
describe 'GET /users' do
context "when unauthenticated" do
it "returns authentication error" do
get api("/users")
@ -76,6 +76,12 @@ describe API::Users do
expect(response).to have_http_status(403)
end
it 'does not reveal the `is_admin` flag of the user' do
get api('/users', user)
expect(json_response.first.keys).not_to include 'is_admin'
end
end
context "when admin" do
@ -92,6 +98,7 @@ describe API::Users do
expect(json_response.first.keys).to include 'two_factor_enabled'
expect(json_response.first.keys).to include 'last_sign_in_at'
expect(json_response.first.keys).to include 'confirmed_at'
expect(json_response.first.keys).to include 'is_admin'
end
it "returns an array of external users" do

View file

@ -7,6 +7,38 @@ describe API::V3::Users do
let(:email) { create(:email, user: user) }
let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
describe 'GET /users' do
context 'when authenticated' do
it 'returns an array of users' do
get v3_api('/users', user)
expect(response).to have_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
username = user.username
expect(json_response.detect do |user|
user['username'] == username
end['username']).to eq(username)
end
end
context 'when authenticated as user' do
it 'does not reveal the `is_admin` flag of the user' do
get v3_api('/users', user)
expect(json_response.first.keys).not_to include 'is_admin'
end
end
context 'when authenticated as admin' do
it 'reveals the `is_admin` flag of the user' do
get v3_api('/users', admin)
expect(json_response.first.keys).to include 'is_admin'
end
end
end
describe 'GET /user/:id/keys' do
before { admin }