Merge branch 'api_ldap' into 'master'

Check user access during API calls
Dmitriy Zaporozhets 2014-05-15 16:57:05 +00:00
commit 39eac7b0b9
5 changed files with 36 additions and 12 deletions


@ -16,6 +16,7 @@ v 6.9.0
- Two Step MR creation process - Two Step MR creation process
- Remove unwanted files from satellite working directory with git clean -fdx - Remove unwanted files from satellite working directory with git clean -fdx
- Accept merge request via API (sponsored by O'Reilly Media) - Accept merge request via API (sponsored by O'Reilly Media)
- Add more access checks during API calls
v 6.8.0 v 6.8.0
- Ability to at mention users that are participating in issue and merge req. discussion - Ability to at mention users that are participating in issue and merge req. discussion


@ -8,6 +8,11 @@ module API
def current_user def current_user
private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
@current_user ||= User.find_by(authentication_token: private_token) @current_user ||= User.find_by(authentication_token: private_token)
unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
return nil
end
identifier = sudo_identifier() identifier = sudo_identifier()
# If the sudo is the current user do nothing # If the sudo is the current user do nothing
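Review bot: The new guard calls `Gitlab::UserAccess.allowed?` on every invocation of `current_user`, and for LDAP users that helper opens an LDAP connection each time (the `Gitlab::LDAP::Access.open` block in the new `lib/gitlab/user_access.rb`), so a request that reaches `current_user` several times pays several directory round trips and a slow directory can stall the API. Consider memoizing the decision next to the user, e.g. `return nil unless @current_user`, then `@user_access_allowed = Gitlab::UserAccess.allowed?(@current_user) if @user_access_allowed.nil?`, then `return nil unless @user_access_allowed`. The sudo handling below the hunk appears to substitute another user for `@current_user`; if it does, that user needs the same `allowed?` check, which I cannot confirm from here. `current_user` continues past the end of the hunk.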


@ -61,18 +61,7 @@ module Gitlab
private private
def user_allowed?(user) def user_allowed?(user)
return false if user.blocked? Gitlab::UserAccess.allowed?(user)
if Gitlab.config.ldap.enabled
if user.ldap_user?
# Check if LDAP user exists and match LDAP user_filter
Gitlab::LDAP::Access.open do |adapter|
return false unless adapter.allowed?(user)
end
end
end
true
end end
end end
end end

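--- /dev/null
+++ b/lib/gitlab/user_access.rb
@@ -0,0 +1,18 @@
+module Gitlab
+module UserAccess
+def self.allowed?(user)
+return false if user.blocked?
+if Gitlab.config.ldap.enabled
+if user.ldap_user?
+# Check if LDAP user exists and match LDAP user_filter
+Gitlab::LDAP::Access.open do |adapter|
+return false unless adapter.allowed?(user)
+end
+end
+end
+true
+end
+end
+end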
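Review bot: `allowed?` is now the single authorization gate for both Git-over-SSH/HTTP (`Gitlab::Auth#user_allowed?`) and the API, but it carries no comment stating its contract or its failure mode. Nothing in the method rescues, so whatever the LDAP adapter raises when the directory is unreachable propagates to the caller rather than being turned into a true or false; that is fail-closed in effect, but it should be written down so nobody later adds a `rescue` that returns `true`. I would add a comment above `def self.allowed?` saying that it returns true only when the account is not blocked and, for LDAP-provisioned users while LDAP is enabled, the account still exists in the directory and passes the configured user_filter, and that adapter errors are deliberately not rescued here. Note also that a nil `user` raises `NoMethodError` on `user.blocked?`; the API helper guards for that before calling, but `Gitlab::Auth#user_allowed?` callers are outside this view, so a `return false unless user` guard would be cheap insurance.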


@ -39,6 +39,17 @@ describe API, api: true do
end end
describe ".current_user" do describe ".current_user" do
it "should return nil for an invalid token" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
current_user.should be_nil
end
it "should return nil for a user without access" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
Gitlab::UserAccess.stub(allowed?: false)
current_user.should be_nil
end
it "should leave user as is when sudo not specified" do it "should leave user as is when sudo not specified" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
current_user.should == user current_user.should == user
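Review bot: The "user without access" example stubs `Gitlab::UserAccess.allowed?` to return false for any argument, so it never verifies that the helper is consulted with the token's user; `Gitlab::UserAccess.should_receive(:allowed?).with(user).and_return(false)` would pin that and fail if the check were ever bypassed. There is also no example that drives the real `blocked?` branch end to end, e.g. blocking `user` (if the User model exposes a block method) and asserting `current_user.should be_nil`, which is the case an attacker actually cares about. The `describe ".current_user"` block continues past the end of the hunk, so a sudo-plus-access-check example may or may not already exist below.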