Merge branch 'more-secure-api' into 'master'
More secure api Dont expose user email via API. Fixes #1314
This commit is contained in:
commit
87fd342a23
|
@ -35,6 +35,7 @@ v 7.0.0
|
||||||
- Be more selective when killing stray Sidekiqs
|
- Be more selective when killing stray Sidekiqs
|
||||||
- Check LDAP user filter during sign-in
|
- Check LDAP user filter during sign-in
|
||||||
- Remove wall feature (no data loss - you can take it from database)
|
- Remove wall feature (no data loss - you can take it from database)
|
||||||
|
- Dont expose user emails via API unless you are admin
|
||||||
|
|
||||||
v 6.9.2
|
v 6.9.2
|
||||||
- Revert the commit that broke the LDAP user filter
|
- Revert the commit that broke the LDAP user filter
|
||||||
|
|
|
@ -37,13 +37,9 @@
|
||||||
|
|
||||||
projectUserFormatResult: (user) ->
|
projectUserFormatResult: (user) ->
|
||||||
if user.avatar_url
|
if user.avatar_url
|
||||||
avatar = gon.relative_url_root + user.avatar_url
|
avatar = user.avatar_url
|
||||||
else if gon.gravatar_enabled
|
|
||||||
avatar = gon.gravatar_url
|
|
||||||
avatar = avatar.replace('%{hash}', md5(user.email))
|
|
||||||
avatar = avatar.replace('%{size}', '24')
|
|
||||||
else
|
else
|
||||||
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
|
avatar = gon.default_avatar_url
|
||||||
|
|
||||||
if user.id == ''
|
if user.id == ''
|
||||||
avatarMarkup = ''
|
avatarMarkup = ''
|
||||||
|
|
|
@ -1,13 +1,9 @@
|
||||||
$ ->
|
$ ->
|
||||||
userFormatResult = (user) ->
|
userFormatResult = (user) ->
|
||||||
if user.avatar_url
|
if user.avatar_url
|
||||||
avatar = gon.relative_url_root + user.avatar_url
|
avatar = user.avatar_url
|
||||||
else if gon.gravatar_enabled
|
|
||||||
avatar = gon.gravatar_url
|
|
||||||
avatar = avatar.replace('%{hash}', md5(user.email))
|
|
||||||
avatar = avatar.replace('%{size}', '24')
|
|
||||||
else
|
else
|
||||||
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
|
avatar = gon.default_avatar_url
|
||||||
|
|
||||||
"<div class='user-result'>
|
"<div class='user-result'>
|
||||||
<div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
|
<div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
|
||||||
|
|
|
@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
|
||||||
def add_gon_variables
|
def add_gon_variables
|
||||||
gon.default_issues_tracker = Project.issues_tracker.default_value
|
gon.default_issues_tracker = Project.issues_tracker.default_value
|
||||||
gon.api_version = API::API.version
|
gon.api_version = API::API.version
|
||||||
gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
|
|
||||||
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
|
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
|
||||||
gon.gravatar_enabled = Gitlab.config.gravatar.enabled
|
gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
|
||||||
|
|
||||||
if current_user
|
if current_user
|
||||||
gon.current_user_id = current_user.id
|
gon.current_user_id = current_user.id
|
||||||
|
|
|
@ -60,23 +60,21 @@ module ApplicationHelper
|
||||||
|
|
||||||
def avatar_icon(user_email = '', size = nil)
|
def avatar_icon(user_email = '', size = nil)
|
||||||
user = User.find_by(email: user_email)
|
user = User.find_by(email: user_email)
|
||||||
if user && user.avatar.present?
|
|
||||||
user.avatar.url
|
if user
|
||||||
|
user.avatar_url(size) || default_avatar
|
||||||
else
|
else
|
||||||
gravatar_icon(user_email, size)
|
gravatar_icon(user_email, size)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def gravatar_icon(user_email = '', size = nil)
|
def gravatar_icon(user_email = '', size = nil)
|
||||||
size = 40 if size.nil? || size <= 0
|
GravatarService.new.execute(user_email, size) ||
|
||||||
|
default_avatar
|
||||||
if !Gitlab.config.gravatar.enabled || user_email.blank?
|
|
||||||
image_path('no_avatar.png')
|
|
||||||
else
|
|
||||||
gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
|
|
||||||
user_email.strip!
|
|
||||||
sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def default_avatar
|
||||||
|
image_path('no_avatar.png')
|
||||||
end
|
end
|
||||||
|
|
||||||
def last_commit(project)
|
def last_commit(project)
|
||||||
|
|
|
@ -482,4 +482,12 @@ class User < ActiveRecord::Base
|
||||||
def public_profile?
|
def public_profile?
|
||||||
authorized_projects.public_only.any?
|
authorized_projects.public_only.any?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def avatar_url(size = nil)
|
||||||
|
if avatar.present?
|
||||||
|
URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
|
||||||
|
else
|
||||||
|
GravatarService.new.execute(email, size)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
class GravatarService
|
||||||
|
def execute(email, size = nil)
|
||||||
|
if gravatar_config.enabled && email.present?
|
||||||
|
size = 40 if size.nil? || size <= 0
|
||||||
|
|
||||||
|
sprintf gravatar_url,
|
||||||
|
hash: Digest::MD5.hexdigest(email.strip.downcase),
|
||||||
|
size: size,
|
||||||
|
email: email.strip
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def gitlab_config
|
||||||
|
Gitlab.config.gitlab
|
||||||
|
end
|
||||||
|
|
||||||
|
def gravatar_config
|
||||||
|
Gitlab.config.gravatar
|
||||||
|
end
|
||||||
|
|
||||||
|
def gravatar_url
|
||||||
|
if gitlab_config.https
|
||||||
|
gravatar_config.ssl_url
|
||||||
|
else
|
||||||
|
gravatar_config.plain_url
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -6,6 +6,34 @@ Get a list of users.
|
||||||
|
|
||||||
This function takes pagination parameters `page` and `per_page` to restrict the list of users.
|
This function takes pagination parameters `page` and `per_page` to restrict the list of users.
|
||||||
|
|
||||||
|
### For normal users:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /users
|
||||||
|
```
|
||||||
|
|
||||||
|
```json
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"id": 1,
|
||||||
|
"username": "john_smith",
|
||||||
|
"name": "John Smith",
|
||||||
|
"state": "active",
|
||||||
|
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"id": 2,
|
||||||
|
"username": "jack_smith",
|
||||||
|
"name": "Jack Smith",
|
||||||
|
"state": "blocked",
|
||||||
|
"avatar_url": "http://gravatar.com/../e32131cd8.jpeg",
|
||||||
|
}
|
||||||
|
]
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### For admins:
|
||||||
|
|
||||||
```
|
```
|
||||||
GET /users
|
GET /users
|
||||||
```
|
```
|
||||||
|
@ -29,6 +57,7 @@ GET /users
|
||||||
"theme_id": 1,
|
"theme_id": 1,
|
||||||
"color_scheme_id": 2,
|
"color_scheme_id": 2,
|
||||||
"is_admin": false,
|
"is_admin": false,
|
||||||
|
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
|
||||||
"can_create_group": true
|
"can_create_group": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -48,6 +77,7 @@ GET /users
|
||||||
"theme_id": 1,
|
"theme_id": 1,
|
||||||
"color_scheme_id": 3,
|
"color_scheme_id": 3,
|
||||||
"is_admin": false,
|
"is_admin": false,
|
||||||
|
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
|
||||||
"can_create_group": true,
|
"can_create_group": true,
|
||||||
"can_create_project": true
|
"can_create_project": true
|
||||||
}
|
}
|
||||||
|
@ -62,6 +92,29 @@ Also see `def search query` in `app/models/user.rb`.
|
||||||
|
|
||||||
Get a single user.
|
Get a single user.
|
||||||
|
|
||||||
|
#### For user:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET /users/:id
|
||||||
|
```
|
||||||
|
|
||||||
|
Parameters:
|
||||||
|
|
||||||
|
- `id` (required) - The ID of a user
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"id": 1,
|
||||||
|
"username": "john_smith",
|
||||||
|
"name": "John Smith",
|
||||||
|
"state": "active",
|
||||||
|
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
#### For admin:
|
||||||
|
|
||||||
```
|
```
|
||||||
GET /users/:id
|
GET /users/:id
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,28 +1,27 @@
|
||||||
module API
|
module API
|
||||||
module Entities
|
module Entities
|
||||||
class User < Grape::Entity
|
|
||||||
expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
|
|
||||||
:theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
|
|
||||||
expose :is_admin?, as: :is_admin
|
|
||||||
expose :can_create_group?, as: :can_create_group
|
|
||||||
expose :can_create_project?, as: :can_create_project
|
|
||||||
|
|
||||||
expose :avatar_url do |user, options|
|
|
||||||
if user.avatar.present?
|
|
||||||
user.avatar.url
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
class UserSafe < Grape::Entity
|
class UserSafe < Grape::Entity
|
||||||
expose :name, :username
|
expose :name, :username
|
||||||
end
|
end
|
||||||
|
|
||||||
class UserBasic < Grape::Entity
|
class UserBasic < UserSafe
|
||||||
expose :id, :username, :email, :name, :state, :created_at
|
expose :id, :state, :avatar_url
|
||||||
end
|
end
|
||||||
|
|
||||||
class UserLogin < User
|
class User < UserBasic
|
||||||
|
expose :created_at
|
||||||
|
expose :is_admin?, as: :is_admin
|
||||||
|
expose :bio, :skype, :linkedin, :twitter, :website_url
|
||||||
|
end
|
||||||
|
|
||||||
|
class UserFull < User
|
||||||
|
expose :email
|
||||||
|
expose :theme_id, :color_scheme_id, :extern_uid, :provider
|
||||||
|
expose :can_create_group?, as: :can_create_group
|
||||||
|
expose :can_create_project?, as: :can_create_project
|
||||||
|
end
|
||||||
|
|
||||||
|
class UserLogin < UserFull
|
||||||
expose :private_token
|
expose :private_token
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -59,4 +59,3 @@ module API
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -209,7 +209,7 @@ module API
|
||||||
@users = User.where(id: user_project.team.users.map(&:id))
|
@users = User.where(id: user_project.team.users.map(&:id))
|
||||||
@users = @users.search(params[:search]) if params[:search].present?
|
@users = @users.search(params[:search]) if params[:search].present?
|
||||||
@users = paginate @users
|
@users = paginate @users
|
||||||
present @users, with: Entities::User
|
present @users, with: Entities::UserBasic
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get a project labels
|
# Get a project labels
|
||||||
|
|
|
@ -13,7 +13,12 @@ module API
|
||||||
@users = @users.active if params[:active].present?
|
@users = @users.active if params[:active].present?
|
||||||
@users = @users.search(params[:search]) if params[:search].present?
|
@users = @users.search(params[:search]) if params[:search].present?
|
||||||
@users = paginate @users
|
@users = paginate @users
|
||||||
present @users, with: Entities::User
|
|
||||||
|
if current_user.is_admin?
|
||||||
|
present @users, with: Entities::UserFull
|
||||||
|
else
|
||||||
|
present @users, with: Entities::UserBasic
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Get a single user
|
# Get a single user
|
||||||
|
@ -24,7 +29,12 @@ module API
|
||||||
# GET /users/:id
|
# GET /users/:id
|
||||||
get ":id" do
|
get ":id" do
|
||||||
@user = User.find(params[:id])
|
@user = User.find(params[:id])
|
||||||
present @user, with: Entities::User
|
|
||||||
|
if current_user.is_admin?
|
||||||
|
present @user, with: Entities::UserFull
|
||||||
|
else
|
||||||
|
present @user, with: Entities::UserBasic
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Create user. Available only for admin
|
# Create user. Available only for admin
|
||||||
|
@ -53,7 +63,7 @@ module API
|
||||||
admin = attrs.delete(:admin)
|
admin = attrs.delete(:admin)
|
||||||
user.admin = admin unless admin.nil?
|
user.admin = admin unless admin.nil?
|
||||||
if user.save
|
if user.save
|
||||||
present user, with: Entities::User
|
present user, with: Entities::UserFull
|
||||||
else
|
else
|
||||||
not_found!
|
not_found!
|
||||||
end
|
end
|
||||||
|
@ -87,7 +97,7 @@ module API
|
||||||
admin = attrs.delete(:admin)
|
admin = attrs.delete(:admin)
|
||||||
user.admin = admin unless admin.nil?
|
user.admin = admin unless admin.nil?
|
||||||
if user.update_attributes(attrs, as: :admin)
|
if user.update_attributes(attrs, as: :admin)
|
||||||
present user, with: Entities::User
|
present user, with: Entities::UserFull
|
||||||
else
|
else
|
||||||
not_found!
|
not_found!
|
||||||
end
|
end
|
||||||
|
|
|
@ -67,10 +67,9 @@ describe ApplicationHelper do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should call gravatar_icon when no avatar is present" do
|
it "should call gravatar_icon when no avatar is present" do
|
||||||
user = create(:user)
|
user = create(:user, email: 'test@example.com')
|
||||||
user.save!
|
user.save!
|
||||||
allow(self).to receive(:gravatar_icon).and_return('gravatar_method_called')
|
avatar_icon(user.email).to_s.should == "http://www.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=40&d=mm"
|
||||||
avatar_icon(user.email).to_s.should == "gravatar_method_called"
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -87,12 +86,12 @@ describe ApplicationHelper do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return default gravatar url" do
|
it "should return default gravatar url" do
|
||||||
allow(self).to receive(:request).and_return(double(:ssl? => false))
|
Gitlab.config.gitlab.stub(https: false)
|
||||||
gravatar_icon(user_email).should match('http://www.gravatar.com/avatar/b58c6f14d292556214bd64909bcdb118')
|
gravatar_icon(user_email).should match('http://www.gravatar.com/avatar/b58c6f14d292556214bd64909bcdb118')
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should use SSL when appropriate" do
|
it "should use SSL when appropriate" do
|
||||||
allow(self).to receive(:request).and_return(double(:ssl? => true))
|
Gitlab.config.gitlab.stub(https: true)
|
||||||
gravatar_icon(user_email).should match('https://secure.gravatar.com')
|
gravatar_icon(user_email).should match('https://secure.gravatar.com')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -93,7 +93,7 @@ describe API::API, api: true do
|
||||||
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
|
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
|
||||||
response.status.should == 201
|
response.status.should == 201
|
||||||
json_response['body'].should == 'hi!'
|
json_response['body'].should == 'hi!'
|
||||||
json_response['author']['email'].should == user.email
|
json_response['author']['username'].should == user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a 400 bad request error if body not given" do
|
it "should return a 400 bad request error if body not given" do
|
||||||
|
@ -112,7 +112,7 @@ describe API::API, api: true do
|
||||||
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!'
|
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!'
|
||||||
response.status.should == 201
|
response.status.should == 201
|
||||||
json_response['body'].should == 'hi!'
|
json_response['body'].should == 'hi!'
|
||||||
json_response['author']['email'].should == user.email
|
json_response['author']['username'].should == user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a 400 bad request error if body not given" do
|
it "should return a 400 bad request error if body not given" do
|
||||||
|
|
|
@ -21,7 +21,7 @@ describe API::API, api: true do
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response.should be_an Array
|
json_response.should be_an Array
|
||||||
json_response.count.should == 2
|
json_response.count.should == 2
|
||||||
json_response.map { |u| u['email'] }.should include user.email
|
json_response.map { |u| u['username'] }.should include user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "finds team members with query string" do
|
it "finds team members with query string" do
|
||||||
|
@ -29,7 +29,7 @@ describe API::API, api: true do
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response.should be_an Array
|
json_response.should be_an Array
|
||||||
json_response.count.should == 1
|
json_response.count.should == 1
|
||||||
json_response.first['email'].should == user.email
|
json_response.first['username'].should == user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a 404 error if id not found" do
|
it "should return a 404 error if id not found" do
|
||||||
|
@ -44,7 +44,7 @@ describe API::API, api: true do
|
||||||
it "should return project team member" do
|
it "should return project team member" do
|
||||||
get api("/projects/#{project.id}/members/#{user.id}", user)
|
get api("/projects/#{project.id}/members/#{user.id}", user)
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response['email'].should == user.email
|
json_response['username'].should == user.username
|
||||||
json_response['access_level'].should == UsersProject::MASTER
|
json_response['access_level'].should == UsersProject::MASTER
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -62,7 +62,7 @@ describe API::API, api: true do
|
||||||
}.to change { UsersProject.count }.by(1)
|
}.to change { UsersProject.count }.by(1)
|
||||||
|
|
||||||
response.status.should == 201
|
response.status.should == 201
|
||||||
json_response['email'].should == user2.email
|
json_response['username'].should == user2.username
|
||||||
json_response['access_level'].should == UsersProject::DEVELOPER
|
json_response['access_level'].should == UsersProject::DEVELOPER
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@ describe API::API, api: true do
|
||||||
}.not_to change { UsersProject.count }.by(1)
|
}.not_to change { UsersProject.count }.by(1)
|
||||||
|
|
||||||
response.status.should == 201
|
response.status.should == 201
|
||||||
json_response['email'].should == user2.email
|
json_response['username'].should == user2.username
|
||||||
json_response['access_level'].should == UsersProject::DEVELOPER
|
json_response['access_level'].should == UsersProject::DEVELOPER
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -101,7 +101,7 @@ describe API::API, api: true do
|
||||||
it "should update project team member" do
|
it "should update project team member" do
|
||||||
put api("/projects/#{project.id}/members/#{user3.id}", user), access_level: UsersProject::MASTER
|
put api("/projects/#{project.id}/members/#{user3.id}", user), access_level: UsersProject::MASTER
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response['email'].should == user3.email
|
json_response['username'].should == user3.username
|
||||||
json_response['access_level'].should == UsersProject::MASTER
|
json_response['access_level'].should == UsersProject::MASTER
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -37,7 +37,7 @@ describe API::API, api: true do
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response.should be_an Array
|
json_response.should be_an Array
|
||||||
json_response.first['name'].should == project.name
|
json_response.first['name'].should == project.name
|
||||||
json_response.first['owner']['email'].should == user.email
|
json_response.first['owner']['username'].should == user.username
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -65,7 +65,7 @@ describe API::API, api: true do
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response.should be_an Array
|
json_response.should be_an Array
|
||||||
json_response.first['name'].should == project.name
|
json_response.first['name'].should == project.name
|
||||||
json_response.first['owner']['email'].should == user.email
|
json_response.first['owner']['username'].should == user.username
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -270,7 +270,7 @@ describe API::API, api: true do
|
||||||
get api("/projects/#{project.id}", user)
|
get api("/projects/#{project.id}", user)
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response['name'].should == project.name
|
json_response['name'].should == project.name
|
||||||
json_response['owner']['email'].should == user.email
|
json_response['owner']['username'].should == user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a project by path name" do
|
it "should return a project by path name" do
|
||||||
|
|
|
@ -20,7 +20,18 @@ describe API::API, api: true do
|
||||||
get api("/users", user)
|
get api("/users", user)
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response.should be_an Array
|
json_response.should be_an Array
|
||||||
json_response.first['email'].should == user.email
|
json_response.first['username'].should == user.username
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context "when admin" do
|
||||||
|
it "should return an array of users" do
|
||||||
|
get api("/users", admin)
|
||||||
|
response.status.should == 200
|
||||||
|
json_response.should be_an Array
|
||||||
|
json_response.first.keys.should include 'email'
|
||||||
|
json_response.first.keys.should include 'extern_uid'
|
||||||
|
json_response.first.keys.should include 'can_create_project'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -29,7 +40,7 @@ describe API::API, api: true do
|
||||||
it "should return a user by id" do
|
it "should return a user by id" do
|
||||||
get api("/users/#{user.id}", user)
|
get api("/users/#{user.id}", user)
|
||||||
response.status.should == 200
|
response.status.should == 200
|
||||||
json_response['email'].should == user.email
|
json_response['username'].should == user.username
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return a 401 if unauthenticated" do
|
it "should return a 401 if unauthenticated" do
|
||||||
|
|
Loading…
Reference in New Issue