kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Insert users check into api

Browse source
This commit is contained in:
Felipe Artur 2016-04-06 18:09:24 -03:00
parent 07b38c3b38
commit ce96d482d9
5 changed files with 33 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/models/ability.rb
View file

@ -91,8 +91,8 @@ class Ability
subject.group subject.group
end end
if group if group.public?
rules << :read_group if group.public? rules << :read_group
rules << :read_group_members unless restricted_public_level? rules << :read_group_members unless restricted_public_level?
end end
@ -483,7 +483,7 @@ class Ability
private private
def restricted_public_level? def restricted_public_level?
@public_restricted ||= current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
end end
def named_abilities(name) def named_abilities(name)

4
lib/api/api_guard.rb
View file

@ -79,6 +79,10 @@ module APIGuard
@current_user @current_user
end end
def public_access_restricted?
current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
end
private private
def find_access_token def find_access_token
@access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods) @access_token ||= Doorkeeper.authenticate(doorkeeper_request, Doorkeeper.configuration.access_token_methods)

10
lib/api/users.rb
View file

@ -11,6 +11,10 @@ module API
# GET /users?search=Admin # GET /users?search=Admin
# GET /users?username=root # GET /users?username=root
get do get do
if !current_user && public_access_restricted?
render_api_error!("Not authorized.", 403)
end
if params[:username].present? if params[:username].present?
@users = User.where(username: params[:username]) @users = User.where(username: params[:username])
else else
@ -36,10 +40,12 @@ module API
get ":id" do get ":id" do
@user = User.find(params[:id]) @user = User.find(params[:id])
if current_user.is_admin? if current_user.present? && current_user.is_admin?
present @user, with: Entities::UserFull present @user, with: Entities::UserFull
else elsif can?(current_user, :read_user, @user)
present @user, with: Entities::User present @user, with: Entities::User
else
render_api_error!("User not found.", 404)
end end
end end

2
spec/controllers/users_controller_spec.rb
View file

@ -30,8 +30,6 @@ describe UsersController do
end end
describe 'when logged out' do describe 'when logged out' do
before { stub_application_setting(restricted_visibility_levels: []) }
it 'renders the show template' do it 'renders the show template' do
get :show, username: user.username get :show, username: user.username

18
spec/requests/api/users_spec.rb
View file

@ -20,6 +20,24 @@ describe API::API, api: true do
end end
context "when authenticated" do context "when authenticated" do
#These specs are written just in case API authentication is not required anymore
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
allow_any_instance_of(API::Helpers).to receive(:authenticate!).and_return(true)
end
it "renders 403" do
get api("/users")
expect(response.status).to eq(403)
end
it "renders 404" do
get api("/users/#{user.id}")
expect(response.status).to eq(404)
end
end
it "should return an array of users" do it "should return an array of users" do
get api("/users", user) get api("/users", user)
expect(response.status).to eq(200) expect(response.status).to eq(200)