Timothy Andrew
34b71e734b
Don't display the is_admin? flag for user API responses.
...
- To prevent an attacker from enumerating the `/users` API to get a list of all the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the moment, there are two instances:
  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
2017-04-25 09:46:05 +00:00
tiagonbotelho
3ed96afc47
adds impersonator variable and makes sudo usage overall more clear
2016-12-07 14:42:51 +00:00
Robert Schilling
603ebe55f0
Grapify the session API
2016-11-09 17:36:35 +01:00
Patricio Cano
a4137411c6
Small refactor and syntax fixes.
2016-08-18 16:47:26 -05:00
Patricio Cano
e2f9c87600
Added checks for 2FA to the API /sessions endpoint and the Resource Owner Password Credentials flow.
2016-08-18 16:47:26 -05:00
Jacob Vosmaer
0e896ffe4e
Improve Gitlab::Auth method names
...
Auth.find was a very generic name for a very specific method.
Auth.find_in_gitlab_or_ldap was inaccurate in GitLab EE where it also looks in Kerberos.
2016-06-10 14:51:16 +02:00
Jacob Vosmaer
fea591e5c5
Rename finder to find_in_gitlab_or_ldap
2016-06-02 13:42:18 +02:00
Jacob Vosmaer
d1f5019511
Use correct auth finder
2016-05-02 13:19:39 +02:00
Jacob Vosmaer
b1ffc9f0fe
Make CI/Oauth/rate limiting reusable
2016-04-29 18:58:55 +02:00
Dmitriy Zaporozhets
559e83d300
Add LDAP support to /api/session
2013-07-16 11:28:19 +03:00
Dmitriy Zaporozhets
634cbd7138
Refactor API classes, so that API classes like Gitlab::Issues become API::Issues
2013-05-14 15:33:31 +03:00
Nihad Abbasov
b08d33f6a9
API: return 401 for invalid session
2012-09-20 08:38:08 -07:00
Dmitriy Zaporozhets
9aafe77e70
I want to be able to get a token via the API. Used for mobile applications
2012-09-20 17:45:07 +03:00