Commit graph

7 commits

Author SHA1 Message Date
Sean McGivern
6dc424c949 Merge branch '29903-remove-user-is-admin-flag-from-api' into 'master'
Don't display the `is_admin?` flag for user API responses

Closes #29903

See merge request !10846
2017-04-25 10:57:32 +00:00
Timothy Andrew
34b71e734b Don't display the is_admin? flag for user API responses.
- To prevent an attacker from enumerating the `/users` API to get a list of all
  the admins.

- Display the `is_admin?` flag wherever we display the `private_token` - at the
  moment, there are two instances:

  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
2017-04-25 09:46:05 +00:00
Jacopo
ff76adb547 Unnecessary "include WaitForAjax" and "include ApiHelpers"
Removed all the unnecessary include of `WaitForAjax` and `ApiHelpers` in the specs.
Removed unnecessary usage of `api:true`
2017-04-21 22:32:02 +02:00
Livier
eb4f15571d Changed API spec files to describe the correct class
Restore changes for api spec files

Fix error in rspec Users

Delete extra space Repositories-spec
2016-11-28 10:55:27 -07:00
tiagonbotelho
1d268a89de adds second batch of tests changed to active tense 2016-08-09 15:11:39 +01:00
Z.J. van de Weg
abca19da8b Use HTTP matchers if possible 2016-06-27 20:10:42 +02:00
Artem V. Navrotskiy
8ec59bd18b Add API method for get user by ID of an SSH key 2015-09-03 15:47:22 +03:00