Sean McGivern
6dc424c949
Merge branch '29903-remove-user-is-admin-flag-from-api' into 'master'
...
Don't display the `is_admin?` flag for user API responses
Closes #29903
See merge request !10846
2017-04-25 10:57:32 +00:00
Timothy Andrew
34b71e734b
Don't display the is_admin?
flag for user API responses.
...
- To prevent an attacker from enumerating the `/users` API to get a list of all
the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the
moment, there are two instances:
- When an admin uses `sudo` to view the `/user` endpoint
- When logging in using the `/session` endpoint
2017-04-25 09:46:05 +00:00
Jacopo
ff76adb547
Unnecessary "include WaitForAjax" and "include ApiHelpers"
...
Removed all the unnecessary include of `WaitForAjax` and `ApiHelpers` in the specs.
Removed unnecessary usage of `api:true`
2017-04-21 22:32:02 +02:00
Livier
eb4f15571d
Changed API spec files to describe the correct class
...
Restore changes for api spec files
Fix error in rspec Users
Delete extra space Repositories-spec
2016-11-28 10:55:27 -07:00
tiagonbotelho
1d268a89de
adds second batch of tests changed to active tense
2016-08-09 15:11:39 +01:00
Z.J. van de Weg
abca19da8b
Use HTTP matchers if possible
2016-06-27 20:10:42 +02:00
Artem V. Navrotskiy
8ec59bd18b
Add API method for get user by ID of an SSH key
2015-09-03 15:47:22 +03:00