Commit graph

17 commits

Author SHA1 Message Date
Bob Van Landuyt
d801dd1774 Allows access_(git|api) to anonymous users
The `access_git` and `access_api` were currently never checked for
anonymous users. And they would also be allowed access:

  An anonymous user can clone and pull from a public repo

  An anonymous user can request public information from the API

So the policy didn't actually reflect what we were enforcing.
2018-05-10 17:02:27 +02:00
Bob Van Landuyt
f7f13f9db0 Block access to API & git when terms are enforced
When terms are enforced, but the user has not accepted the terms,
access to the API & git is rejected with a message directing the user
to the web app to accept the terms.
2018-05-10 17:02:27 +02:00
Phil Hughes
93aa6d04c2 moved fork checks into policies 2017-09-29 12:14:39 +01:00
Markus Koller
e9eae3eb0d Support custom attributes on users 2017-09-28 16:49:42 +00:00
Lin Jen-Shin (godfat)
0d35b08180 Allow logged in users to read user list under public restriction 2017-08-01 07:46:13 +00:00
Lin Jen-Shin
25e44edc30 Allow admin to read_users_list even if it's restricted 2017-07-25 16:49:26 +08:00
Timothy Andrew
96e986327c Implement review comments for !12445 from @jneen.
- Fix duplicate `prevent` declaration
- Add spec for `GlobalPolicy`
2017-07-03 05:14:00 +00:00
Timothy Andrew
5dedea358d Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api
- Modify policy code to work with the `DeclarativePolicy` refactor
  in 37c401433b.
2017-06-30 13:45:51 +00:00
Timothy Andrew
3c88a7869b Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
  fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
  visibility level is not restricted.

- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
  the `username` parameter is passed.

- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
  route + method, rather than the description.

- Change the type of `current_user` check in `UsersFinder` to be more
  compatible with EE.
2017-06-30 13:06:03 +00:00
http://jneen.net/
37c401433b convert all the policies to DeclarativePolicy 2017-06-27 12:44:37 -07:00
Eric Eastwood
ea090291bb Rename "Slash commands" to "Quick actions"
Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/27070

Deprecate "chat commands" in favor of "slash commands"

We looked for things like:

 - `slash commmand`
 - `slash_command`
 - `slash-command`
 - `SlashCommand`
2017-06-15 09:01:56 -05:00
Felipe Artur
60c121ebc2 Backport permissions and multi-line array to CE 2017-04-07 10:53:29 +01:00
http://jneen.net/
f7a111e976 use policies to protect sending email 2017-03-09 11:49:53 -08:00
http://jneen.net/
0ea04cc5bf use the policy stack to protect logins 2017-03-09 11:49:52 -08:00
http://jneen.net/
d9cfed07cd add User#internal? and some global permissions 2017-03-09 11:49:52 -08:00
http://jneen.net/
b7d3000013 line break after guard clause 2016-08-30 11:39:22 -07:00
http://jneen.net/
9a0ea13501 factor in global permissions 2016-08-30 11:39:22 -07:00