Commit graph

7 commits

Author SHA1 Message Date
Markus Koller
e9eae3eb0d Support custom attributes on users 2017-09-28 16:49:42 +00:00
James Lopez
cda7cbde03 refactor created at filter to use model scopes 2017-07-07 18:31:50 +02:00
James Lopez
377244dd45 refactor filters 2017-07-07 11:38:01 +02:00
James Lopez
1a7d2aba3b add created at filter logic to users finder and API 2017-07-07 10:38:57 +02:00
Timothy Andrew
3c88a7869b Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
  fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
  visibility level is not restricted.

- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
  the `username` parameter is passed.

- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
  route + method, rather than the description.

- Change the type of `current_user` check in `UsersFinder` to be more
  compatible with EE.
2017-06-30 13:06:03 +00:00
Timothy Andrew
20f679d620 Allow unauthenticated access to the /api/v4/users API.
- The issue filtering frontend code needs access to this API for non-logged-in
  users + public projects. It uses the API to fetch information for a user by
  username.

- We don't authenticate this API anymore, but instead - if the `current_user` is
  not present:

  - Verify that the `username` parameter has been passed. This disallows an
    unauthenticated user from grabbing a list of all users on the instance. The
    `UsersFinder` class performs an exact match on the `username`, so we are
    guaranteed to get 0 or 1 users.
  - Verify that the resulting user (if any) is accessible to be viewed publicly
    by calling `can?(current_user, :read_user, user)`
2017-06-26 07:20:30 +00:00
George Andrinopoulos
872e7b7efe Create a Users Finder 2017-05-15 13:53:12 +00:00