Commit graph

5 commits

Author SHA1 Message Date
Timothy Andrew
5dedea358d Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api
- Modify policy code to work with the `DeclarativePolicy` refactor
  in 37c401433b.
2017-06-30 13:45:51 +00:00
Timothy Andrew
3c88a7869b Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
  fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
  visibility level is not restricted.

- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
  the `username` parameter is passed.

- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
  route + method, rather than the description.

- Change the type of `current_user` check in `UsersFinder` to be more
  compatible with EE.
2017-06-30 13:06:03 +00:00
http://jneen.net/
37c401433b convert all the policies to DeclarativePolicy 2017-06-27 12:44:37 -07:00
Timothy Andrew
6fdb17cbbe
Don't allow deleting a ghost user.
- Add a `destroy_user` ability. This didn't exist before, and was implicit in
  other abilities (only admins could access the admin area, so only they could
  destroy all users; a user can only access their own account page, and so can
  destroy only themselves).

- Grant this ability to admins, and when the current user is trying to destroy
  themselves. Disallow destroying ghost users in all cases.

- Modify the `Users::DestroyService` to check this ability. Also check it in
  views to decide whether or not to show the "Delete User" button.

- Add a short summary of the Ghost User to the bio.
2017-02-24 16:50:20 +05:30
http://jneen.net/
a340829c42 port UserPolicy 2016-08-30 11:39:22 -07:00