20f679d620
- The issue filtering frontend code needs access to this API for non-logged-in
users + public projects. It uses the API to fetch information for a user by
username.
- We don't authenticate this API anymore, but instead - if the `current_user` is
not present:
- Verify that the `username` parameter has been passed. This disallows an
unauthenticated user from grabbing a list of all users on the instance. The
`UsersFinder` class performs an exact match on the `username`, so we are
guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly
by calling `can?(current_user, :read_user, user)`
|
||
|---|---|---|
| .. | ||
| api | ||
| ci/api | ||
| projects | ||
| git_http_spec.rb | ||
| jwt_controller_spec.rb | ||
| lfs_http_spec.rb | ||
| openid_connect_spec.rb | ||
| request_profiler_spec.rb | ||