lib · 20f679d620380b5b5e662b790c76caf256867b01 · Forest Godfrey / gitlab-ce

Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6

authored Jun 26, 2017

- The issue filtering frontend code needs access to this API for non-logged-in
  users + public projects. It uses the API to fetch information for a user by
  username.

- We don't authenticate this API anymore, but instead - if the `current_user` is
  not present:

  - Verify that the `username` parameter has been passed. This disallows an
    unauthenticated user from grabbing a list of all users on the instance. The
    `UsersFinder` class performs an exact match on the `username`, so we are
    guaranteed to get 0 or 1 users.
  - Verify that the resulting user (if any) is accessible to be viewed publicly
    by calling `can?(current_user, :read_user, user)`

20f679d6

Name	Last commit	Last update
..
api		Loading commit data...
assets		Loading commit data...
backup		Loading commit data...
banzai		Loading commit data...
bitbucket		Loading commit data...
ci		Loading commit data...
constraints		Loading commit data...
container_registry		Loading commit data...
generators/rails/post_deployment_migration		Loading commit data...
github		Loading commit data...
gitlab		Loading commit data...
json_web_token		Loading commit data...
mattermost		Loading commit data...
microsoft_teams		Loading commit data...
omni_auth		Loading commit data...
peek/rblineprof		Loading commit data...
rouge		Loading commit data...
support		Loading commit data...
system_check		Loading commit data...
tasks		Loading commit data...
additional_email_headers_interceptor.rb		Loading commit data...
banzai.rb		Loading commit data...
disable_email_interceptor.rb		Loading commit data...
email_template_interceptor.rb		Loading commit data...
event_filter.rb		Loading commit data...
expand_variables.rb		Loading commit data...
extracts_path.rb		Loading commit data...
feature.rb		Loading commit data...
file_size_validator.rb		Loading commit data...
file_streamer.rb		Loading commit data...
gitlab.rb		Loading commit data...
gt_one_coercion.rb		Loading commit data...
repository_cache.rb		Loading commit data...
static_model.rb		Loading commit data...
system_check.rb		Loading commit data...
unfold_form.rb		Loading commit data...
uploaded_file.rb		Loading commit data...
version_check.rb		Loading commit data...