spec · 34b71e734b0b01dd28e18be4728f93fbd4d1a561 · Forest Godfrey / gitlab-ce

Don't display the `is_admin?` flag for user API responses. · 34b71e73

authored Apr 21, 2017

- To prevent an attacker from enumerating the `/users` API to get a list of all
  the admins.

- Display the `is_admin?` flag wherever we display the `private_token` - at the
  moment, there are two instances:

  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint

34b71e73

Name	Last commit	Last update
..
bin		Loading commit data...
config		Loading commit data...
controllers		Loading commit data...
db/production		Loading commit data...
factories		Loading commit data...
features		Loading commit data...
finders		Loading commit data...
fixtures		Loading commit data...
helpers		Loading commit data...
initializers		Loading commit data...
javascripts		Loading commit data...
lib		Loading commit data...
mailers		Loading commit data...
migrations		Loading commit data...
models		Loading commit data...
policies		Loading commit data...
presenters		Loading commit data...
requests		Loading commit data...
routing		Loading commit data...
rubocop/cop		Loading commit data...
serializers		Loading commit data...
services		Loading commit data...
support		Loading commit data...
tasks		Loading commit data...
uploaders		Loading commit data...
views		Loading commit data...
workers		Loading commit data...
factories_spec.rb		Loading commit data...
rails_helper.rb		Loading commit data...
rake_helper.rb		Loading commit data...
simplecov_env.rb		Loading commit data...
spec_helper.rb		Loading commit data...