spec/requests/api · c39e4ccfb7cb76b9bdb613399aba2c2467b77751 · Forest Godfrey / gitlab-ce

Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6

authored Jun 26, 2017

- The issue filtering frontend code needs access to this API for non-logged-in
  users + public projects. It uses the API to fetch information for a user by
  username.

- We don't authenticate this API anymore, but instead - if the `current_user` is
  not present:

  - Verify that the `username` parameter has been passed. This disallows an
    unauthenticated user from grabbing a list of all users on the instance. The
    `UsersFinder` class performs an exact match on the `username`, so we are
    guaranteed to get 0 or 1 users.
  - Verify that the resulting user (if any) is accessible to be viewed publicly
    by calling `can?(current_user, :read_user, user)`

20f679d6

Name	Last commit	Last update
..
v3		Loading commit data...
access_requests_spec.rb		Loading commit data...
award_emoji_spec.rb		Loading commit data...
boards_spec.rb		Loading commit data...
branches_spec.rb		Loading commit data...
broadcast_messages_spec.rb		Loading commit data...
commit_statuses_spec.rb		Loading commit data...
commits_spec.rb		Loading commit data...
deploy_keys_spec.rb		Loading commit data...
deployments_spec.rb		Loading commit data...
doorkeeper_access_spec.rb		Loading commit data...
environments_spec.rb		Loading commit data...
events_spec.rb		Loading commit data...
features_spec.rb		Loading commit data...
files_spec.rb		Loading commit data...
groups_spec.rb		Loading commit data...
helpers_spec.rb		Loading commit data...
internal_spec.rb		Loading commit data...
issues_spec.rb		Loading commit data...
jobs_spec.rb		Loading commit data...
keys_spec.rb		Loading commit data...
labels_spec.rb		Loading commit data...
lint_spec.rb		Loading commit data...
members_spec.rb		Loading commit data...
merge_request_diffs_spec.rb		Loading commit data...
merge_requests_spec.rb		Loading commit data...
milestones_spec.rb		Loading commit data...
namespaces_spec.rb		Loading commit data...
notes_spec.rb		Loading commit data...
notification_settings_spec.rb		Loading commit data...
oauth_tokens_spec.rb		Loading commit data...
pipeline_schedules_spec.rb		Loading commit data...
pipelines_spec.rb		Loading commit data...
project_hooks_spec.rb		Loading commit data...
project_snippets_spec.rb		Loading commit data...
projects_spec.rb		Loading commit data...
repositories_spec.rb		Loading commit data...
runner_spec.rb		Loading commit data...
runners_spec.rb		Loading commit data...
services_spec.rb		Loading commit data...
session_spec.rb		Loading commit data...
settings_spec.rb		Loading commit data...
sidekiq_metrics_spec.rb		Loading commit data...
snippets_spec.rb		Loading commit data...
system_hooks_spec.rb		Loading commit data...
tags_spec.rb		Loading commit data...
templates_spec.rb		Loading commit data...
todos_spec.rb		Loading commit data...
triggers_spec.rb		Loading commit data...
users_spec.rb		Loading commit data...
variables_spec.rb		Loading commit data...
version_spec.rb		Loading commit data...