find_by_token is overriden by TokenAuthenticatable which can be easily
missed or confused with #find_by(:token) defined by ActiveRecord. First
step for safer usage is to remove #find_by.
This gives admins the ability to send a `skip_confirmation` flag in the
`POST /users/:id/email` API endpoint to skip the verification step and
assume the given e-mail address is verified.
Closes#50876
This ensures that we have more visibility in the number of SQL queries
that are executed in web requests. The current threshold is hardcoded to
100 as we will rarely (maybe once or twice) change it.
In production and development we use Sentry if enabled, in the test
environment we raise an error. This feature is also only enabled in
production/staging when running on GitLab.com as it's not very useful to
other users.
New version of the gem returns 200 status code on delete with content
instead of 204 so we explicitly set status code to keep existing
behavior
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
- Rather than using an explicit check to turn off authentication for the
`/users` endpoint, simply call `authenticate_non_get!`.
- All `GET` endpoints we wish to restrict already call
`authenticated_as_admin!`, and so remain inacessible to anonymous users.
- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
the same access check that `/users` users, and so is safe for use here.
- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
- Declaring an endpoint's scopes in a `before` block has proved to be
unreliable. For example, if we're accessing the `API::Users` endpoint - code
in a `before` block in `API::API` wouldn't be able to see the scopes set in
`API::Users` since the `API::API` `before` block runs first.
- This commit moves these declarations to the class level, since they don't need
to change once set.
- The issue filtering frontend code needs access to this API for non-logged-in
users + public projects. It uses the API to fetch information for a user by
username.
- We don't authenticate this API anymore, but instead - if the `current_user` is
not present:
- Verify that the `username` parameter has been passed. This disallows an
unauthenticated user from grabbing a list of all users on the instance. The
`UsersFinder` class performs an exact match on the `username`, so we are
guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly
by calling `can?(current_user, :read_user, user)`
Imre Farkas
William George
Douwe Maan
Ronald Claveau
Rémy Coutable
Alexis Reigel
gfyoung
Robert Speicher
Yorick Peterse
Stan Hu
Bob Van Landuyt
JX Terry
Marko, Peter
Lin Jen-Shin
Francisco Javier López
Dmitriy Zaporozhets
Markus Koller
Daniel Juarez
Douwe Maan
Markus Koller
James Lopez
Tiago Botelho
Brett Walker
Robert Speicher
Robert Schilling
Timothy Andrew