- This would allow anyone with a personal access token (even a read-only
token, once scopes are implemented) to escalate their access by
obtaining the private token.
To prevent loose of group data you need to transfer or remove group
first before you can remove user
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
* users (#6878, #3526, #4209): Validation error messages are now exposed through 400 responses, 409 response are sent in case of duplicate email or username
* MRs (#5335): 409 responses are sent in case of duplicate merge request (source/target branches), 422 responses are sent when submiting MR fo/from unrelated forks
* issues
* labels
* projects
To prevent leaking of users info we reduce amount of user information
retrieved via API for normal users.
What user can get via API:
* if not admin: only id, state, name, username and avatar_url
* if admin: all user information
* about himself: all informaion
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Complements POST operation added in gitlabhq/gitlabhq#3146
Implement DELETE /users/:uid/keys/:id for admin users
Fix "Line is too long. [83/80]"
Use single quotes as advised
Use single quotes as advised
Use single quotes as advised
Fix missing space around { and }
Fix typo in documentation
Only catch ActiveRecord::RecordNotFound, let other exceptions propagate
Raise a "404 Not found" if key to be deleted cannot be found
As requested by @jvanbaarsen in https://github.com/gitlabhq/gitlabhq/pull/6781#discussion_r11735114
Remove tab
Unconfigured vim on this box, grrrr./
Also, is_admin and can_create_group are exposed in the user information.
Fixed attributes_for_keys to process properly keys with boolean values (since false.present? is false).
Most of these are comments but a few are strings for users.
Might be an idea to run this from time to time:
https://github.com/lyda/misspell-check
It runs mostly clean now.
Added a helper method to check if required parameters are given in an API call. Can be used
to return a `400 Bad Request` return code if a required attribute is missing.
Code clean up and fixed tests.
The users API updated with return codes, e.g. if required parameters are missing
a `400 Bad Request` error is returned instead of `404`. Fixes return codes of functions,
e.g. deletion of a ssh key is an idempotent function now.
The API documentation is updated to reflect the current status of the API. Descriptions
are more detailed and complete, infos to return values are added to all functions.
Rémy Coutable
Dmitriy Zaporozhets
Timothy Andrew
Grzegorz Bizon
Felipe Artur
Robert Schilling
Achilleas Pipinellis
Zeger-Jan van de Weg
Gabriel Mazetto
Michi302
Stan Hu
Patricio Cano
Douwe Maan
Steve Norman
RICKETTM@uk.ibm.com
Valery Sizov
Matthew Monaco
jubianchi
Timm Friebe
skv
Jerome Dalbert
Boyan Tabakov
Izaak Alpert
Alex Denisov
Kevin Lyda
Sebastian Ziebell
Angus MacArthur