New version of the gem returns 200 status code on delete with content
instead of 204 so we explicitly set status code to keep existing
behavior
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
- Rather than using an explicit check to turn off authentication for the
`/users` endpoint, simply call `authenticate_non_get!`.
- All `GET` endpoints we wish to restrict already call
`authenticated_as_admin!`, and so remain inacessible to anonymous users.
- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
the same access check that `/users` users, and so is safe for use here.
- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
- Declaring an endpoint's scopes in a `before` block has proved to be
unreliable. For example, if we're accessing the `API::Users` endpoint - code
in a `before` block in `API::API` wouldn't be able to see the scopes set in
`API::Users` since the `API::API` `before` block runs first.
- This commit moves these declarations to the class level, since they don't need
to change once set.
- The issue filtering frontend code needs access to this API for non-logged-in
users + public projects. It uses the API to fetch information for a user by
username.
- We don't authenticate this API anymore, but instead - if the `current_user` is
not present:
- Verify that the `username` parameter has been passed. This disallows an
unauthenticated user from grabbing a list of all users on the instance. The
`UsersFinder` class performs an exact match on the `username`, so we are
guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly
by calling `can?(current_user, :read_user, user)`
* Meld the following disparate endpoints:
* `/projects/:id/events`
* `/events`
* `/users/:id/events`
+ Add result filtering to the above endpoints:
* action
* target_type
* before and after dates
- To prevent an attacker from enumerating the `/users` API to get a list of all
the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the
moment, there are two instances:
- When an admin uses `sudo` to view the `/user` endpoint
- When logging in using the `/session` endpoint
Extended ProjectFinder in order to handle the following options:
- current_user - which user use
- project_ids_relation: int[] - project ids to use
- params:
- trending: boolean
- non_public: boolean
- starred: boolean
- sort: string
- visibility_level: int
- tags: string[]
- personal: boolean
- search: string
- non_archived: boolean
GroupProjectsFinder now inherits from ProjectsFinder.
Changed the code in order to use the new available options.
* Changed name of delete_user_service and worker to destroy
* Move and change delete_group_service to Groups::DestroyService
* Rename Notes::DeleteService to Notes::DestroyService
- Move the `Oauth2::AccessTokenValidationService` class to
`AccessTokenValidationService`, since it is now being used for
personal access token validation as well.
- Each API endpoint declares the scopes it accepts (if any). Currently,
the top level API module declares the `api` scope, and the `Users` API
module declares the `read_user` scope (for GET requests).
- Move the `find_user_by_private_token` from the API `Helpers` module to
the `APIGuard` module, to avoid littering `Helpers` with more
auth-related methods to support `find_user_by_private_token`
The issue was arising when `#current_user` was called a second time
after a user was impersonated: the `User#is_admin?` check would be
performed on it and it would fail.
Signed-off-by: Rémy Coutable <remy@rymai.me>
- This would allow anyone with a personal access token (even a read-only
token, once scopes are implemented) to escalate their access by
obtaining the private token.
To prevent loose of group data you need to transfer or remove group
first before you can remove user
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
* users (#6878, #3526, #4209): Validation error messages are now exposed through 400 responses, 409 response are sent in case of duplicate email or username
* MRs (#5335): 409 responses are sent in case of duplicate merge request (source/target branches), 422 responses are sent when submiting MR fo/from unrelated forks
* issues
* labels
* projects
To prevent leaking of users info we reduce amount of user information
retrieved via API for normal users.
What user can get via API:
* if not admin: only id, state, name, username and avatar_url
* if admin: all user information
* about himself: all informaion
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Complements POST operation added in gitlabhq/gitlabhq#3146
Implement DELETE /users/:uid/keys/:id for admin users
Fix "Line is too long. [83/80]"
Use single quotes as advised
Use single quotes as advised
Use single quotes as advised
Fix missing space around { and }
Fix typo in documentation
Only catch ActiveRecord::RecordNotFound, let other exceptions propagate
Raise a "404 Not found" if key to be deleted cannot be found
As requested by @jvanbaarsen in https://github.com/gitlabhq/gitlabhq/pull/6781#discussion_r11735114
Remove tab
Unconfigured vim on this box, grrrr./
Also, is_admin and can_create_group are exposed in the user information.
Fixed attributes_for_keys to process properly keys with boolean values (since false.present? is false).
Most of these are comments but a few are strings for users.
Might be an idea to run this from time to time:
https://github.com/lyda/misspell-check
It runs mostly clean now.
Added a helper method to check if required parameters are given in an API call. Can be used
to return a `400 Bad Request` return code if a required attribute is missing.
Code clean up and fixed tests.
The users API updated with return codes, e.g. if required parameters are missing
a `400 Bad Request` error is returned instead of `404`. Fixes return codes of functions,
e.g. deletion of a ssh key is an idempotent function now.
The API documentation is updated to reflect the current status of the API. Descriptions
are more detailed and complete, infos to return values are added to all functions.
The 2 reasons are :
- creation of user fail if name is empty : in after_save, it tries to create a
namespace with namespace.name = user.name and namespece validates presence
Namespace#name
- in the web app links to team members are broken with empty User#name because
they are of the form <a href'...'> user.name </a>
Robert Schilling
Rémy Coutable
Dmitriy Zaporozhets
James Lopez
Douwe Maan
Timothy Andrew
Grzegorz Bizon
Mike Ricketts
vanadium23
Lin Jen-Shin
Mark Fletcher
Nick Thomas
George Andrinopoulos
Robert Speicher
Robin Bobbitt
Sean McGivern
Oswaldo Ferreira
blackst0ne
Jacopo
Stan Hu
http://jneen.net/
Tiago Botelho
Simon Vocella
Douwe Maan
Joost Rijneveld
dixpac
Arsenev Vladislav
Yatish Mehta
Airat Shigapov
Grzegorz Bizon
Felipe Artur
Achilleas Pipinellis
Zeger-Jan van de Weg
Gabriel Mazetto
Michi302
Patricio Cano
Steve Norman
Valery Sizov
Matthew Monaco
jubianchi
Timm Friebe
skv
Jerome Dalbert
Boyan Tabakov
Izaak Alpert
Alex Denisov
Kevin Lyda
Sebastian Ziebell
Angus MacArthur
Cyril
Nihad Abbasov
Robert Speicher