- To prevent an attacker from enumerating the `/users` API to get a list of all
the admins.
- Display the `is_admin?` flag wherever we display the `private_token` - at the
moment, there are two instances:
- When an admin uses `sudo` to view the `/user` endpoint
- When logging in using the `/session` endpoint
The issue was arising when `#current_user` was called a second time
after a user was impersonated: the `User#is_admin?` check would be
performed on it and it would fail.
Signed-off-by: Rémy Coutable <remy@rymai.me>
API: New /users/:id/events endpoint
## What does this MR do?
If add a new `/users/:id/events` endpoint to retrieve a user's contribution events. The events returned are filtered so that only the events for projects that the current user can see are returned (similarly to what we do at the controller level).
## Why was this MR needed?
Because it's a nice feature to calculate leaderboards, for instance for #17815.
## What are the relevant issue numbers?
Closes#20866.
See merge request !6771
* Add newline to user organization spec according to test guide
* Remove unnecessary comments from user organization database migration
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
- This would allow anyone with a personal access token (even a read-only
token, once scopes are implemented) to escalate their access by
obtaining the private token.
There is a race condition in DestroyGroupService now that projects are deleted asynchronously:
1. User attempts to delete group
2. DestroyGroupService iterates through all projects and schedules a Sidekiq job to delete each Project
3. DestroyGroupService destroys the Group, leaving all its projects without a namespace
4. Projects::DestroyService runs later but the can?(current_user,
:remove_project) is `false` because the user no longer has permission to
destroy projects with no namespace.
5. This leaves the project in pending_delete state with no namespace/group.
Projects without a namespace or group also adds another problem: it's not possible to destroy the container
registry tags, since container_registry_path_with_namespace is the wrong value.
The fix is to destroy the group asynchronously and to run execute directly on Projects::DestroyService.
Closes#17893
Sean McGivern
Timothy Andrew
Jacopo
Robert Speicher
Robin Bobbitt
Rémy Coutable
Sean McGivern
Stan Hu
Douwe Maan
Tiago Botelho
Adam Niedzielski
Simon Vocella
Robert Schilling
Joost Rijneveld
George Andrinopoulos
Mark Fletcher
Livier
Yatish Mehta
Airat Shigapov
Dmitriy Zaporozhets