To avoid having to specify an actual password to create users, admins
can now use the `force_random_password` parameter to let Devise generate
a password.
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63826
Updates specs to use new rails5 format.
The old format:
`get :show, { some: params }, { some: headers }`
The new format:
`get :show, params: { some: params }, headers: { some: headers }`
This gives admins the ability to send a `skip_confirmation` flag in the
`POST /users/:id/email` API endpoint to skip the verification step and
assume the given e-mail address is verified.
Closes #50876
`perform_enqueued_jobs` is a Sidekiq method.
Using this method violates the Dependency inversion principle[0].
This commit replaces `perform_enqueued_jobs` with ActiveJob's abstract
method `perform_enqueued_jobs` in specs.
[0]: https://en.wikipedia.org/wiki/Dependency_inversion_principle
- The `/users` and `/users/:id` APIs are now accessible without
authentication (!12445), and so scopes are not relevant for these endpoints.
- Previously, we were testing our scope declaration against these two methods.
This commit moves these tests to other `GET` user endpoints which still
require authentication.
- Rather than using an explicit check to turn off authentication for the
`/users` endpoint, simply call `authenticate_non_get!`.
- All `GET` endpoints we wish to restrict already call
`authenticated_as_admin!`, and so remain inaccessible to anonymous users.
- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
the same access check that `/users` uses, and so is safe for use here.
- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
- Test `GET` endpoints to check that the scope is allowed.
- Test `POST` endpoints to check that the scope is disallowed.
- Test both `v3` and `v4` endpoints.
- Scope declarations of the form:
`allow_access_with_scope :read_user, if: -> (request) { request.get? }`
will only apply for `GET` requests.
- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
test for this case in the `AccessTokenValidationService` unit tests.