Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Allow unauthenticated access to the `/api/v4/users` API

Review changes
Download
Patches
Plain diff

Timothy Andrew requested to merge 34141-allow-unauthenticated-access-to-the-users-api into master Jun 26, 2017

Overview 35
Commits 6
Pipelines 9
Changes 8

What does this MR do?

The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username.
We don't authenticate this API anymore, but instead - if the current_user is not present:
- Verify that the username parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The UsersFinder class performs an exact match on the username, so we are guaranteed to get 0 or 1 users.
- Verify that the resulting user (if any) is accessible to be viewed publicly by calling can?(current_user, :read_user, user)

Are there points in the code the reviewer needs to double check?

Are we leaking any user information we shouldn't?
Any other authorization issues?

References

Closes #34141 (closed)
EE conflicts fixed in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2247

Tasks

Investigation
Implementation
Tests
- Added
- Passing
Meta
- CHANGELOG entry created
- Branch has no merge conflicts with master
- Squashed related commits together
- Check for clean merge with EE
- Documentation added/updated
Review
- Reviewer
- Maintainer
Wait for merge
Wait for EE merge

Edited Jun 26, 2017 by Timothy Andrew

Merge request reports

Assignee Loading

Reviewers Loading

Request review from

Loading

Time tracking Loading

Loading