403 error accessing users list in API after 9.4

Summary

I am using the gitlab-ce API in version 4. After upgrading to GitLab 9.4, I got a 403 error when trying to access the user list in the v3 and v4 API.

My private token works fine when accessing /api/v4/projects, and /api/v4/user returns the current user.

Steps to reproduce

  • Upgrade to GitLab 9.4
  • Access /api/v4/users

What is the current bug behavior?

A 403 error prevents me from accessing the users list in the API.

What is the expected correct behavior?

Returning the users list

Relevant logs and/or screenshots

JSON Output

{"message":"403 Forbidden  - Not authorized to access /api/v4/users"}

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/api/v3/users" for 10.249.1.189 at 2017-07-24 14:17:47 +0200

==> /var/log/gitlab/nginx/gitlab_access.log <==
10.249.1.189 - - [24/Jul/2017:14:21:26 +0200] "GET /api/v4/users HTTP/1.1" 403 69 "-" "GuzzleHttp/6.2.1 curl/7.51.0 PHP/7.0.15"


Results of GitLab environment info

System information
System:		Debian 8.8
Current User:	git
Using RVM:	no
Ruby Version:	2.3.3p222
Gem Version:	2.6.6
Bundler Version:1.13.7
Rake Version:	10.5.0
Redis Version:	3.2.5
Git Version:	2.13.0
Sidekiq Version:5.0.0
Go Version:	unknown

GitLab information
Version:	9.4.0
Revision:	9bbe2ac
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
URL:		http://gitlab
HTTP Clone URL:	http://gitlab/some-group/some-project.git
SSH Clone URL:	git@gitlab:some-group/some-project.git
Using LDAP:	no
Using Omniauth:	no

GitLab Shell
Version:	5.3.1
Repository storage paths:
  • default:	/var/opt/gitlab/git-data/repositories
Hooks:		/opt/gitlab/embedded/service/gitlab-shell/hooks
Git:		/opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 5.3.1 ? ... OK (5.3.1)
Repo base directory exists? default... yes
Repo storage directories are symlinks? default... no
Repo paths owned by git:root, or git:git? default... yes
Repo paths access is drwxrws---? default... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Reply by email ...

Reply by email is disabled in config/gitlab.yml

Checking Reply by email ... Finished

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.3 ? ... yes (2.3.3)
Git version >= 2.7.3 ? ... yes (2.13.0)
Active users: ... 106

Checking GitLab ... Finished

Edited by Rémi Heens