Skip to content

Allow unauthenticated access to the `/api/v4/users` API

What does this MR do?

  • The issue filtering frontend code needs access to this API for non-logged-in users + public projects. It uses the API to fetch information for a user by username.

  • We don't authenticate this API anymore, but instead - if the current_user is not present:

    • Verify that the username parameter has been passed. This disallows an unauthenticated user from grabbing a list of all users on the instance. The UsersFinder class performs an exact match on the username, so we are guaranteed to get 0 or 1 users.
    • Verify that the resulting user (if any) is accessible to be viewed publicly by calling can?(current_user, :read_user, user)

Are there points in the code the reviewer needs to double check?

  • Are we leaking any user information we shouldn't?
  • Any other authorization issues?

References

/cc @winh

Tasks

  • Investigation
  • Implementation
  • Tests
    • Added
    • Passing
  • Meta
    • CHANGELOG entry created
    • Branch has no merge conflicts with master
    • Squashed related commits together
    • Check for clean merge with EE
    • Documentation added/updated
  • Review
    • Reviewer
    • Maintainer
  • Wait for merge
  • Wait for EE merge
Edited by Timothy Andrew

Merge request reports

Loading