author | Douwe Maan <douwe@selenight.nl> | 2017-10-12 15:38:39 +0300 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2017-11-02 13:39:03 +0300 |
commit | 3f24f9ed182f5226210349b8e67e484e132ce971 (patch) | |
tree | 6f6a9148f3d89ea2d19cefe90470a8dca4dabc64 /lib/api/helpers.rb | |
parent | a1781a49416790f727b3dd3453bf704723e72b90 (diff) |
Add sudo API scope
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r-- | lib/api/helpers.rb | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 7a2ec865860..b1b855fdd9c 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -41,6 +41,8 @@ module API
 
         sudo!
 
+        validate_access_token!(scopes: scopes_registered_for_endpoint) unless sudo?
+
         @current_user
       end
 
@@ -385,7 +387,7 @@ module API
         return @initial_current_user if defined?(@initial_current_user)
 
         begin
-          @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user }
+          @initial_current_user = Gitlab::Auth::UniqueIpsLimiter.limit_user! { find_current_user! }
         rescue APIGuard::UnauthorizedError
           unauthorized!
         end
@@ -393,24 +395,26 @@ module API
 
       def sudo!
         return unless sudo_identifier
-        return unless initial_current_user
+
+        raise UnauthorizedError unless initial_current_user
 
         unless initial_current_user.admin?
           forbidden!('Must be admin to use sudo')
         end
 
-        # Only private tokens should be used for the SUDO feature
-        unless private_token == initial_current_user.private_token
-          forbidden!('Private token must be specified in order to use sudo')
+        unless access_token
+          forbidden!('Must be authenticated using an OAuth or Personal Access Token to use sudo')
         end
 
+        validate_access_token!(scopes: [:sudo])
+
         sudoed_user = find_user(sudo_identifier)
 
-        if sudoed_user
-          @current_user = sudoed_user
-        else
+        unless sudoed_user
           not_found!("No user id or username for: #{sudo_identifier}")
         end
+
+        @current_user = sudoed_user
       end
 
       def sudo_identifier
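Review bot: The `unless sudo?` on the new `validate_access_token!(scopes: scopes_registered_for_endpoint)` line in the first hunk means a sudo request never has the endpoint's own registered scopes checked; `sudo!` (third hunk) validates only `[:sudo]`, so a token carrying that scope reaches every endpoint on behalf of the impersonated user. That looks intended, but nothing in the hunk states it, and a later reader may assume the endpoint scopes and the sudo scope compose. A comment above the line would pin the contract: `# A :sudo token is validated in sudo!; it stands in for every endpoint scope.` The enclosing `current_user` method starts outside the hunk.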
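Review bot: `raise UnauthorizedError unless initial_current_user` in `sudo!` is inconsistent with how this file reports the same condition two hunks up, where `initial_current_user` rescues `APIGuard::UnauthorizedError` and calls `unauthorized!`. The bare constant is resolved from inside `API::Helpers`; unless it names that same class and an outer handler maps it to a 401, a sudo request whose token cannot be resolved to a user surfaces as an unhandled exception rather than an authentication failure. Using the helper, `unauthorized! unless initial_current_user`, keeps the response path uniform with the rest of the file. The trailing `@current_user = sudoed_user` also assumes `not_found!` halts the request rather than returning; that appears to hold for the other `forbidden!`/`unauthorized!` calls here, but it is worth confirming.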