author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 15:52:42 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-09-29 15:53:07 +0300 |
commit | 86842c660b55c74269649851bb694e40367e8bef (patch) | |
tree | 1d98de2bf98750f187c27d9957ecff419ae86b63 /lib | |
parent | b56d907a1d9065c3df354007fa00daf30626a478 (diff) |
Add latest changes from gitlab-org/security/gitlab@14-3-stable-ee
Diffstat (limited to 'lib')
-rw-r--r-- | lib/api/users.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/api/users.rb b/lib/api/users.rb
index e3271b8b9b2..944be990c2f 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -140,7 +140,10 @@ module API
 end
 # rubocop: disable CodeReuse/ActiveRecord
 get ":id", feature_category: :users do
+ forbidden!('Not authorized!') unless current_user
+ user = User.find_by(id: params[:id])
+ not_found!('User') unless user && can?(current_user, :read_user, user)
 opts = { with: current_user&.admin? ? Entities::UserDetailsWithAdmin : Entities::User, current_user: current_user }
@@ -156,6 +159,7 @@ module API
 end
 get ":user_id/status", requirements: API::USER_REQUIREMENTS, feature_category: :users do
 user = find_user(params[:user_id])
+ not_found!('User') unless user && can?(current_user, :read_user, user)
 present user.status || {}, with: Entities::UserStatus
@@ -203,6 +207,8 @@ module API
 use :pagination
 end
 get ':id/following', feature_category: :users do
+ forbidden!('Not authorized!') unless current_user
+ user = find_user(params[:id])
 not_found!('User') unless user && can?(current_user, :read_user_profile, user)
@@ -217,6 +223,8 @@ module API
 use :pagination
 end
 get ':id/followers', feature_category: :users do
+ forbidden!('Not authorized!') unless current_user
+ user = find_user(params[:id])
 not_found!('User') unless user && can?(current_user, :read_user_profile, user) |
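Review bot: `forbidden!('Not authorized!') unless current_user` in the `get ":id"` hunk answers a request that carries no credentials with 403, whereas a missing credential is conventionally 401, and the API helpers' `authenticate!` (which raises `unauthorized!` when there is no `current_user`) already expresses exactly this check; `authenticate!` in place of the added line would give the conventional status and avoid repeating the message string, and the same applies to the identical lines in the `:id/following` and `:id/followers` hunks. Once that guard runs, `current_user&.admin?` on the `opts = {` line can no longer see a nil `current_user`, so the safe navigation now reads as dead code and `current_user.admin?` would make the new invariant visible. If 403 was chosen deliberately, for instance to keep anonymous and unauthorized responses indistinguishable, nothing in the hunk records that; a short comment above the guard stating the reason would keep a later reader from "correcting" it. The `get ":id"` block continues past the end of the hunk.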
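Review bot: `":user_id/status"` is the only endpoint in this commit that gains the `not_found!('User') unless user && can?(current_user, :read_user, user)` check without a preceding `current_user` guard, so an anonymous caller still reaches `can?` with a nil user and the `:read_user` policy alone decides whether the status is served. The asymmetry with the `":id"`, `:id/following` and `:id/followers` hunks looks intentional, but nothing in the hunk says so; a one-line comment above the check such as `# Anonymous callers are allowed here; the :read_user policy decides which users are visible` would record the decision. Responding 404 rather than 403 when `can?` fails keeps the existence of non-readable users unobservable, which is the right shape for this check.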