diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2016-08-26 07:07:57 +0300 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2016-08-31 10:03:24 +0300 |
| commit | 727dff3f158b9ef852b2b014d4efe0abd69a23d0 (patch) | |
| tree | 0f2a3d3819fd4ac40c614555e237a15f9fefc3dd /spec | |
| parent | 4d042afeced540c0acd887714d8ec7c962b7c507 (diff) | |
Don't expose a user's private token in the `/api/v3/user` API.
- This would allow anyone with a personal access token (even a read-only
token, once scopes are implemented) to escalate their access by
obtaining the private token.
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/requests/api/users_spec.rb | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 0bbba64a6d5..ef73778efa9 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -605,6 +605,7 @@ describe API::API, api: true do expect(json_response['can_create_project']).to eq(user.can_create_project?) expect(json_response['can_create_group']).to eq(user.can_create_group?) expect(json_response['projects_limit']).to eq(user.projects_limit) + expect(json_response['private_token']).to be_blank end it "returns 401 error if user is unauthenticated" do |