diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-29 10:43:41 +0300 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-30 16:06:03 +0300 |
| commit | 3c88a7869b87693ba8c3fb9814d39437dd569a31 (patch) | |
| tree | 4335dcc017f75c382757047a37d7936704cfe9d5 /spec | |
| parent | c39e4ccfb7cb76b9bdb613399aba2c2467b77751 (diff) | |
Implement review comments for !12445 from @godfat and @rymai.
- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
visibility level is not restricted.
- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
the `username` parameter is passed.
- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
route + method, rather than the description.
- Change the type of `current_user` check in `UsersFinder` to be more
compatible with EE.
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/requests/api/users_spec.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index 01541901330..bf7ed2d3ad6 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -34,7 +34,7 @@ describe API::Users do it "returns authorization error when the `username` parameter refers to an inaccessible user" do user = create(:user) - expect(Ability).to receive(:allowed?).with(nil, :read_user, user).and_return(false) + stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC]) get api("/users"), username: user.username |