From 3c88a7869b87693ba8c3fb9814d39437dd569a31 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Thu, 29 Jun 2017 07:43:41 +0000 Subject: Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. --- app/finders/users_finder.rb | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'app/finders/users_finder.rb') diff --git a/app/finders/users_finder.rb b/app/finders/users_finder.rb index 0534317df8f..07deceb827b 100644 --- a/app/finders/users_finder.rb +++ b/app/finders/users_finder.rb @@ -27,11 +27,8 @@ class UsersFinder users = by_search(users) users = by_blocked(users) users = by_active(users) - - if current_user - users = by_external_identity(users) - users = by_external(users) - end + users = by_external_identity(users) + users = by_external(users) users end @@ -63,13 +60,13 @@ class UsersFinder end def by_external_identity(users) - return users unless current_user.admin? && params[:extern_uid] && params[:provider] + return users unless current_user&.admin? && params[:extern_uid] && params[:provider] users.joins(:identities).merge(Identity.with_extern_uid(params[:provider], params[:extern_uid])) end def by_external(users) - return users = users.where.not(external: true) unless current_user.admin? + return users = users.where.not(external: true) unless current_user&.admin? return users unless params[:external] users.external -- cgit v1.2.3