From 3c88a7869b87693ba8c3fb9814d39437dd569a31 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Thu, 29 Jun 2017 07:43:41 +0000 Subject: Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. --- app/policies/base_policy.rb | 6 ++++++ app/policies/global_policy.rb | 3 ++- app/policies/user_policy.rb | 6 ------ 3 files changed, 8 insertions(+), 7 deletions(-) (limited to 'app/policies') diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 623424c63e0..261a2e780c5 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -1,4 +1,6 @@ class BasePolicy + include Gitlab::CurrentSettings + class RuleSet attr_reader :can_set, :cannot_set def initialize(can_set, cannot_set) @@ -124,4 +126,8 @@ class BasePolicy yield @rule_set end + + def restricted_public_level? + current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) + end end diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 2683aaad981..e9be43a5037 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -1,9 +1,10 @@ class GlobalPolicy < BasePolicy def rules + can! :read_users_list unless restricted_public_level? + return unless @user can! :create_group if @user.can_create_group - can! :read_users_list unless @user.blocked? || @user.internal? can! :log_in unless @user.access_locked? diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 229846e368c..265c56aba53 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -1,6 +1,4 @@ class UserPolicy < BasePolicy - include Gitlab::CurrentSettings - def rules can! :read_user if @user || !restricted_public_level? @@ -12,8 +10,4 @@ class UserPolicy < BasePolicy cannot! :destroy_user if @subject.ghost? end end - - def restricted_public_level? - current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) - end end -- cgit v1.2.3 From 96e986327c4dad9248f9013f191119ffafe4a6d8 Mon Sep 17 00:00:00 2001 From: Timothy Andrew Date: Mon, 3 Jul 2017 05:14:00 +0000 Subject: Implement review comments for !12445 from @jneen. - Fix duplicate `prevent` declaration - Add spec for `GlobalPolicy` --- app/policies/global_policy.rb | 1 - 1 file changed, 1 deletion(-) (limited to 'app/policies') diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index 7767d3cccd5..55eefa76d3f 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -18,7 +18,6 @@ class GlobalPolicy < BasePolicy prevent :receive_notifications prevent :use_quick_actions prevent :create_group - prevent :log_in end rule { default }.policy do -- cgit v1.2.3