delta/gitlab/gitlab-ce.git/lib/api/users.rb, branch docs/database-development gitlab.com: gitlab-org/gitlab-ce.git Include the `is_admin` field in the `GET /users/:id` API when current user is an admin 2017-08-11T13:14:32+00:00 Rémy Coutable remy@rymai.me 2017-08-11T12:08:20+00:00 09a348eb139178be534d181273a360a3125df9f9 Signed-off-by: Rémy Coutable <remy@rymai.me> 
Signed-off-by: Rémy Coutable <remy@rymai.me>
Update grape gem 2017-07-20T13:33:18+00:00 Dmitriy Zaporozhets dmitriy.zaporozhets@gmail.com 2017-07-20T13:33:18+00:00 6b8ad689da393125bb2d1e548211c9a50039b0a7 New version of the gem returns 200 status code on delete with content instead of 204 so we explicitly set status code to keep existing behavior Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 
New version of the gem returns 200 status code on delete with content
instead of 204 so we explicitly set status code to keep existing
behavior

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Return `is_admin` attribute in the GET /user endpoint for admins 2017-07-12T10:45:46+00:00 Rémy Coutable remy@rymai.me 2017-07-12T10:18:14+00:00 91f63820a540e7f3e7206dc8044e257cf28527dc Signed-off-by: Rémy Coutable <remy@rymai.me> 
Signed-off-by: Rémy Coutable <remy@rymai.me>
fix specs 2017-07-07T14:09:30+00:00 James Lopez james@jameslopez.es 2017-07-07T14:09:30+00:00 5e66c6568ba2a528e037eaf9d466cfb489b52891 






add created at filter logic to users finder and API
2017-07-07T08:38:57+00:00

James Lopez
james@jameslopez.es

2017-07-07T07:29:00+00:00

1a7d2aba3b06a1e4fcc3861eeb70af30fc3330f6












Merge branch 'master' into '33580-fix-api-scoping'
2017-07-04T15:00:01+00:00

Douwe Maan
douwe@gitlab.com

2017-07-04T15:00:01+00:00

5e2f7f25eb6ed1118cb541e43026915a7c4cdfef

# Conflicts:
#   lib/api/users.rb




# Conflicts:
#   lib/api/users.rb






Simplify authentication logic in the v4 users API for !12445.
2017-07-04T12:19:48+00:00

Timothy Andrew
mail@timothyandrew.net

2017-07-04T12:19:48+00:00

d1488268b2e31b8f3549c6e1e46955619535cd98

- Rather than using an explicit check to turn off authentication for the
  `/users` endpoint, simply call `authenticate_non_get!`.

- All `GET` endpoints we wish to restrict already call
  `authenticated_as_admin!`, and so remain inacessible to anonymous users.

- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
  the same access check that `/users` users, and so is safe for use here.

- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323





- Rather than using an explicit check to turn off authentication for the
  `/users` endpoint, simply call `authenticate_non_get!`.

- All `GET` endpoints we wish to restrict already call
  `authenticated_as_admin!`, and so remain inacessible to anonymous users.

- This _does_ open up the `/users/:id` endpoint to anonymous access. It contains
  the same access check that `/users` users, and so is safe for use here.

- More context: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12445#note_34031323







Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api
2017-06-30T13:45:51+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-30T13:29:34+00:00

5dedea358dc3012b4c2a876065c16cf748fbf7ea

- Modify policy code to work with the `DeclarativePolicy` refactor
  in 37c401433b76170f0150d70865f1f4584db01fa8.





- Modify policy code to work with the `DeclarativePolicy` refactor
  in 37c401433b76170f0150d70865f1f4584db01fa8.







Implement review comments for !12445 from @godfat and @rymai.
2017-06-30T13:06:03+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-29T07:43:41+00:00

3c88a7869b87693ba8c3fb9814d39437dd569a31

- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
  fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
  visibility level is not restricted.

- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
  the `username` parameter is passed.

- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
  route + method, rather than the description.

- Change the type of `current_user` check in `UsersFinder` to be more
  compatible with EE.





- Use `GlobalPolicy` to authorize the users that a non-authenticated user can
  fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
  visibility level is not restricted.

- Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
  the `username` parameter is passed.

- Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
  route + method, rather than the description.

- Change the type of `current_user` check in `UsersFinder` to be more
  compatible with EE.







Initial attempt at refactoring API scope declarations.
2017-06-28T07:17:13+00:00

Timothy Andrew
mail@timothyandrew.net

2017-06-20T07:40:24+00:00

6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b

- Declaring an endpoint's scopes in a `before` block has proved to be
  unreliable. For example, if we're accessing the `API::Users` endpoint - code
  in a `before` block in `API::API` wouldn't be able to see the scopes set in
  `API::Users` since the `API::API` `before` block runs first.

- This commit moves these declarations to the class level, since they don't need
  to change once set.





- Declaring an endpoint's scopes in a `before` block has proved to be
  unreliable. For example, if we're accessing the `API::Users` endpoint - code
  in a `before` block in `API::API` wouldn't be able to see the scopes set in
  `API::Users` since the `API::API` `before` block runs first.

- This commit moves these declarations to the class level, since they don't need
  to change once set.