Check user access status in API for current_user

Jacob Vosmaer
1 parent 34fd5570
Showing 2 changed files with 10 additions and 0 deletions Show diff stats
lib/api/helpers.rb
spec/requests/api/api_helpers_spec.rb
@@ -8,6 +8,11 @@ module API
     def current_user
       private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
       @current_user ||= User.find_by(authentication_token: private_token)
+
+      unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
+        return nil
+      end
+
       identifier = sudo_identifier()
  
       # If the sudo is the current user do nothing
@@ -44,6 +44,11 @@ describe API, api: true do
       current_user.should be_nil
     end
  
+    it "should return nil for a user without access" do
+      Gitlab::UserAccess.stub(allowed?: false)
+      current_user.should be_nil
+    end
+
     it "should leave user as is when sudo not specified" do
       env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
       current_user.should == user
...	...	@@ -8,6 +8,11 @@ module API
8	8	def current_user
9	9	private_token = (params[PRIVATE_TOKEN_PARAM] \|\| env[PRIVATE_TOKEN_HEADER]).to_s
10	10	@current_user \|\|= User.find_by(authentication_token: private_token)
	11	+
	12	+ unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
	13	+ return nil
	14	+ end
	15	+
11	16	identifier = sudo_identifier()
12	17
13	18	# If the sudo is the current user do nothing
...	...
...	...	@@ -44,6 +44,11 @@ describe API, api: true do
44	44	current_user.should be_nil
45	45	end
46	46
	47	+ it "should return nil for a user without access" do
	48	+ Gitlab::UserAccess.stub(allowed?: false)
	49	+ current_user.should be_nil
	50	+ end
	51	+
47	52	it "should leave user as is when sudo not specified" do
48	53	env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
49	54	current_user.should == user
...	...