Commit 02b85fd2366bc6c0d3194ab68e13eb6291733c26
1 parent
34fd5570
Exists in
spb-stable
and in
2 other branches
Check user access status in API for current_user
Showing
2 changed files
with
10 additions
and
0 deletions
Show diff stats
lib/api/helpers.rb
| @@ -8,6 +8,11 @@ module API | @@ -8,6 +8,11 @@ module API | ||
| 8 | def current_user | 8 | def current_user |
| 9 | private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s | 9 | private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s |
| 10 | @current_user ||= User.find_by(authentication_token: private_token) | 10 | @current_user ||= User.find_by(authentication_token: private_token) |
| 11 | + | ||
| 12 | + unless @current_user && Gitlab::UserAccess.allowed?(@current_user) | ||
| 13 | + return nil | ||
| 14 | + end | ||
| 15 | + | ||
| 11 | identifier = sudo_identifier() | 16 | identifier = sudo_identifier() |
| 12 | 17 | ||
| 13 | # If the sudo is the current user do nothing | 18 | # If the sudo is the current user do nothing |
spec/requests/api/api_helpers_spec.rb
| @@ -44,6 +44,11 @@ describe API, api: true do | @@ -44,6 +44,11 @@ describe API, api: true do | ||
| 44 | current_user.should be_nil | 44 | current_user.should be_nil |
| 45 | end | 45 | end |
| 46 | 46 | ||
| 47 | + it "should return nil for a user without access" do | ||
| 48 | + Gitlab::UserAccess.stub(allowed?: false) | ||
| 49 | + current_user.should be_nil | ||
| 50 | + end | ||
| 51 | + | ||
| 47 | it "should leave user as is when sudo not specified" do | 52 | it "should leave user as is when sudo not specified" do |
| 48 | env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token | 53 | env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token |
| 49 | current_user.should == user | 54 | current_user.should == user |