Merge branch 'more-secure-api' into 'master'

More secure api Dont expose user email via API. Fixes #1314

Merge branch 'more-secure-api' into 'master'
More secure api Dont expose user email via API. Fixes #1314
Dmitriy Zaporozhets
2 parents 2af8ace1 47d6f705
Showing 17 changed files with 161 additions and 64 deletions Show diff stats
CHANGELOG
app/assets/javascripts/project_users_select.js.coffee
app/assets/javascripts/users_select.js.coffee
app/controllers/application_controller.rb
app/helpers/application_helper.rb
app/models/user.rb
app/services/gravatar_service.rb
doc/api/users.md
lib/api/entities.rb
lib/api/internal.rb
lib/api/projects.rb
lib/api/users.rb
spec/helpers/application_helper_spec.rb
spec/requests/api/notes_spec.rb
spec/requests/api/project_members_spec.rb
spec/requests/api/projects_spec.rb
spec/requests/api/users_spec.rb
@@ -35,6 +35,7 @@ v 7.0.0
   - Be more selective when killing stray Sidekiqs
   - Check LDAP user filter during sign-in
   - Remove wall feature (no data loss - you can take it from database)
+  - Dont expose user emails via API unless you are admin 
  
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
@@ -37,13 +37,9 @@
  
   projectUserFormatResult: (user) ->
     if user.avatar_url
-      avatar = gon.relative_url_root + user.avatar_url
-    else if gon.gravatar_enabled
-      avatar = gon.gravatar_url
-      avatar = avatar.replace('%{hash}', md5(user.email))
-      avatar = avatar.replace('%{size}', '24')
+      avatar = user.avatar_url
     else
-      avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+      avatar = gon.default_avatar_url
  
     if user.id == ''
       avatarMarkup = ''
 $ ->
   userFormatResult = (user) ->
     if user.avatar_url
-      avatar = gon.relative_url_root + user.avatar_url
-    else if gon.gravatar_enabled
-      avatar = gon.gravatar_url
-      avatar = avatar.replace('%{hash}', md5(user.email))
-      avatar = avatar.replace('%{size}', '24')
+      avatar = user.avatar_url
     else
-      avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
+      avatar = gon.default_avatar_url
  
     "<div class='user-result'>
        <div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
@@ -164,9 +164,8 @@ class ApplicationController &lt; ActionController::Base
   def add_gon_variables
     gon.default_issues_tracker = Project.issues_tracker.default_value
     gon.api_version = API::API.version
-    gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
     gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
-    gon.gravatar_enabled = Gitlab.config.gravatar.enabled
+    gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
  
     if current_user
       gon.current_user_id = current_user.id
@@ -60,23 +60,21 @@ module ApplicationHelper
  
   def avatar_icon(user_email = '', size = nil)
     user = User.find_by(email: user_email)
-    if user && user.avatar.present?
-      user.avatar.url
+
+    if user
+      user.avatar_url(size) || default_avatar
     else
       gravatar_icon(user_email, size)
     end
   end
  
   def gravatar_icon(user_email = '', size = nil)
-    size = 40 if size.nil? || size <= 0
+    GravatarService.new.execute(user_email, size) ||
+      default_avatar
+  end
  
-    if !Gitlab.config.gravatar.enabled || user_email.blank?
-      image_path('no_avatar.png')
-    else
-      gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
-      user_email.strip!
-      sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
-    end
+  def default_avatar
+    image_path('no_avatar.png')
   end
  
   def last_commit(project)
@@ -482,4 +482,12 @@ class User &lt; ActiveRecord::Base
   def public_profile?
     authorized_projects.public_only.any?
   end
+
+  def avatar_url(size = nil)
+    if avatar.present?
+      URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
+    else
+      GravatarService.new.execute(email, size)
+    end
+  end
 end
@@ -0,0 +1,28 @@
+class GravatarService
+  def execute(email, size = nil)
+    if gravatar_config.enabled && email.present?
+      size = 40 if size.nil? || size <= 0
+
+      sprintf gravatar_url,
+        hash: Digest::MD5.hexdigest(email.strip.downcase),
+        size: size,
+        email: email.strip
+    end
+  end
+
+  def gitlab_config
+    Gitlab.config.gitlab
+  end
+
+  def gravatar_config
+    Gitlab.config.gravatar
+  end
+
+  def gravatar_url
+    if gitlab_config.https
+      gravatar_config.ssl_url
+    else
+      gravatar_config.plain_url
+    end
+  end
+end
@@ -6,6 +6,34 @@ Get a list of users.
  
 This function takes pagination parameters `page` and `per_page` to restrict the list of users.
  
+### For normal users:
+
+```
+GET /users
+```
+
+```json
+[
+  {
+    "id": 1,
+    "username": "john_smith",
+    "name": "John Smith",
+    "state": "active",
+    "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
+  },
+  {
+    "id": 2,
+    "username": "jack_smith",
+    "name": "Jack Smith",
+    "state": "blocked",
+    "avatar_url": "http://gravatar.com/../e32131cd8.jpeg",
+  }
+]
+```
+
+
+### For admins: 
+
 ```
 GET /users
 ```
@@ -29,6 +57,7 @@ GET /users
     "theme_id": 1,
     "color_scheme_id": 2,
     "is_admin": false,
+    "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
     "can_create_group": true
   },
   {
@@ -48,6 +77,7 @@ GET /users
     "theme_id": 1,
     "color_scheme_id": 3,
     "is_admin": false,
+    "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
     "can_create_group": true,
     "can_create_project": true
   }
@@ -62,6 +92,29 @@ Also see `def search query` in `app/models/user.rb`.
  
 Get a single user.
  
+#### For user: 
+
+```
+GET /users/:id
+```
+
+Parameters:
+
+- `id` (required) - The ID of a user
+
+```json
+{
+  "id": 1,
+  "username": "john_smith",
+  "name": "John Smith",
+  "state": "active",
+  "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
+}
+```
+
+
+#### For admin:
+
 ```
 GET /users/:id
 ```
 module API
   module Entities
-    class User < Grape::Entity
-      expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
-             :theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
-      expose :is_admin?, as: :is_admin
-      expose :can_create_group?, as: :can_create_group
-      expose :can_create_project?, as: :can_create_project
+    class UserSafe < Grape::Entity
+      expose :name, :username
+    end
  
-      expose :avatar_url do |user, options|
-        if user.avatar.present?
-          user.avatar.url
-        end
-      end
+    class UserBasic < UserSafe
+      expose :id, :state, :avatar_url
     end
  
-    class UserSafe < Grape::Entity
-      expose :name, :username
+    class User < UserBasic
+      expose :created_at
+      expose :is_admin?, as: :is_admin
+      expose :bio, :skype, :linkedin, :twitter, :website_url
     end
  
-    class UserBasic < Grape::Entity
-      expose :id, :username, :email, :name, :state, :created_at
+    class UserFull < User
+      expose :email
+      expose :theme_id, :color_scheme_id, :extern_uid, :provider
+      expose :can_create_group?, as: :can_create_group
+      expose :can_create_project?, as: :can_create_project
     end
  
-    class UserLogin < User
+    class UserLogin < UserFull
       expose :private_token
     end
  
@@ -59,4 +59,3 @@ module API
     end
   end
 end
-
@@ -209,7 +209,7 @@ module API
         @users = User.where(id: user_project.team.users.map(&:id))
         @users = @users.search(params[:search]) if params[:search].present?
         @users = paginate @users
-        present @users, with: Entities::User
+        present @users, with: Entities::UserBasic
       end
  
       # Get a project labels
@@ -13,7 +13,12 @@ module API
         @users = @users.active if params[:active].present?
         @users = @users.search(params[:search]) if params[:search].present?
         @users = paginate @users
-        present @users, with: Entities::User
+
+        if current_user.is_admin?
+          present @users, with: Entities::UserFull
+        else
+          present @users, with: Entities::UserBasic
+        end
       end
  
       # Get a single user
@@ -24,7 +29,12 @@ module API
       #   GET /users/:id
       get ":id" do
         @user = User.find(params[:id])
-        present @user, with: Entities::User
+
+        if current_user.is_admin?
+          present @user, with: Entities::UserFull
+        else
+          present @user, with: Entities::UserBasic
+        end
       end
  
       # Create user. Available only for admin
@@ -53,7 +63,7 @@ module API
         admin = attrs.delete(:admin)
         user.admin = admin unless admin.nil?
         if user.save
-          present user, with: Entities::User
+          present user, with: Entities::UserFull
         else
           not_found!
         end
@@ -87,7 +97,7 @@ module API
         admin = attrs.delete(:admin)
         user.admin = admin unless admin.nil?
         if user.update_attributes(attrs, as: :admin)
-          present user, with: Entities::User
+          present user, with: Entities::UserFull
         else
           not_found!
         end
@@ -67,10 +67,9 @@ describe ApplicationHelper do
     end
  
     it "should call gravatar_icon when no avatar is present" do
-      user = create(:user)
+      user = create(:user, email: 'test@example.com')
       user.save!
-      allow(self).to receive(:gravatar_icon).and_return('gravatar_method_called')
-      avatar_icon(user.email).to_s.should == "gravatar_method_called"
+      avatar_icon(user.email).to_s.should == "http://www.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=40&d=mm"
     end
   end
  
@@ -87,12 +86,12 @@ describe ApplicationHelper do
     end
  
     it "should return default gravatar url" do
-      allow(self).to receive(:request).and_return(double(:ssl? => false))
+      Gitlab.config.gitlab.stub(https: false)
       gravatar_icon(user_email).should match('http://www.gravatar.com/avatar/b58c6f14d292556214bd64909bcdb118')
     end
  
     it "should use SSL when appropriate" do
-      allow(self).to receive(:request).and_return(double(:ssl? => true))
+      Gitlab.config.gitlab.stub(https: true)
       gravatar_icon(user_email).should match('https://secure.gravatar.com')
     end
  
@@ -93,7 +93,7 @@ describe API::API, api: true  do
         post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
         response.status.should == 201
         json_response['body'].should == 'hi!'
-        json_response['author']['email'].should == user.email
+        json_response['author']['username'].should == user.username
       end
  
       it "should return a 400 bad request error if body not given" do
@@ -112,7 +112,7 @@ describe API::API, api: true  do
         post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!'
         response.status.should == 201
         json_response['body'].should == 'hi!'
-        json_response['author']['email'].should == user.email
+        json_response['author']['username'].should == user.username
       end
  
       it "should return a 400 bad request error if body not given" do
@@ -21,7 +21,7 @@ describe API::API, api: true  do
       response.status.should == 200
       json_response.should be_an Array
       json_response.count.should == 2
-      json_response.map { |u| u['email'] }.should include user.email
+      json_response.map { |u| u['username'] }.should include user.username
     end
  
     it "finds team members with query string" do
@@ -29,7 +29,7 @@ describe API::API, api: true  do
       response.status.should == 200
       json_response.should be_an Array
       json_response.count.should == 1
-      json_response.first['email'].should == user.email
+      json_response.first['username'].should == user.username
     end
  
     it "should return a 404 error if id not found" do
@@ -44,7 +44,7 @@ describe API::API, api: true  do
     it "should return project team member" do
       get api("/projects/#{project.id}/members/#{user.id}", user)
       response.status.should == 200
-      json_response['email'].should == user.email
+      json_response['username'].should == user.username
       json_response['access_level'].should == UsersProject::MASTER
     end
  
@@ -62,7 +62,7 @@ describe API::API, api: true  do
       }.to change { UsersProject.count }.by(1)
  
       response.status.should == 201
-      json_response['email'].should == user2.email
+      json_response['username'].should == user2.username
       json_response['access_level'].should == UsersProject::DEVELOPER
     end
  
@@ -75,7 +75,7 @@ describe API::API, api: true  do
       }.not_to change { UsersProject.count }.by(1)
  
       response.status.should == 201
-      json_response['email'].should == user2.email
+      json_response['username'].should == user2.username
       json_response['access_level'].should == UsersProject::DEVELOPER
     end
  
@@ -101,7 +101,7 @@ describe API::API, api: true  do
     it "should update project team member" do
       put api("/projects/#{project.id}/members/#{user3.id}", user), access_level: UsersProject::MASTER
       response.status.should == 200
-      json_response['email'].should == user3.email
+      json_response['username'].should == user3.username
       json_response['access_level'].should == UsersProject::MASTER
     end
  
@@ -37,7 +37,7 @@ describe API::API, api: true  do
         response.status.should == 200
         json_response.should be_an Array
         json_response.first['name'].should == project.name
-        json_response.first['owner']['email'].should == user.email
+        json_response.first['owner']['username'].should == user.username
       end
     end
   end
@@ -65,7 +65,7 @@ describe API::API, api: true  do
         response.status.should == 200
         json_response.should be_an Array
         json_response.first['name'].should == project.name
-        json_response.first['owner']['email'].should == user.email
+        json_response.first['owner']['username'].should == user.username
       end
     end
   end
@@ -270,7 +270,7 @@ describe API::API, api: true  do
       get api("/projects/#{project.id}", user)
       response.status.should == 200
       json_response['name'].should == project.name
-      json_response['owner']['email'].should == user.email
+      json_response['owner']['username'].should == user.username
     end
  
     it "should return a project by path name" do
@@ -20,7 +20,18 @@ describe API::API, api: true  do
         get api("/users", user)
         response.status.should == 200
         json_response.should be_an Array
-        json_response.first['email'].should == user.email
+        json_response.first['username'].should == user.username
+      end
+    end
+
+    context "when admin" do
+      it "should return an array of users" do
+        get api("/users", admin)
+        response.status.should == 200
+        json_response.should be_an Array
+        json_response.first.keys.should include 'email'
+        json_response.first.keys.should include 'extern_uid'
+        json_response.first.keys.should include 'can_create_project'
       end
     end
   end
@@ -29,7 +40,7 @@ describe API::API, api: true  do
     it "should return a user by id" do
       get api("/users/#{user.id}", user)
       response.status.should == 200
-      json_response['email'].should == user.email
+      json_response['username'].should == user.username
     end
  
     it "should return a 401 if unauthenticated" do
...	...	@@ -35,6 +35,7 @@ v 7.0.0
35	35	- Be more selective when killing stray Sidekiqs
36	36	- Check LDAP user filter during sign-in
37	37	- Remove wall feature (no data loss - you can take it from database)
	38	+ - Dont expose user emails via API unless you are admin
38	39
39	40	v 6.9.2
40	41	- Revert the commit that broke the LDAP user filter
...	...
...	...	@@ -37,13 +37,9 @@
37	37
38	38	projectUserFormatResult: (user) ->
39	39	if user.avatar_url
40		- avatar = gon.relative_url_root + user.avatar_url
41		- else if gon.gravatar_enabled
42		- avatar = gon.gravatar_url
43		- avatar = avatar.replace('%{hash}', md5(user.email))
44		- avatar = avatar.replace('%{size}', '24')
	40	+ avatar = user.avatar_url
45	41	else
46		- avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
	42	+ avatar = gon.default_avatar_url
47	43
48	44	if user.id == ''
49	45	avatarMarkup = ''
...	...
1	1	$ ->
2	2	userFormatResult = (user) ->
3	3	if user.avatar_url
4		- avatar = gon.relative_url_root + user.avatar_url
5		- else if gon.gravatar_enabled
6		- avatar = gon.gravatar_url
7		- avatar = avatar.replace('%{hash}', md5(user.email))
8		- avatar = avatar.replace('%{size}', '24')
	4	+ avatar = user.avatar_url
9	5	else
10		- avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}"
	6	+ avatar = gon.default_avatar_url
11	7
12	8	"<div class='user-result'>
13	9	<div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
...	...
...	...	@@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
164	164	def add_gon_variables
165	165	gon.default_issues_tracker = Project.issues_tracker.default_value
166	166	gon.api_version = API::API.version
167		- gon.gravatar_url = request.ssl? \|\| Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
168	167	gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
169		- gon.gravatar_enabled = Gitlab.config.gravatar.enabled
	168	+ gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
170	169
171	170	if current_user
172	171	gon.current_user_id = current_user.id
...	...
...	...	@@ -60,23 +60,21 @@ module ApplicationHelper
60	60
61	61	def avatar_icon(user_email = '', size = nil)
62	62	user = User.find_by(email: user_email)
63		- if user && user.avatar.present?
64		- user.avatar.url
	63	+
	64	+ if user
	65	+ user.avatar_url(size) \|\| default_avatar
65	66	else
66	67	gravatar_icon(user_email, size)
67	68	end
68	69	end
69	70
70	71	def gravatar_icon(user_email = '', size = nil)
71		- size = 40 if size.nil? \|\| size <= 0
	72	+ GravatarService.new.execute(user_email, size) \|\|
	73	+ default_avatar
	74	+ end
72	75
73		- if !Gitlab.config.gravatar.enabled \|\| user_email.blank?
74		- image_path('no_avatar.png')
75		- else
76		- gravatar_url = request.ssl? \|\| gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
77		- user_email.strip!
78		- sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
79		- end
	76	+ def default_avatar
	77	+ image_path('no_avatar.png')
80	78	end
81	79
82	80	def last_commit(project)
...	...
...	...	@@ -482,4 +482,12 @@ class User < ActiveRecord::Base
482	482	def public_profile?
483	483	authorized_projects.public_only.any?
484	484	end
	485	+
	486	+ def avatar_url(size = nil)
	487	+ if avatar.present?
	488	+ URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
	489	+ else
	490	+ GravatarService.new.execute(email, size)
	491	+ end
	492	+ end
485	493	end
...	...
...	...	@@ -0,0 +1,28 @@
	1	+class GravatarService
	2	+ def execute(email, size = nil)
	3	+ if gravatar_config.enabled && email.present?
	4	+ size = 40 if size.nil? \|\| size <= 0
	5	+
	6	+ sprintf gravatar_url,
	7	+ hash: Digest::MD5.hexdigest(email.strip.downcase),
	8	+ size: size,
	9	+ email: email.strip
	10	+ end
	11	+ end
	12	+
	13	+ def gitlab_config
	14	+ Gitlab.config.gitlab
	15	+ end
	16	+
	17	+ def gravatar_config
	18	+ Gitlab.config.gravatar
	19	+ end
	20	+
	21	+ def gravatar_url
	22	+ if gitlab_config.https
	23	+ gravatar_config.ssl_url
	24	+ else
	25	+ gravatar_config.plain_url
	26	+ end
	27	+ end
	28	+end
...	...
...	...	@@ -6,6 +6,34 @@ Get a list of users.
6	6
7	7	This function takes pagination parameters `page` and `per_page` to restrict the list of users.
8	8
	9	+### For normal users:
	10	+
	11	+```
	12	+GET /users
	13	+```
	14	+
	15	+```json
	16	+[
	17	+ {
	18	+ "id": 1,
	19	+ "username": "john_smith",
	20	+ "name": "John Smith",
	21	+ "state": "active",
	22	+ "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
	23	+ },
	24	+ {
	25	+ "id": 2,
	26	+ "username": "jack_smith",
	27	+ "name": "Jack Smith",
	28	+ "state": "blocked",
	29	+ "avatar_url": "http://gravatar.com/../e32131cd8.jpeg",
	30	+ }
	31	+]
	32	+```
	33	+
	34	+
	35	+### For admins:
	36	+
9	37	```
10	38	GET /users
11	39	```
...	...	@@ -29,6 +57,7 @@ GET /users
29	57	"theme_id": 1,
30	58	"color_scheme_id": 2,
31	59	"is_admin": false,
	60	+ "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
32	61	"can_create_group": true
33	62	},
34	63	{
...	...	@@ -48,6 +77,7 @@ GET /users
48	77	"theme_id": 1,
49	78	"color_scheme_id": 3,
50	79	"is_admin": false,
	80	+ "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
51	81	"can_create_group": true,
52	82	"can_create_project": true
53	83	}
...	...	@@ -62,6 +92,29 @@ Also see `def search query` in `app/models/user.rb`.
62	92
63	93	Get a single user.
64	94
	95	+#### For user:
	96	+
	97	+```
	98	+GET /users/:id
	99	+```
	100	+
	101	+Parameters:
	102	+
	103	+- `id` (required) - The ID of a user
	104	+
	105	+```json
	106	+{
	107	+ "id": 1,
	108	+ "username": "john_smith",
	109	+ "name": "John Smith",
	110	+ "state": "active",
	111	+ "avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
	112	+}
	113	+```
	114	+
	115	+
	116	+#### For admin:
	117	+
65	118	```
66	119	GET /users/:id
67	120	```
...	...
1	1	module API
2	2	module Entities
3		- class User < Grape::Entity
4		- expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url,
5		- :theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
6		- expose :is_admin?, as: :is_admin
7		- expose :can_create_group?, as: :can_create_group
8		- expose :can_create_project?, as: :can_create_project
	3	+ class UserSafe < Grape::Entity
	4	+ expose :name, :username
	5	+ end
9	6
10		- expose :avatar_url do \|user, options\|
11		- if user.avatar.present?
12		- user.avatar.url
13		- end
14		- end
	7	+ class UserBasic < UserSafe
	8	+ expose :id, :state, :avatar_url
15	9	end
16	10
17		- class UserSafe < Grape::Entity
18		- expose :name, :username
	11	+ class User < UserBasic
	12	+ expose :created_at
	13	+ expose :is_admin?, as: :is_admin
	14	+ expose :bio, :skype, :linkedin, :twitter, :website_url
19	15	end
20	16
21		- class UserBasic < Grape::Entity
22		- expose :id, :username, :email, :name, :state, :created_at
	17	+ class UserFull < User
	18	+ expose :email
	19	+ expose :theme_id, :color_scheme_id, :extern_uid, :provider
	20	+ expose :can_create_group?, as: :can_create_group
	21	+ expose :can_create_project?, as: :can_create_project
23	22	end
24	23
25		- class UserLogin < User
	24	+ class UserLogin < UserFull
26	25	expose :private_token
27	26	end
28	27
...	...
...	...	@@ -59,4 +59,3 @@ module API
59	59	end
60	60	end
61	61	end
62		-
...	...