    Implement review comments for !12445 from @godfat and @rymai. · 3c88a786
    Timothy Andrew authored
    - Use `GlobalPolicy` to authorize the users that a non-authenticated user can
      fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
      visibility level is not restricted.
    
    - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
      the `username` parameter is passed.
    
    - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
      route + method, rather than the description.
    
    - Change the type of `current_user` check in `UsersFinder` to be more
      compatible with EE.
base_policy.rb 2.44 KB