Check user access status in API for current_user

02b85fd2 · Jacob Vosmaer · 34fd5570 · 02b85fd2 · 02b85fd2
Commit 02b85fd2 authored May 15, 2014 by Jacob Vosmaer
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

lib/api/helpers.rb lib/api/helpers.rb +5 -0

spec/requests/api/api_helpers_spec.rb spec/requests/api/api_helpers_spec.rb +5 -0

No files found.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -8,6 +8,11 @@ module API
    def current_user
      private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
      @current_user ||= User.find_by(authentication_token: private_token)
+
+      unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
+        return nil
+      end
+
      identifier = sudo_identifier()

      # If the sudo is the current user do nothing

--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -44,6 +44,11 @@ describe API, api: true do
      current_user.should be_nil
    end

+    it "should return nil for a user without access" do
+      Gitlab::UserAccess.stub(allowed?: false)
+      current_user.should be_nil
+    end
+
    it "should leave user as is when sudo not specified" do
      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
      current_user.should == user