1. 30 Jun, 2017 1 commit
    • Timothy Andrew's avatar
      Implement review comments for !12445 from @godfat and @rymai. · 3c88a786
      Timothy Andrew authored
      - Use `GlobalPolicy` to authorize the users that a non-authenticated user can
        fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC`
        visibility level is not restricted.
      
      - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if
        the `username` parameter is passed.
      
      - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual
        route + method, rather than the description.
      
      - Change the type of `current_user` check in `UsersFinder` to be more
        compatible with EE.
      3c88a786
  2. 26 Jun, 2017 2 commits
    • Timothy Andrew's avatar
      Add CHANGELOG entry for CE MR 12445 · c39e4ccf
      Timothy Andrew authored
      c39e4ccf
    • Timothy Andrew's avatar
      Allow unauthenticated access to the `/api/v4/users` API. · 20f679d6
      Timothy Andrew authored
      - The issue filtering frontend code needs access to this API for non-logged-in
        users + public projects. It uses the API to fetch information for a user by
        username.
      
      - We don't authenticate this API anymore, but instead - if the `current_user` is
        not present:
      
        - Verify that the `username` parameter has been passed. This disallows an
          unauthenticated user from grabbing a list of all users on the instance. The
          `UsersFinder` class performs an exact match on the `username`, so we are
          guaranteed to get 0 or 1 users.
        - Verify that the resulting user (if any) is accessible to be viewed publicly
          by calling `can?(current_user, :read_user, user)`
      20f679d6
  3. 24 Jun, 2017 3 commits
  4. 23 Jun, 2017 34 commits