Don't expose a user's private token in the `/api/v3/user` API.

- This would allow anyone with a personal access token (even a read-only token, once scopes are implemented) to escalate their access by obtaining the private token.

Don't expose a user's private token in the `/api/v3/user` API.
- This would allow anyone with a personal access token (even a read-only token, once scopes are implemented) to escalate their access by obtaining the private token.
727dff3f · Timothy Andrew · 4d042afe · 727dff3f · 727dff3f · 727dff3f
Commit 727dff3f authored Aug 26, 2016 by Timothy Andrew
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

doc/api/users.md doc/api/users.md +1 -2

lib/api/users.rb lib/api/users.rb +1 -1

spec/requests/api/users_spec.rb spec/requests/api/users_spec.rb +1 -0

No files found.
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -310,8 +310,7 @@ GET /user
  "can_create_group": true,
  "can_create_project": true,
  "two_factor_enabled": true,
-  "external": false,
-  "private_token": "dd34asd13as"
+  "external": false
 }
 ```


--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -327,7 +327,7 @@ module API
      # Example Request:
      #   GET /user
      get do
-        present @current_user, with: Entities::UserLogin
+        present @current_user, with: Entities::UserFull
      end

      # Get currently authenticated user's keys

--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -605,6 +605,7 @@ describe API::API, api: true  do
      expect(json_response['can_create_project']).to eq(user.can_create_project?)
      expect(json_response['can_create_group']).to eq(user.can_create_group?)
      expect(json_response['projects_limit']).to eq(user.projects_limit)
+      expect(json_response['private_token']).to be_blank
    end

    it "returns 401 error if user is unauthenticated" do