Commit 727dff3f authored by Timothy Andrew

Don't expose a user's private token in the `/api/v3/user` API.

- This would allow anyone with a personal access token (even a read-only
  token, once scopes are implemented) to escalate their access by
  obtaining the private token.
parent 4d042afe
......@@ -310,8 +310,7 @@ GET /user
"can_create_group": true,
"can_create_project": true,
"two_factor_enabled": true,
"external": false,
"private_token": "dd34asd13as"
"external": false
}
```
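Review bot: the doc change is consistent: `private_token` was the last key in the example, so removing it also requires dropping the trailing comma from `"external": false,`, which this hunk does, and the JSON example stays valid. What is missing is a note for API consumers: the hunk silently removes a field from the `GET /user` response, so a line in the API docs (or the changelog) stating that `private_token` is no longer returned would save clients that read it from a surprise breakage.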
......
......@@ -327,7 +327,7 @@ module API
# Example Request:
# GET /user
get do
present @current_user, with: Entities::UserLogin
present @current_user, with: Entities::UserFull
end
# Get currently authenticated user's keys
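Review bot: the definition of `Entities::UserFull` is not in the visible lines, so the hunk alone does not show which attributes it exposes; the spec in this commit only asserts that `private_token` is gone, so it is worth confirming that `UserFull` carries no other credential-like field. Also, `Entities::UserLogin` (the entity that presumably includes the token) is not removed here; if `GET /user` was its only remaining use, deleting it would ensure no other endpoint can be pointed at it later.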
......
......@@ -605,6 +605,7 @@ describe API::API, api: true do
expect(json_response['can_create_project']).to eq(user.can_create_project?)
expect(json_response['can_create_group']).to eq(user.can_create_group?)
expect(json_response['projects_limit']).to eq(user.projects_limit)
expect(json_response['private_token']).to be_blank
end
it "returns 401 error if user is unauthenticated" do
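Review bot: `expect(json_response['private_token']).to be_blank` also passes when the key is present with an empty string (and `blank?` is true for `false` as well), so the test does not prove the field was removed from the response. `expect(json_response).not_to have_key('private_token')` (or `expect(json_response.keys).not_to include('private_token')`) asserts the stronger property the commit message describes: the token is not exposed at all.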
......