Commit 87fd342a authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'more-secure-api' into 'master'

More secure api

Dont expose user email via API. Fixes #1314
parents 2af8ace1 47d6f705
...@@ -35,6 +35,7 @@ v 7.0.0 ...@@ -35,6 +35,7 @@ v 7.0.0
- Be more selective when killing stray Sidekiqs - Be more selective when killing stray Sidekiqs
- Check LDAP user filter during sign-in - Check LDAP user filter during sign-in
- Remove wall feature (no data loss - you can take it from database) - Remove wall feature (no data loss - you can take it from database)
- Dont expose user emails via API unless you are admin
v 6.9.2 v 6.9.2
- Revert the commit that broke the LDAP user filter - Revert the commit that broke the LDAP user filter
......
...@@ -37,13 +37,9 @@ ...@@ -37,13 +37,9 @@
projectUserFormatResult: (user) -> projectUserFormatResult: (user) ->
if user.avatar_url if user.avatar_url
avatar = gon.relative_url_root + user.avatar_url avatar = user.avatar_url
else if gon.gravatar_enabled
avatar = gon.gravatar_url
avatar = avatar.replace('%{hash}', md5(user.email))
avatar = avatar.replace('%{size}', '24')
else else
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}" avatar = gon.default_avatar_url
if user.id == '' if user.id == ''
avatarMarkup = '' avatarMarkup = ''
......
$ -> $ ->
userFormatResult = (user) -> userFormatResult = (user) ->
if user.avatar_url if user.avatar_url
avatar = gon.relative_url_root + user.avatar_url avatar = user.avatar_url
else if gon.gravatar_enabled
avatar = gon.gravatar_url
avatar = avatar.replace('%{hash}', md5(user.email))
avatar = avatar.replace('%{size}', '24')
else else
avatar = gon.relative_url_root + "#{image_path('no_avatar.png')}" avatar = gon.default_avatar_url
"<div class='user-result'> "<div class='user-result'>
<div class='user-image'><img class='avatar s24' src='#{avatar}'></div> <div class='user-image'><img class='avatar s24' src='#{avatar}'></div>
......
...@@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base ...@@ -164,9 +164,8 @@ class ApplicationController < ActionController::Base
def add_gon_variables def add_gon_variables
gon.default_issues_tracker = Project.issues_tracker.default_value gon.default_issues_tracker = Project.issues_tracker.default_value
gon.api_version = API::API.version gon.api_version = API::API.version
gon.gravatar_url = request.ssl? || Gitlab.config.gitlab.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
gon.relative_url_root = Gitlab.config.gitlab.relative_url_root gon.relative_url_root = Gitlab.config.gitlab.relative_url_root
gon.gravatar_enabled = Gitlab.config.gravatar.enabled gon.default_avatar_url = URI::join(Gitlab.config.gitlab.url, ActionController::Base.helpers.image_path('no_avatar.png')).to_s
if current_user if current_user
gon.current_user_id = current_user.id gon.current_user_id = current_user.id
......
...@@ -60,23 +60,21 @@ module ApplicationHelper ...@@ -60,23 +60,21 @@ module ApplicationHelper
def avatar_icon(user_email = '', size = nil) def avatar_icon(user_email = '', size = nil)
user = User.find_by(email: user_email) user = User.find_by(email: user_email)
if user && user.avatar.present?
user.avatar.url if user
user.avatar_url(size) || default_avatar
else else
gravatar_icon(user_email, size) gravatar_icon(user_email, size)
end end
end end
def gravatar_icon(user_email = '', size = nil) def gravatar_icon(user_email = '', size = nil)
size = 40 if size.nil? || size <= 0 GravatarService.new.execute(user_email, size) ||
default_avatar
end
if !Gitlab.config.gravatar.enabled || user_email.blank? def default_avatar
image_path('no_avatar.png') image_path('no_avatar.png')
else
gravatar_url = request.ssl? || gitlab_config.https ? Gitlab.config.gravatar.ssl_url : Gitlab.config.gravatar.plain_url
user_email.strip!
sprintf gravatar_url, hash: Digest::MD5.hexdigest(user_email.downcase), size: size, email: user_email
end
end end
def last_commit(project) def last_commit(project)
......
...@@ -482,4 +482,12 @@ class User < ActiveRecord::Base ...@@ -482,4 +482,12 @@ class User < ActiveRecord::Base
def public_profile? def public_profile?
authorized_projects.public_only.any? authorized_projects.public_only.any?
end end
def avatar_url(size = nil)
if avatar.present?
URI::join(Gitlab.config.gitlab.url, avatar.url).to_s
else
GravatarService.new.execute(email, size)
end
end
end end
class GravatarService
def execute(email, size = nil)
if gravatar_config.enabled && email.present?
size = 40 if size.nil? || size <= 0
sprintf gravatar_url,
hash: Digest::MD5.hexdigest(email.strip.downcase),
size: size,
email: email.strip
end
end
def gitlab_config
Gitlab.config.gitlab
end
def gravatar_config
Gitlab.config.gravatar
end
def gravatar_url
if gitlab_config.https
gravatar_config.ssl_url
else
gravatar_config.plain_url
end
end
end
...@@ -6,6 +6,34 @@ Get a list of users. ...@@ -6,6 +6,34 @@ Get a list of users.
This function takes pagination parameters `page` and `per_page` to restrict the list of users. This function takes pagination parameters `page` and `per_page` to restrict the list of users.
### For normal users:
```
GET /users
```
```json
[
{
"id": 1,
"username": "john_smith",
"name": "John Smith",
"state": "active",
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
},
{
"id": 2,
"username": "jack_smith",
"name": "Jack Smith",
"state": "blocked",
"avatar_url": "http://gravatar.com/../e32131cd8.jpeg",
}
]
```
### For admins:
``` ```
GET /users GET /users
``` ```
...@@ -29,6 +57,7 @@ GET /users ...@@ -29,6 +57,7 @@ GET /users
"theme_id": 1, "theme_id": 1,
"color_scheme_id": 2, "color_scheme_id": 2,
"is_admin": false, "is_admin": false,
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
"can_create_group": true "can_create_group": true
}, },
{ {
...@@ -48,6 +77,7 @@ GET /users ...@@ -48,6 +77,7 @@ GET /users
"theme_id": 1, "theme_id": 1,
"color_scheme_id": 3, "color_scheme_id": 3,
"is_admin": false, "is_admin": false,
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
"can_create_group": true, "can_create_group": true,
"can_create_project": true "can_create_project": true
} }
...@@ -62,6 +92,29 @@ Also see `def search query` in `app/models/user.rb`. ...@@ -62,6 +92,29 @@ Also see `def search query` in `app/models/user.rb`.
Get a single user. Get a single user.
#### For user:
```
GET /users/:id
```
Parameters:
- `id` (required) - The ID of a user
```json
{
"id": 1,
"username": "john_smith",
"name": "John Smith",
"state": "active",
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
}
```
#### For admin:
``` ```
GET /users/:id GET /users/:id
``` ```
......
module API module API
module Entities module Entities
class User < Grape::Entity class UserSafe < Grape::Entity
expose :id, :username, :email, :name, :bio, :skype, :linkedin, :twitter, :website_url, expose :name, :username
:theme_id, :color_scheme_id, :state, :created_at, :extern_uid, :provider
expose :is_admin?, as: :is_admin
expose :can_create_group?, as: :can_create_group
expose :can_create_project?, as: :can_create_project
expose :avatar_url do |user, options|
if user.avatar.present?
user.avatar.url
end
end end
class UserBasic < UserSafe
expose :id, :state, :avatar_url
end end
class UserSafe < Grape::Entity class User < UserBasic
expose :name, :username expose :created_at
expose :is_admin?, as: :is_admin
expose :bio, :skype, :linkedin, :twitter, :website_url
end end
class UserBasic < Grape::Entity class UserFull < User
expose :id, :username, :email, :name, :state, :created_at expose :email
expose :theme_id, :color_scheme_id, :extern_uid, :provider
expose :can_create_group?, as: :can_create_group
expose :can_create_project?, as: :can_create_project
end end
class UserLogin < User class UserLogin < UserFull
expose :private_token expose :private_token
end end
......
...@@ -59,4 +59,3 @@ module API ...@@ -59,4 +59,3 @@ module API
end end
end end
end end
...@@ -209,7 +209,7 @@ module API ...@@ -209,7 +209,7 @@ module API
@users = User.where(id: user_project.team.users.map(&:id)) @users = User.where(id: user_project.team.users.map(&:id))
@users = @users.search(params[:search]) if params[:search].present? @users = @users.search(params[:search]) if params[:search].present?
@users = paginate @users @users = paginate @users
present @users, with: Entities::User present @users, with: Entities::UserBasic
end end
# Get a project labels # Get a project labels
......
...@@ -13,7 +13,12 @@ module API ...@@ -13,7 +13,12 @@ module API
@users = @users.active if params[:active].present? @users = @users.active if params[:active].present?
@users = @users.search(params[:search]) if params[:search].present? @users = @users.search(params[:search]) if params[:search].present?
@users = paginate @users @users = paginate @users
present @users, with: Entities::User
if current_user.is_admin?
present @users, with: Entities::UserFull
else
present @users, with: Entities::UserBasic
end
end end
# Get a single user # Get a single user
...@@ -24,7 +29,12 @@ module API ...@@ -24,7 +29,12 @@ module API
# GET /users/:id # GET /users/:id
get ":id" do get ":id" do
@user = User.find(params[:id]) @user = User.find(params[:id])
present @user, with: Entities::User
if current_user.is_admin?
present @user, with: Entities::UserFull
else
present @user, with: Entities::UserBasic
end
end end
# Create user. Available only for admin # Create user. Available only for admin
...@@ -53,7 +63,7 @@ module API ...@@ -53,7 +63,7 @@ module API
admin = attrs.delete(:admin) admin = attrs.delete(:admin)
user.admin = admin unless admin.nil? user.admin = admin unless admin.nil?
if user.save if user.save
present user, with: Entities::User present user, with: Entities::UserFull
else else
not_found! not_found!
end end
...@@ -87,7 +97,7 @@ module API ...@@ -87,7 +97,7 @@ module API
admin = attrs.delete(:admin) admin = attrs.delete(:admin)
user.admin = admin unless admin.nil? user.admin = admin unless admin.nil?
if user.update_attributes(attrs, as: :admin) if user.update_attributes(attrs, as: :admin)
present user, with: Entities::User present user, with: Entities::UserFull
else else
not_found! not_found!
end end
......
...@@ -67,10 +67,9 @@ describe ApplicationHelper do ...@@ -67,10 +67,9 @@ describe ApplicationHelper do
end end
it "should call gravatar_icon when no avatar is present" do it "should call gravatar_icon when no avatar is present" do
user = create(:user) user = create(:user, email: 'test@example.com')
user.save! user.save!
allow(self).to receive(:gravatar_icon).and_return('gravatar_method_called') avatar_icon(user.email).to_s.should == "http://www.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=40&d=mm"
avatar_icon(user.email).to_s.should == "gravatar_method_called"
end end
end end
...@@ -87,12 +86,12 @@ describe ApplicationHelper do ...@@ -87,12 +86,12 @@ describe ApplicationHelper do
end end
it "should return default gravatar url" do it "should return default gravatar url" do
allow(self).to receive(:request).and_return(double(:ssl? => false)) Gitlab.config.gitlab.stub(https: false)
gravatar_icon(user_email).should match('http://www.gravatar.com/avatar/b58c6f14d292556214bd64909bcdb118') gravatar_icon(user_email).should match('http://www.gravatar.com/avatar/b58c6f14d292556214bd64909bcdb118')
end end
it "should use SSL when appropriate" do it "should use SSL when appropriate" do
allow(self).to receive(:request).and_return(double(:ssl? => true)) Gitlab.config.gitlab.stub(https: true)
gravatar_icon(user_email).should match('https://secure.gravatar.com') gravatar_icon(user_email).should match('https://secure.gravatar.com')
end end
......
...@@ -93,7 +93,7 @@ describe API::API, api: true do ...@@ -93,7 +93,7 @@ describe API::API, api: true do
post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!' post api("/projects/#{project.id}/issues/#{issue.id}/notes", user), body: 'hi!'
response.status.should == 201 response.status.should == 201
json_response['body'].should == 'hi!' json_response['body'].should == 'hi!'
json_response['author']['email'].should == user.email json_response['author']['username'].should == user.username
end end
it "should return a 400 bad request error if body not given" do it "should return a 400 bad request error if body not given" do
...@@ -112,7 +112,7 @@ describe API::API, api: true do ...@@ -112,7 +112,7 @@ describe API::API, api: true do
post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!' post api("/projects/#{project.id}/snippets/#{snippet.id}/notes", user), body: 'hi!'
response.status.should == 201 response.status.should == 201
json_response['body'].should == 'hi!' json_response['body'].should == 'hi!'
json_response['author']['email'].should == user.email json_response['author']['username'].should == user.username
end end
it "should return a 400 bad request error if body not given" do it "should return a 400 bad request error if body not given" do
......
...@@ -21,7 +21,7 @@ describe API::API, api: true do ...@@ -21,7 +21,7 @@ describe API::API, api: true do
response.status.should == 200 response.status.should == 200
json_response.should be_an Array json_response.should be_an Array
json_response.count.should == 2 json_response.count.should == 2
json_response.map { |u| u['email'] }.should include user.email json_response.map { |u| u['username'] }.should include user.username
end end
it "finds team members with query string" do it "finds team members with query string" do
...@@ -29,7 +29,7 @@ describe API::API, api: true do ...@@ -29,7 +29,7 @@ describe API::API, api: true do
response.status.should == 200 response.status.should == 200
json_response.should be_an Array json_response.should be_an Array
json_response.count.should == 1 json_response.count.should == 1
json_response.first['email'].should == user.email json_response.first['username'].should == user.username
end end
it "should return a 404 error if id not found" do it "should return a 404 error if id not found" do
...@@ -44,7 +44,7 @@ describe API::API, api: true do ...@@ -44,7 +44,7 @@ describe API::API, api: true do
it "should return project team member" do it "should return project team member" do
get api("/projects/#{project.id}/members/#{user.id}", user) get api("/projects/#{project.id}/members/#{user.id}", user)
response.status.should == 200 response.status.should == 200
json_response['email'].should == user.email json_response['username'].should == user.username
json_response['access_level'].should == UsersProject::MASTER json_response['access_level'].should == UsersProject::MASTER
end end
...@@ -62,7 +62,7 @@ describe API::API, api: true do ...@@ -62,7 +62,7 @@ describe API::API, api: true do
}.to change { UsersProject.count }.by(1) }.to change { UsersProject.count }.by(1)
response.status.should == 201 response.status.should == 201
json_response['email'].should == user2.email json_response['username'].should == user2.username
json_response['access_level'].should == UsersProject::DEVELOPER json_response['access_level'].should == UsersProject::DEVELOPER
end end
...@@ -75,7 +75,7 @@ describe API::API, api: true do ...@@ -75,7 +75,7 @@ describe API::API, api: true do
}.not_to change { UsersProject.count }.by(1) }.not_to change { UsersProject.count }.by(1)
response.status.should == 201 response.status.should == 201
json_response['email'].should == user2.email json_response['username'].should == user2.username
json_response['access_level'].should == UsersProject::DEVELOPER json_response['access_level'].should == UsersProject::DEVELOPER
end end
...@@ -101,7 +101,7 @@ describe API::API, api: true do ...@@ -101,7 +101,7 @@ describe API::API, api: true do
it "should update project team member" do it "should update project team member" do
put api("/projects/#{project.id}/members/#{user3.id}", user), access_level: UsersProject::MASTER put api("/projects/#{project.id}/members/#{user3.id}", user), access_level: UsersProject::MASTER
response.status.should == 200 response.status.should == 200
json_response['email'].should == user3.email json_response['username'].should == user3.username
json_response['access_level'].should == UsersProject::MASTER json_response['access_level'].should == UsersProject::MASTER
end end
......
...@@ -37,7 +37,7 @@ describe API::API, api: true do ...@@ -37,7 +37,7 @@ describe API::API, api: true do
response.status.should == 200 response.status.should == 200
json_response.should be_an Array json_response.should be_an Array
json_response.first['name'].should == project.name json_response.first['name'].should == project.name
json_response.first['owner']['email'].should == user.email json_response.first['owner']['username'].should == user.username
end end
end end
end end
...@@ -65,7 +65,7 @@ describe API::API, api: true do ...@@ -65,7 +65,7 @@ describe API::API, api: true do
response.status.should == 200 response.status.should == 200
json_response.should be_an Array json_response.should be_an Array
json_response.first['name'].should == project.name json_response.first['name'].should == project.name
json_response.first['owner']['email'].should == user.email json_response.first['owner']['username'].should == user.username
end end
end end
end end
...@@ -270,7 +270,7 @@ describe API::API, api: true do ...@@ -270,7 +270,7 @@ describe API::API, api: true do
get api("/projects/#{project.id}", user) get api("/projects/#{project.id}", user)
response.status.should == 200 response.status.should == 200
json_response['name'].should == project.name json_response['name'].should == project.name
json_response['owner']['email'].should == user.email json_response['owner']['username'].should == user.username
end end
it "should return a project by path name" do it "should return a project by path name" do
......
...@@ -20,7 +20,18 @@ describe API::API, api: true do ...@@ -20,7 +20,18 @@ describe API::API, api: true do
get api("/users", user) get api("/users", user)
response.status.should == 200 response.status.should == 200
json_response.should be_an Array json_response.should be_an Array
json_response.first['email'].should == user.email json_response.first['username'].should == user.username
end
end
context "when admin" do
it "should return an array of users" do
get api("/users", admin)
response.status.should == 200
json_response.should be_an Array
json_response.first.keys.should include 'email'
json_response.first.keys.should include 'extern_uid'
json_response.first.keys.should include 'can_create_project'
end end
end end
end end
...@@ -29,7 +40,7 @@ describe API::API, api: true do ...@@ -29,7 +40,7 @@ describe API::API, api: true do
it "should return a user by id" do it "should return a user by id" do
get api("/users/#{user.id}", user) get api("/users/#{user.id}", user)
response.status.should == 200 response.status.should == 200
json_response['email'].should == user.email json_response['username'].should == user.username
end end
it "should return a 401 if unauthenticated" do it "should return a 401 if unauthenticated" do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment