Commit 02b85fd2 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Check user access status in API for current_user

parent 34fd5570
......@@ -8,6 +8,11 @@ module API
def current_user
private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
@current_user ||= User.find_by(authentication_token: private_token)
unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
return nil
end
identifier = sudo_identifier()
# If the sudo is the current user do nothing
......
......@@ -44,6 +44,11 @@ describe API, api: true do
current_user.should be_nil
end
it "should return nil for a user without access" do
Gitlab::UserAccess.stub(allowed?: false)
current_user.should be_nil
end
it "should leave user as is when sudo not specified" do
env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
current_user.should == user
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment