Merge branch 'api_ldap' into 'master'

Check user access during API calls

Merge branch 'api_ldap' into 'master'
Check user access during API calls
39eac7b0 · Dmitriy Zaporozhets · 216704f3 · 223a8695 · 39eac7b0 · 39eac7b0
Commit 39eac7b0 authored May 15, 2014 by Dmitriy Zaporozhets
5 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -16,6 +16,7 @@ v 6.9.0
  - Two Step MR creation process
  - Remove unwanted files from satellite working directory with git clean -fdx
  - Accept merge request via API (sponsored by O'Reilly Media)
+  - Add more access checks during API calls

 v 6.8.0
  - Ability to at mention users that are participating in issue and merge req. discussion

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -8,6 +8,11 @@ module API
    def current_user
      private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
      @current_user ||= User.find_by(authentication_token: private_token)
+
+      unless @current_user && Gitlab::UserAccess.allowed?(@current_user)
+        return nil
+      end
+
      identifier = sudo_identifier()

      # If the sudo is the current user do nothing

--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -61,18 +61,7 @@ module Gitlab
    private

    def user_allowed?(user)
-      return false if user.blocked?
-
-      if Gitlab.config.ldap.enabled
-        if user.ldap_user?
-          # Check if LDAP user exists and match LDAP user_filter
-          Gitlab::LDAP::Access.open do |adapter|
-            return false unless adapter.allowed?(user)
-          end
-        end
-      end
-
-      true
+      Gitlab::UserAccess.allowed?(user)
    end
  end
 end
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
+module Gitlab
+  module UserAccess
+    def self.allowed?(user)
+      return false if user.blocked?
+
+      if Gitlab.config.ldap.enabled
+        if user.ldap_user?
+          # Check if LDAP user exists and match LDAP user_filter
+          Gitlab::LDAP::Access.open do |adapter|
+            return false unless adapter.allowed?(user)
+          end
+        end
+      end
+
+      true
+    end
+  end
+end
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -39,6 +39,17 @@ describe API, api: true do
  end

  describe ".current_user" do
+    it "should return nil for an invalid token" do
+      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
+      current_user.should be_nil
+    end
+
+    it "should return nil for a user without access" do
+      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
+      Gitlab::UserAccess.stub(allowed?: false)
+      current_user.should be_nil
+    end
+
    it "should leave user as is when sudo not specified" do
      env[API::APIHelpers::PRIVATE_TOKEN_HEADER] = user.private_token
      current_user.should == user