Commit 0d6b46c0 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '35697-allow-logged-in-user-to-read-user-list' into 'master'

Allow logged in users to read user list under public restriction

Closes #35697

See merge request !13201
parents cfa41e62 0d35b081
...@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy ...@@ -44,7 +44,7 @@ class GlobalPolicy < BasePolicy
prevent :log_in prevent :log_in
end end
rule { admin | ~restricted_public_level }.policy do rule { ~(anonymous & restricted_public_level) }.policy do
enable :read_users_list enable :read_users_list
end end
end end
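Review bot: The rewritten condition `rule { ~(anonymous & restricted_public_level) }` is a negated conjunction that reads as a double negative, and since this rule is the only grant of `read_users_list` it deserves a comment stating the intent in plain terms, e.g. `# Listing users is open to everyone unless PUBLIC is a restricted visibility level, in which case only signed-in users may list them.` The explicit `admin` grant from the old side is dropped; an admin is presumably never `anonymous`, so the grant is preserved by the new form, but that should be confirmed rather than assumed. The enclosing `GlobalPolicy` class continues outside the hunk.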
---
title: Allow any logged in users to read_users_list even if it's restricted
merge_request: 13201
author:
...@@ -16,38 +16,44 @@ describe API::Users do ...@@ -16,38 +16,44 @@ describe API::Users do
it "returns authorization error when the `username` parameter is not passed" do it "returns authorization error when the `username` parameter is not passed" do
get api("/users") get api("/users")
expect(response).to have_http_status(403) expect(response).to have_gitlab_http_status(403)
end end
it "returns the user when a valid `username` parameter is passed" do it "returns the user when a valid `username` parameter is passed" do
user = create(:user)
get api("/users"), username: user.username get api("/users"), username: user.username
expect(response).to have_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.size).to eq(1) expect(json_response.size).to eq(1)
expect(json_response[0]['id']).to eq(user.id) expect(json_response[0]['id']).to eq(user.id)
expect(json_response[0]['username']).to eq(user.username) expect(json_response[0]['username']).to eq(user.username)
end end
it "returns authorization error when the `username` parameter refers to an inaccessible user" do
user = create(:user)
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
get api("/users"), username: user.username
expect(response).to have_http_status(403)
end
it "returns an empty response when an invalid `username` parameter is passed" do it "returns an empty response when an invalid `username` parameter is passed" do
get api("/users"), username: 'invalid' get api("/users"), username: 'invalid'
expect(response).to have_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an Array expect(json_response).to be_an Array
expect(json_response.size).to eq(0) expect(json_response.size).to eq(0)
end end
context "when public level is restricted" do
before do
stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
end
it "returns authorization error when the `username` parameter refers to an inaccessible user" do
get api("/users"), username: user.username
expect(response).to have_gitlab_http_status(403)
end
it "returns authorization error when the `username` parameter is not passed" do
get api("/users")
expect(response).to have_gitlab_http_status(403)
end
end
end end
context "when authenticated" do context "when authenticated" do
...@@ -58,10 +64,10 @@ describe API::Users do ...@@ -58,10 +64,10 @@ describe API::Users do
end end
context 'when authenticate as a regular user' do context 'when authenticate as a regular user' do
it "renders 403" do it "renders 200" do
get api("/users", user) get api("/users", user)
expect(response).to have_gitlab_http_status(403) expect(response).to have_gitlab_http_status(200)
end end
end end
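Review bot: The behaviour this commit introduces — a signed-in user receiving 200 from `GET /users` while PUBLIC is a restricted visibility level — is not exercised by either hunk: the new `when public level is restricted` context covers only unauthenticated requests, and the regular-user example whose expectation changed from 403 to 200 runs under default settings. Unless it is covered elsewhere in the file, add an example under the authenticated regular-user context that stubs `restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC]` and asserts 200, so a later policy change cannot silently re-lock the list without a failing spec. The `user` referenced inside the restricted context presumably comes from a `let` defined above the hunk, since the inline `create(:user)` lines were removed. The `username parameter is not passed` example inside the restricted context repeats the one above it under a different setting; a description such as `"still returns authorization error when the username parameter is not passed"` would make that distinction obvious.
```ruby
context 'when authenticate as a regular user' do
  # … unchanged: "renders 200" example …

  context "when public level is restricted" do
    before do
      stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
    end

    it "still renders 200" do
      get api("/users", user)

      expect(response).to have_gitlab_http_status(200)
    end
  end
end
```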