Merge branch...

Merge branch '349706-the-users-username-exists-action-shouldn-t-be-available-when-gitlab-instance-doesn-t-allow' into 'master' Prevent user exists route when GitLab instance doesn't allow registration See merge request gitlab-org/gitlab!78490

Merge branch...
Merge branch '349706-the-users-username-exists-action-shouldn-t-be-available-when-gitlab-instance-doesn-t-allow' into 'master' Prevent user exists route when GitLab instance doesn't allow registration See merge request gitlab-org/gitlab!78490
0db28376 · Etienne Baqué · be9c1c23 · 8bb58ac2 · 0db28376 · 0db28376
Commit 0db28376 authored Jan 26, 2022 by Etienne Baqué
Showing with 22 additions and 6 deletions

app/controllers/users_controller.rb app/controllers/users_controller.rb +5 -1

locale/gitlab.pot locale/gitlab.pot +3 -0

spec/requests/users_controller_spec.rb spec/requests/users_controller_spec.rb +14 -5

No files found.
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -148,7 +148,11 @@ class UsersController < ApplicationController
  end

  def exists
-    render json: { exists: !!Namespace.find_by_path_or_name(params[:username]) }
+    if Gitlab::CurrentSettings.signup_enabled? || current_user
+      render json: { exists: !!Namespace.find_by_path_or_name(params[:username]) }
+    else
+      render json: { error: _('You must be authenticated to access this path.') }, status: :unauthorized
+    end
  end

  def follow

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -41154,6 +41154,9 @@ msgstr ""
 msgid "You may close the milestone now."
 msgstr ""

+msgid "You must be authenticated to access this path."
+msgstr ""
+
 msgid "You must be logged in to search across all of GitLab"
 msgstr ""


--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -634,13 +634,13 @@ RSpec.describe UsersController do
  end

  describe 'GET #exists' do
-    before do
-      sign_in(user)
+    context 'when user exists' do
+      before do
+        sign_in(user)

-      allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
-    end
+        allow(::Gitlab::ApplicationRateLimiter).to receive(:throttled?).and_return(false)
+      end

-    context 'when user exists' do
      it 'returns JSON indicating the user exists' do
        get user_exists_url user.username

@@ -661,6 +661,15 @@ RSpec.describe UsersController do
    end

    context 'when the user does not exist' do
+      it 'will not show a signup page if registration is disabled' do
+        stub_application_setting(signup_enabled: false)
+        get user_exists_url 'foo'
+
+        expected_json = { error: "You must be authenticated to access this path." }.to_json
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(response.body).to eq(expected_json)
+      end
+
      it 'returns JSON indicating the user does not exist' do
        get user_exists_url 'foo'