Commit 0e747806 authored by Mike Ricketts's avatar Mike Ricketts Committed by Rémy Coutable

Re-instate is_admin flag in users API is current user is an admin

parent 745d46bc
---
title: Reinstate is_admin flag in users api when authenticated user is an admin
merge_request: 12211
author: rickettm
...@@ -62,6 +62,7 @@ GET /users ...@@ -62,6 +62,7 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -94,6 +95,7 @@ GET /users ...@@ -94,6 +95,7 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg",
"web_url": "http://localhost:3000/jack_smith", "web_url": "http://localhost:3000/jack_smith",
"created_at": "2012-05-23T08:01:01Z", "created_at": "2012-05-23T08:01:01Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -197,6 +199,7 @@ Parameters: ...@@ -197,6 +199,7 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg", "avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith", "web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z", "created_at": "2012-05-23T08:00:58Z",
"is_admin": false,
"bio": null, "bio": null,
"location": null, "location": null,
"skype": "", "skype": "",
...@@ -43,11 +43,14 @@ module API ...@@ -43,11 +43,14 @@ module API
expose :external expose :external
end end
class UserWithPrivateDetails < UserPublic class UserWithAdmin < UserPublic
expose :private_token
expose :admin?, as: :is_admin expose :admin?, as: :is_admin
end end
class UserWithPrivateDetails < UserWithAdmin
expose :private_token
end
class Email < Grape::Entity class Email < Grape::Entity
expose :id, :email expose :id, :email
end end
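Review bot: The new `UserWithAdmin` class carries no hint that it must only be presented to admin callers; the gate on `is_admin` lives in the endpoint's entity selection rather than in the entity itself, so any future `present ... with: Entities::UserWithAdmin` elsewhere would hand role information to ordinary users. A one-line comment on the class would record the contract: `# Exposes is_admin; present this (or a subclass) only when current_user.admin?`. `UserWithPrivateDetails` now inherits `is_admin` through `UserWithAdmin`, which matches the shape it had before the change, so its existing callers are unaffected. The enclosing `module API` / `Entities` scope opens and closes outside the hunk.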
...@@ -59,7 +59,7 @@ module API ...@@ -59,7 +59,7 @@ module API
users = UsersFinder.new(current_user, params).execute users = UsersFinder.new(current_user, params).execute
entity = current_user.admin? ? Entities::UserPublic : Entities::UserBasic entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic
present paginate(users), with: entity present paginate(users), with: entity
end end
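Review bot: The `entity = current_user.admin? ? Entities::UserWithAdmin : Entities::UserBasic` line is now the only thing keeping `is_admin` out of responses to non-admin callers, yet nothing in the hunk says so; a comment would make the authorization intent explicit for the next editor: `# Only admins may see is_admin (UserWithAdmin); everyone else gets UserBasic.`. The V3 spec added in this commit expects `v3_api('/users', admin)` to reveal `is_admin` too, but no change to the V3 users endpoint is visible on this page — worth confirming it is covered, if V3 selects its entity separately. The enclosing `get` block opens before the hunk.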
...@@ -11,7 +11,7 @@ describe API::Users do ...@@ -11,7 +11,7 @@ describe API::Users do
let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 } let(:not_existing_user_id) { (User.maximum('id') || 0 ) + 10 }
let(:not_existing_pat_id) { (PersonalAccessToken.maximum('id') || 0 ) + 10 } let(:not_existing_pat_id) { (PersonalAccessToken.maximum('id') || 0 ) + 10 }
describe "GET /users" do describe 'GET /users' do
context "when unauthenticated" do context "when unauthenticated" do
it "returns authentication error" do it "returns authentication error" do
get api("/users") get api("/users")
...@@ -76,6 +76,12 @@ describe API::Users do ...@@ -76,6 +76,12 @@ describe API::Users do
expect(response).to have_http_status(403) expect(response).to have_http_status(403)
end end
it 'does not reveal the `is_admin` flag of the user' do
get api('/users', user)
expect(json_response.first.keys).not_to include 'is_admin'
end
end end
context "when admin" do context "when admin" do
...@@ -92,6 +98,7 @@ describe API::Users do ...@@ -92,6 +98,7 @@ describe API::Users do
expect(json_response.first.keys).to include 'two_factor_enabled' expect(json_response.first.keys).to include 'two_factor_enabled'
expect(json_response.first.keys).to include 'last_sign_in_at' expect(json_response.first.keys).to include 'last_sign_in_at'
expect(json_response.first.keys).to include 'confirmed_at' expect(json_response.first.keys).to include 'confirmed_at'
expect(json_response.first.keys).to include 'is_admin'
end end
it "returns an array of external users" do it "returns an array of external users" do
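Review bot: The new `does not reveal the `is_admin` flag of the user` example inspects `json_response.first.keys` without first asserting that the request succeeded; if `GET /users` returns an error body, `json_response.first` is `nil` and the example fails with `NoMethodError` rather than a clear status mismatch. Add `expect(response).to have_http_status(200)` before the `keys` expectation; the same applies to the two V3 examples added in this commit (`does not reveal` and `reveals the `is_admin` flag`). The `context` block that holds the new example opens before the hunk.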
...@@ -7,6 +7,38 @@ describe API::V3::Users do ...@@ -7,6 +7,38 @@ describe API::V3::Users do
let(:email) { create(:email, user: user) } let(:email) { create(:email, user: user) }
let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') } let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
describe 'GET /users' do
context 'when authenticated' do
it 'returns an array of users' do
get v3_api('/users', user)
expect(response).to have_http_status(200)
expect(response).to include_pagination_headers
expect(json_response).to be_an Array
username = user.username
expect(json_response.detect do |user|
user['username'] == username
end['username']).to eq(username)
end
end
context 'when authenticated as user' do
it 'does not reveal the `is_admin` flag of the user' do
get v3_api('/users', user)
expect(json_response.first.keys).not_to include 'is_admin'
end
end
context 'when authenticated as admin' do
it 'reveals the `is_admin` flag of the user' do
get v3_api('/users', admin)
expect(json_response.first.keys).to include 'is_admin'
end
end
end
describe 'GET /user/:id/keys' do describe 'GET /user/:id/keys' do
before { admin } before { admin }
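Review bot: In the `returns an array of users` example the block parameter `|user|` shadows the outer `let(:user)`, which is the only reason `username` has to be captured beforehand; a non-shadowing name and `find` read more directly: `expect(json_response.find { |entry| entry['username'] == username }['username']).to eq(username)`. The `when authenticated` and `when authenticated as user` contexts both request as `user`, so they could be folded into one context if that reads better. The new `describe 'GET /users'` block is complete within the hunk; the outer `describe API::V3::Users` opens before it.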