Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • 12-9-stable
  • 12-7-stable
  • 12-6-stable
  • 12-8-stable
  • github/fork/Kloppi313/patch-1
  • 12-5-stable
  • 12-4-stable
  • github/fork/ramalokesh8477/master
  • 12-1-stable
  • 12-2-stable
  • 12-0-stable
  • 12-3-stable
  • 42-42-stable
  • github/fork/hussamgit398/patch-2
  • 12-3-auto-deploy-20190911
  • 12-3-auto-deploy-20190916
  • 12-3-auto-deploy-20190908
  • 12-3-auto-deploy-20190901
  • 12-3-auto-deploy-20190901-32664
  • v12.10.0.pre
  • v12.9.0
  • v12.9.0-rc42
  • v12.8.7
  • v12.8.6
  • v12.8.5
  • v12.8.4
  • v12.8.3
  • v12.6.8
  • v12.7.7
  • v12.8.2
  • v12.8.1
  • v12.9.0.pre
  • v12.8.0
  • v12.8.0-rc42
  • v12.5.10
  • v12.7.6
  • v12.6.7
  • v12.7.5
  • v12.5.9
40 results
Search by author
  • Any Author
  • Grant Young Grant Young grantyoung
  • Nailia Iskhakova Nailia Iskhakova niskhakova
  • gitlab-qa-bot gitlab-qa-bot gitlab-qa-bot
3 authors
  1. Feb 25, 2020
  3. Jan 14, 2020
  5. Dec 11, 2019
  7. Oct 29, 2019
  9. Feb 26, 2019
  11. Oct 20, 2017
  13. Jun 14, 2017
  15. Apr 25, 2017
    • Timothy Andrew's avatar
      Don't display the `is_admin?` flag for user API responses. · 34b71e73
      Timothy Andrew authored 
      - To prevent an attacker from enumerating the `/users` API to get a list of all
  the admins.

- Display the `is_admin?` flag wherever we display the `private_token` - at the
  moment, there are two instances:

  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint
      34b71e73
  17. Apr 21, 2017
  19. Nov 28, 2016
  21. Aug 09, 2016
  23. Jun 27, 2016
  25. Sep 03, 2015