diff --git a/changelogs/unreleased/29903-remove-user-is-admin-flag-from-api.yml b/changelogs/unreleased/29903-remove-user-is-admin-flag-from-api.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a0d497ac1e90205be92e852c2065026eb9904c71
--- /dev/null
+++ b/changelogs/unreleased/29903-remove-user-is-admin-flag-from-api.yml
@@ -0,0 +1,4 @@
+---
+title: Don't display the is_admin flag in most API responses
+merge_request: 10846
+author:
diff --git a/doc/api/deployments.md b/doc/api/deployments.md
index 0273c8196147893d8dbb115b7d9928bf4478985f..ab9e63e01d31f8d45c4ac8d7de37327e17739cf7 100644
--- a/doc/api/deployments.md
+++ b/doc/api/deployments.md
@@ -48,7 +48,6 @@ Example of response
"bio": null,
"created_at": "2016-08-11T07:09:20.351Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"location": null,
"name": "Administrator",
@@ -106,7 +105,6 @@ Example of response
"bio": null,
"created_at": "2016-08-11T07:09:20.351Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"location": null,
"name": "Administrator",
@@ -195,7 +193,6 @@ Example of response
"avatar_url": "http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon",
"web_url": "http://localhost:3000/root",
"created_at": "2016-08-11T07:09:20.351Z",
- "is_admin": true,
"bio": null,
"location": null,
"skype": "",
diff --git a/doc/api/jobs.md b/doc/api/jobs.md
index 3f109dfdca35170e098988acd4442a93234200a8..404da3dc603a3c19fd1eea276505e7bd0c4ac3ce 100644
--- a/doc/api/jobs.md
+++ b/doc/api/jobs.md
@@ -57,7 +57,6 @@ Example of response
"bio": null,
"created_at": "2015-12-21T13:14:24.077Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"name": "Administrator",
"skype": "",
@@ -101,7 +100,6 @@ Example of response
"bio": null,
"created_at": "2015-12-21T13:14:24.077Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"name": "Administrator",
"skype": "",
@@ -173,7 +171,6 @@ Example of response
"bio": null,
"created_at": "2015-12-21T13:14:24.077Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"name": "Administrator",
"skype": "",
@@ -217,7 +214,6 @@ Example of response
"bio": null,
"created_at": "2015-12-21T13:14:24.077Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"name": "Administrator",
"skype": "",
@@ -284,7 +280,6 @@ Example of response
"bio": null,
"created_at": "2015-12-21T13:14:24.077Z",
"id": 1,
- "is_admin": true,
"linkedin": "",
"name": "Administrator",
"skype": "",
diff --git a/doc/api/keys.md b/doc/api/keys.md
index 3b55c2baf568a25a55e058170a4a97ef781e2b71..3ace1040f3856cd916f1adb1545c83e701ae6bac 100644
--- a/doc/api/keys.md
+++ b/doc/api/keys.md
@@ -26,7 +26,6 @@ Parameters:
"avatar_url": "http://www.gravatar.com/avatar/cfa35b8cd2ec278026357769582fa563?s=40\u0026d=identicon",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2015-09-03T07:24:01.670Z",
- "is_admin": false,
"bio": null,
"skype": "",
"linkedin": "",
diff --git a/doc/api/users.md b/doc/api/users.md
index e7ef68cffbc7b4fd66d1196c8018883c4aa0fc2d..86027bcc05c734756c8c3458325462079b9e4427 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -62,7 +62,6 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
- "is_admin": false,
"bio": null,
"location": null,
"skype": "",
@@ -95,7 +94,6 @@ GET /users
"avatar_url": "http://localhost:3000/uploads/user/avatar/2/index.jpg",
"web_url": "http://localhost:3000/jack_smith",
"created_at": "2012-05-23T08:01:01Z",
- "is_admin": false,
"bio": null,
"location": null,
"skype": "",
@@ -169,7 +167,6 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/cd8.jpeg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
- "is_admin": false,
"bio": null,
"location": null,
"skype": "",
@@ -200,7 +197,6 @@ Parameters:
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
- "is_admin": false,
"bio": null,
"location": null,
"skype": "",
@@ -325,7 +321,6 @@ GET /user
"avatar_url": "http://localhost:3000/uploads/user/avatar/1/index.jpg",
"web_url": "http://localhost:3000/john_smith",
"created_at": "2012-05-23T08:00:58Z",
- "is_admin": false,
"bio": null,
"location": null,
"skype": "",
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 64ab6f01eb50b14a5a12f5eea1440bed423ffeb3..6d6ccefe8776cfa1266e9a589ba1d3823f79eecf 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -14,7 +14,6 @@ module API
class User < UserBasic
expose :created_at
- expose :admin?, as: :is_admin
expose :bio, :location, :skype, :linkedin, :twitter, :website_url, :organization
end
@@ -41,8 +40,9 @@ module API
expose :external
end
- class UserWithPrivateToken < UserPublic
+ class UserWithPrivateDetails < UserPublic
expose :private_token
+ expose :admin?, as: :is_admin
end
class Email < Grape::Entity
diff --git a/lib/api/session.rb b/lib/api/session.rb
index 002ffd1d154c9869927cda934bb9b36047a8e05a..016415c30233c2ff91ff202d33a4734c6a4f173e 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -1,7 +1,7 @@
module API
class Session < Grape::API
desc 'Login to get token' do
- success Entities::UserWithPrivateToken
+ success Entities::UserWithPrivateDetails
end
params do
optional :login, type: String, desc: 'The username'
@@ -14,7 +14,7 @@ module API
return unauthorized! unless user
return render_api_error!('401 Unauthorized. You have 2FA enabled. Please use a personal access token to access the API', 401) if user.two_factor_enabled?
- present user, with: Entities::UserWithPrivateToken
+ present user, with: Entities::UserWithPrivateDetails
end
end
end
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 46f221f68fef5bdc83c301d77d6069694f1a0c1b..40acaebf6705302078b07263e7f70b6943fee133 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -433,7 +433,7 @@ module API
success Entities::UserPublic
end
get do
- present current_user, with: sudo? ? Entities::UserWithPrivateToken : Entities::UserPublic
+ present current_user, with: sudo? ? Entities::UserWithPrivateDetails : Entities::UserPublic
end
desc "Get the currently authenticated user's SSH keys" do
diff --git a/spec/fixtures/api/schemas/public_api/v4/user/public.json b/spec/fixtures/api/schemas/public_api/v4/user/public.json
index 5587cfec61ac0acf4e1c8b74dcd1e03192e64239..faa126b65f24ee348c6fc1147209e967dfad615b 100644
--- a/spec/fixtures/api/schemas/public_api/v4/user/public.json
+++ b/spec/fixtures/api/schemas/public_api/v4/user/public.json
@@ -9,7 +9,6 @@
"avatar_url",
"web_url",
"created_at",
- "is_admin",
"bio",
"location",
"skype",
@@ -43,7 +42,6 @@
"avatar_url": { "type": "string" },
"web_url": { "type": "string" },
"created_at": { "type": "date" },
- "is_admin": { "type": "boolean" },
"bio": { "type": ["string", "null"] },
"location": { "type": ["string", "null"] },
"skype": { "type": "string" },
diff --git a/spec/requests/api/keys_spec.rb b/spec/requests/api/keys_spec.rb
index b55860884857d47762bbb699b986e9c511bee265..ab957c729843e8cab0d37aea7ced64cc64cd97dc 100644
--- a/spec/requests/api/keys_spec.rb
+++ b/spec/requests/api/keys_spec.rb
@@ -32,6 +32,12 @@ describe API::Keys do
expect(json_response['user']['id']).to eq(user.id)
expect(json_response['user']['username']).to eq(user.username)
end
+
+ it "does not include the user's `is_admin` flag" do
+ get api("/keys/#{key.id}", admin)
+
+ expect(json_response['user']['is_admin']).to be_nil
+ end
end
end
end
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 2c6ae592d91a5e7b729bc43f8169e5aa9e911504..4919ad198339457a4f0259f7199a567bae97db60 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -135,6 +135,12 @@ describe API::Users do
expect(json_response['username']).to eq(user.username)
end
+ it "does not return the user's `is_admin` flag" do
+ get api("/users/#{user.id}", user)
+
+ expect(json_response['is_admin']).to be_nil
+ end
+
it "returns a 401 if unauthenticated" do
get api("/users/9998")
expect(response).to have_http_status(401)
@@ -397,7 +403,6 @@ describe API::Users do
it "updates admin status" do
put api("/users/#{user.id}", admin), { admin: true }
expect(response).to have_http_status(200)
- expect(json_response['is_admin']).to eq(true)
expect(user.reload.admin).to eq(true)
end
@@ -411,7 +416,6 @@ describe API::Users do
it "does not update admin status" do
put api("/users/#{admin_user.id}", admin), { can_create_group: false }
expect(response).to have_http_status(200)
- expect(json_response['is_admin']).to eq(true)
expect(admin_user.reload.admin).to eq(true)
expect(admin_user.can_create_group).to eq(false)
end
diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb
index 05ee704f738a261a7746c9bb7f3d37d211ff62df..e9c57f7c6c37cefbd2cb3135326b77376b0e4d1f 100644
--- a/spec/requests/api/v3/users_spec.rb
+++ b/spec/requests/api/v3/users_spec.rb
@@ -274,5 +274,11 @@ describe API::V3::Users do
expect(new_user).to be_confirmed
end
+
+ it 'does not reveal the `is_admin` flag of the user' do
+ post v3_api('/users', admin), attributes_for(:user)
+
+ expect(json_response['is_admin']).to be_nil
+ end
end
end