From 727dff3f158b9ef852b2b014d4efe0abd69a23d0 Mon Sep 17 00:00:00 2001
From: Timothy Andrew <mail@timothyandrew.net>
Date: Fri, 26 Aug 2016 09:37:57 +0530
Subject: [PATCH] Don't expose a user's private token in the `/api/v3/user`
 API.

- This would allow anyone with a personal access token (even a read-only
  token, once scopes are implemented) to escalate their access by
  obtaining the private token.
---
 doc/api/users.md                | 3 +--
 lib/api/users.rb                | 2 +-
 spec/requests/api/users_spec.rb | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/api/users.md b/doc/api/users.md
index 7e848586dbd0..54f7a2a2acea 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -310,8 +310,7 @@ GET /user
   "can_create_group": true,
   "can_create_project": true,
   "two_factor_enabled": true,
-  "external": false,
-  "private_token": "dd34asd13as"
+  "external": false
 }
 ```
 
diff --git a/lib/api/users.rb b/lib/api/users.rb
index 8a376d3c2a32..c440305ff0fc 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -327,7 +327,7 @@ class Users < Grape::API
       # Example Request:
       #   GET /user
       get do
-        present @current_user, with: Entities::UserLogin
+        present @current_user, with: Entities::UserFull
       end
 
       # Get currently authenticated user's keys
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 0bbba64a6d58..ef73778efa9e 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -605,6 +605,7 @@
       expect(json_response['can_create_project']).to eq(user.can_create_project?)
       expect(json_response['can_create_group']).to eq(user.can_create_group?)
       expect(json_response['projects_limit']).to eq(user.projects_limit)
+      expect(json_response['private_token']).to be_blank
     end
 
     it "returns 401 error if user is unauthenticated" do
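Review bot: `expect(json_response['private_token']).to be_blank` on the added line also passes when the key is present with a `nil` value, and it passes trivially if the `user` fixture has no token set, so it does not pin that the entity stops exposing the attribute; `expect(json_response).not_to have_key('private_token')` is the assertion that would fail against the old `Entities::UserLogin` regardless of fixture state. Whether the fixture here carries a token cannot be seen from the hunk, so if it does not, the test should set one before the request. The enclosing `it` block starts outside the hunk.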
-- 
GitLab