Commit 20cb5a7b authored by Rémy Coutable's avatar Rémy Coutable Committed by Rémy Coutable

Merge branch 'fix-project-hook-delete-permissions' into 'master'

Prevent users from deleting Webhooks via API they do not own

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576

See merge request !1959
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 88e60bbb
Please view this file on the master branch, on stable branches it's out of date.
v 8.2.5
- Fix a window.opener bug that could lead to XSS and open redirects
- Prevent privilege escalation via "impersonate" feature
- Prevent users from deleting Webhooks via API they do not own
v 8.2.4
- Bump Git version requirement to 2.7.4
......
......@@ -101,10 +101,10 @@ module API
required_attributes! [:hook_id]
begin
@hook = ProjectHook.find(params[:hook_id])
@hook.destroy
@hook = user_project.hooks.destroy(params[:hook_id])
rescue
# ProjectHook can raise Error if hook_id not found
not_found!("Error deleting hook #{params[:hook_id]}")
end
end
end
......
......@@ -140,14 +140,24 @@ describe API::API, 'ProjectHooks', api: true do
expect(response.status).to eq(200)
end
it "should return success when deleting non existent hook" do
it "should return a 404 error when deleting non existent hook" do
delete api("/projects/#{project.id}/hooks/42", user)
expect(response.status).to eq(200)
expect(response.status).to eq(404)
end
it "should return a 405 error if hook id not given" do
delete api("/projects/#{project.id}/hooks", user)
expect(response.status).to eq(405)
end
it "shold return a 404 if a user attempts to delete project hooks he/she does not own" do
test_user = create(:user)
other_project = create(:project)
other_project.team << [test_user, :master]
delete api("/projects/#{other_project.id}/hooks/#{hook.id}", test_user)
expect(response.status).to eq(404)
expect(WebHook.exists?(hook.id)).to be_truthy
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment