Commit b2f48d8c authored Apr 12, 2016 by Robert Schilling
API: Return 404 if user does not have access to group
parent 6bb71869
Showing 3 changed files with 12 additions and 7 deletions
CHANGELOG (+1 -0)
lib/api/helpers.rb (+1 -2)
spec/requests/api/groups_spec.rb (+10 -5)
CHANGELOG
...
@@ -40,6 +40,7 @@ v 8.7.0 (unreleased)
...
@@ -40,6 +40,7 @@ v 8.7.0 (unreleased)
- Fix admin/projects when using visibility levels on search (PotHix)
- Fix admin/projects when using visibility levels on search (PotHix)
- Build status notifications
- Build status notifications
- API: Expose user location (Robert Schilling)
- API: Expose user location (Robert Schilling)
- API: Do not leak group existence via return code (Robert Schilling)
- ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
- ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
- Update number of Todos in the sidebar when it's marked as "Done". !3600
- Update number of Todos in the sidebar when it's marked as "Done". !3600
- API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)
- API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)
...
...
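Review bot: the entry "API: Do not leak group existence via return code" does not state the observable change, and API consumers reading the changelog need to know that group endpoints now answer 404 instead of 403 for groups the caller cannot read. Suggest wording it as "API: Return 404 instead of 403 for groups the user cannot access, so that a group's existence is not leaked via the return code", and consider adding the merge request reference as the neighbouring entries (!3591, !3600) do.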
lib/api/helpers.rb
...
@@ -91,8 +91,7 @@ module API
...
@@ -91,8 +91,7 @@ module API
if
can?
(
current_user
,
:read_group
,
group
)
if
can?
(
current_user
,
:read_group
,
group
)
group
group
else
else
forbidden!
(
"
#{
current_user
.
username
}
lacks sufficient "
\
not_found!
(
'Group'
)
"access to
#{
group
.
name
}
"
)
end
end
end
end
...
...
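Review bot: the 404 only hides existence if it is indistinguishable from the 404 produced when the group id or path does not exist at all; `not_found!('Group')` is the right call here, but please confirm that the lookup preceding `if can?(current_user, :read_group, group)` returns the same status and body for an unknown id, otherwise a client can still tell the two cases apart by the response body. The removed `forbidden!("#{current_user.username} lacks sufficient access to #{group.name}")` also echoed `group.name` back to a caller without read access, so this change closes an information disclosure in the error message itself, which is worth mentioning in the commit message.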
spec/requests/api/groups_spec.rb
...
@@ -61,7 +61,8 @@ describe API::API, api: true do
...
@@ -61,7 +61,8 @@ describe API::API, api: true do
it
"should not return a group not attached to user1"
do
it
"should not return a group not attached to user1"
do
get
api
(
"/groups/
#{
group2
.
id
}
"
,
user1
)
get
api
(
"/groups/
#{
group2
.
id
}
"
,
user1
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
...
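Review bot: asserting `expect(response.status).to eq(404)` alone does not prove the existence leak is closed; a different body with the same status would still reveal the group. Suggest adding an example that requests an id that does not exist and asserts that its status and body match the response for `group2`, so the two cases are verified to be indistinguishable rather than only both being 404.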
@@ -92,7 +93,8 @@ describe API::API, api: true do
...
@@ -92,7 +93,8 @@ describe API::API, api: true do
it
'should not return a group not attached to user1'
do
it
'should not return a group not attached to user1'
do
get
api
(
"/groups/
#{
group2
.
path
}
"
,
user1
)
get
api
(
"/groups/
#{
group2
.
path
}
"
,
user1
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
end
end
...
@@ -157,7 +159,8 @@ describe API::API, api: true do
...
@@ -157,7 +159,8 @@ describe API::API, api: true do
it
"should not return a group not attached to user1"
do
it
"should not return a group not attached to user1"
do
get
api
(
"/groups/
#{
group2
.
id
}
/projects"
,
user1
)
get
api
(
"/groups/
#{
group2
.
id
}
/projects"
,
user1
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
...
@@ -189,7 +192,8 @@ describe API::API, api: true do
...
@@ -189,7 +192,8 @@ describe API::API, api: true do
it
'should not return a group not attached to user1'
do
it
'should not return a group not attached to user1'
do
get
api
(
"/groups/
#{
group2
.
path
}
/projects"
,
user1
)
get
api
(
"/groups/
#{
group2
.
path
}
/projects"
,
user1
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
end
end
...
@@ -247,7 +251,8 @@ describe API::API, api: true do
...
@@ -247,7 +251,8 @@ describe API::API, api: true do
it
"should not remove a group not attached to user1"
do
it
"should not remove a group not attached to user1"
do
delete
api
(
"/groups/
#{
group2
.
id
}
"
,
user1
)
delete
api
(
"/groups/
#{
group2
.
id
}
"
,
user1
)
expect
(
response
.
status
).
to
eq
(
403
)
expect
(
response
.
status
).
to
eq
(
404
)
end
end
end
end
...
...
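Review bot: for the DELETE case the status assertion leaves the important property untested, namely that the group was not actually removed. Add an assertion after the request that `group2` still exists (for example by reloading it and expecting no error), so a regression that returns 404 but deletes the group anyway would be caught; the example name "should not remove a group not attached to user1" promises exactly that.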