Commit 76cf7f34 authored by Oswaldo Ferreira's avatar Oswaldo Ferreira

Use 403 instead 404 for unpermitted actions

parent 726dd584
...@@ -16,9 +16,7 @@ module Projects ...@@ -16,9 +16,7 @@ module Projects
def destroy def destroy
issue_link = IssueLink.find(params[:id]) issue_link = IssueLink.find(params[:id])
# In order to remove a given relation, one must be allowed to admin_issue_link both the current return render_403 unless can?(current_user, :admin_issue_link, issue_link.target.project)
# project and on the related issue project.
return render_404 unless can?(current_user, :admin_issue_link, issue_link.target.project)
result = IssueLinks::DestroyService.new(issue_link, current_user).execute result = IssueLinks::DestroyService.new(issue_link, current_user).execute
...@@ -32,7 +30,7 @@ module Projects ...@@ -32,7 +30,7 @@ module Projects
end end
def authorize_admin_issue_link! def authorize_admin_issue_link!
render_404 unless can?(current_user, :admin_issue_link, @project) render_403 unless can?(current_user, :admin_issue_link, @project)
end end
def issue def issue
......
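Review bot: In `destroy`, answering 403 for the cross-project check makes that response distinguishable from the one `IssueLink.find(params[:id])` gives for an unknown id (presumably a 404 via the record-not-found handler), so a user with no access to the target project can tell whether a given link id exists. The previous `render_404` kept both cases indistinguishable; I would keep it on that one line, `return render_404 unless can?(current_user, :admin_issue_link, issue_link.target.project)`, and use 403 only in `authorize_admin_issue_link!`, where the user is presumably already able to see `@project`. The removed two-line comment, which explained that permission is needed on both the current project and the related issue's project, still describes the check and is worth keeping above it. The body of `destroy` continues outside the hunk.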
...@@ -77,8 +77,8 @@ describe Projects::IssueLinksController, type: :controller do ...@@ -77,8 +77,8 @@ describe Projects::IssueLinksController, type: :controller do
context 'when unauthorized' do context 'when unauthorized' do
let(:user_role) { :guest } let(:user_role) { :guest }
it 'returns 404' do it 'returns 403' do
is_expected.to have_http_status(404) is_expected.to have_http_status(403)
end end
end end
...@@ -128,8 +128,8 @@ describe Projects::IssueLinksController, type: :controller do ...@@ -128,8 +128,8 @@ describe Projects::IssueLinksController, type: :controller do
context 'when no authorization on current project' do context 'when no authorization on current project' do
let(:current_project_user_role) { :guest } let(:current_project_user_role) { :guest }
it 'returns 404' do it 'returns 403' do
is_expected.to have_http_status(404) is_expected.to have_http_status(403)
end end
end end
...@@ -137,8 +137,8 @@ describe Projects::IssueLinksController, type: :controller do ...@@ -137,8 +137,8 @@ describe Projects::IssueLinksController, type: :controller do
let(:referenced_issue) { create :issue } let(:referenced_issue) { create :issue }
let(:current_project_user_role) { :developer } let(:current_project_user_role) { :developer }
it 'returns 404' do it 'returns 403' do
is_expected.to have_http_status(404) is_expected.to have_http_status(403)
end end
end end
end end
......
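Review bot: The three updated examples assert only the status code, so they would still pass if the controller returned 403 after the link had already been created or removed. Where the request under test is a destroy, I would add an example such as `expect { subject }.not_to change(IssueLink, :count)` beside each `have_http_status(403)` (assuming `subject` is the request, as `is_expected` suggests). An example for an id that does not exist would also document how that response differs from the 403 asserted here. The enclosing contexts start outside the visible hunks.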