Merge branch '42129-fix-project-snippet-user-agent-detail' into 'master'

Fix the user-agent detail API endpoint for project snippets

Closes #42129

See merge request gitlab-org/gitlab-ce!16521

doc/api/project_snippets.md

@@ -131,12 +131,13 @@ Available only for admins.
 GET /projects/:id/snippets/:snippet_id/user_agent_detail
 ```
 
-| Attribute   | Type    | Required | Description                          |
-|-------------|---------|----------|--------------------------------------|
-| `id`        | Integer | yes      | The ID of a snippet                  |
+| Attribute     | Type    | Required | Description                          |
+|---------------|---------|----------|--------------------------------------|
+| `id`          | Integer | yes      | The ID of a project                  |
+| `snippet_id`  | Integer | yes      | The ID of a snippet                  |
 
 ```bash
-curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/1/user_agent_detail
+curl --request GET --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/1/snippets/2/user_agent_detail
 ```
 
 Example response:

lib/api/project_snippets.rb

@@ -143,7 +143,7 @@ module API
       get ":id/snippets/:snippet_id/user_agent_detail" do
         authenticated_as_admin!
 
-        snippet = Snippet.find_by!(id: params[:id])
+        snippet = Snippet.find_by!(id: params[:snippet_id], project_id: params[:id])
 
         return not_found!('UserAgentDetail') unless snippet.user_agent_detail
 

spec/requests/api/project_snippets_spec.rb

 require 'rails_helper'
 
 describe API::ProjectSnippets do
-  let(:project) { create(:project, :public) }
-  let(:user) { create(:user) }
-  let(:admin) { create(:admin) }
+  set(:project) { create(:project, :public) }
+  set(:user) { create(:user) }
+  set(:admin) { create(:admin) }
 
   describe "GET /projects/:project_id/snippets/:id/user_agent_detail" do
     let(:snippet) { create(:project_snippet, :public, project: project) }
@@ -18,6 +18,13 @@ describe API::ProjectSnippets do
       expect(json_response['akismet_submitted']).to eq(user_agent_detail.submitted)
     end
 
+    it 'respects project scoping' do
+      other_project = create(:project)
+
+      get api("/projects/#{other_project.id}/snippets/#{snippet.id}/user_agent_detail", admin)
+      expect(response).to have_gitlab_http_status(404)
+    end
+
     it "returns unautorized for non-admin users" do
       get api("/projects/#{snippet.project.id}/snippets/#{snippet.id}/user_agent_detail", user)