Commit 4f5ed812 authored by Rémy Coutable's avatar Rémy Coutable

API: Introduce `#find_project!` which also check access permission

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 304163be
......@@ -68,7 +68,7 @@ module API
end
def user_project
@project ||= find_project(params[:id])
@project ||= find_project!(params[:id])
end
def available_labels
......@@ -76,12 +76,15 @@ module API
end
def find_project(id)
project =
if id =~ /^\d+$/
Project.find_by(id: id)
else
Project.find_with_namespace(id)
end
if id =~ /^\d+$/
Project.find_by(id: id)
else
Project.find_with_namespace(id)
end
end
def find_project!(id)
project = find_project(id)
if can?(current_user, :read_project, project)
project
......
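Review bot: The numeric-id test in `find_project`, `id =~ /^\d+$/`, uses line anchors, so an `id` containing a newline is treated as numeric whenever any one of its lines is all digits, and the whole string is then handed to `Project.find_by(id: id)`; anchoring the full string avoids that: `if id =~ /\A\d+\z/`. The line is unchanged apart from indentation, but `find_project!` now runs its `can?(current_user, :read_project, project)` check on whatever this lookup returns, so the lookup should be unambiguous. Because `find_project` itself performs no authorization, a comment above it would help, e.g. `# Looks up a project by id or full path WITHOUT checking access; use find_project! for ids taken from the request.` The body of `find_project!` continues past the end of the hunk, so the denied branch is not visible here; it should presumably give the same response for a missing project and for one the user cannot read.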
......@@ -379,7 +379,7 @@ module API
# POST /projects/:id/fork/:forked_from_id
post ":id/fork/:forked_from_id" do
authenticated_as_admin!
forked_from_project = find_project(params[:forked_from_id])
forked_from_project = find_project!(params[:forked_from_id])
unless forked_from_project.nil?
if user_project.forked_from_project.nil?
user_project.create_forked_project_link(forked_to_project_id: user_project.id, forked_from_project_id: forked_from_project.id)
......
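Review bot: The `unless forked_from_project.nil?` guard after the new `find_project!(params[:forked_from_id])` call may now be dead code or may be hiding a different failure, depending on what `find_project!` does when the project is missing or unreadable (its else branch is not visible in this diff). If the helper halts the request with an error response, the nil check and its fallback branch can be dropped. If it returns nil instead, keep the guard and say so in a comment, e.g. `# find_project! returns nil when the source project is missing or not readable by current_user`. The `post` block continues past the end of the hunk.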