API: fixes visibility of project hook

When a user is not authorized to see the list of hooks for a project, he is
still able to access the hooks separately. For example, if access to
`GET /projects/:id/hooks` fails and returns a `403 Unauthorized` error, it is
still possible to access a hook directly via `GET /projects/:id/hooks/:hook_id`.

Fixes access, also added tests to check access and status codes of hooks.
Sebastian Ziebell 2013-02-16 14:42:49 +01:00
parent ed3f44085e
commit e9d3b96595
2 changed files with 33 additions and 10 deletions

@ -155,6 +155,7 @@ module Gitlab
# Example Request:
# GET /projects/:id/hooks/:hook_id
get ":id/hooks/:hook_id" do
authorize! :admin_project, user_project
@hook = user_project.hooks.find(params[:hook_id])
present @hook, with: Entities::Hook
end
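
Review bot: The comment block above `get ":id/hooks/:hook_id"` still lists only the example request and does not say that the route requires `:admin_project`; add a line stating the required permission and the status a caller gets without it, so the API documentation matches the behaviour. Placing `authorize! :admin_project, user_project` before `user_project.hooks.find(params[:hook_id])` is the right order, since an unauthorized caller gets the same response whether or not the hook id exists. Because this route was missed while the list route was already guarded, please confirm that every other route under `:id/hooks` in this file carries the same `authorize!` call, and that the added tests cover an unauthorized user requesting a hook id that exists.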